ESET researcher Lukas Stefanko discovered malicious software disguised as a full-fledged cryptocurrency wallet in the Google Play application store and described it in a blog post.
So-called clipper malware has been known to Windows users since at least 2017. Last year, the Satori botnet learned to infect computers used for mining cryptocurrencies and change the wallet addresses to which they sent the mined cryptocurrency. In August, a clipper targeting Android users was discovered for the first time; it was distributed through a third-party application store. The clipper found on Google Play was disguised as the popular crypto wallet MetaMask. As Stefanko explained, the primary goal of Android/Clipper is to steal the data needed to gain access to users' funds on the Ethereum blockchain. It can also replace Bitcoin and Ethereum wallet addresses copied to the clipboard with addresses belonging to the attacker.
“This attack is aimed at users of the mobile version of the MetaMask service, designed to launch decentralized Ethereum-based applications in the browser without having to have a full Ethereum node. This service, however, does not currently have a mobile application, only extensions for desktop browsers, such as Chrome and Firefox,” writes Stefanko. “Earlier, several malicious applications disguised as MetaMask were seen on Google Play, but they were only able to steal critical information to gain access to the victim's cryptocurrency funds.”
Stefanko discovered the malware shortly after it appeared on Google Play on February 1. The application has since been removed. The expert noted that this is the first time such a clipper has made it into the official app store.
As always, cryptocurrency users attract heightened attention from attackers. When downloading mobile applications to manage their assets, they are advised to get the link to the application from the official developer site and, in the case of MetaMask, to confirm that no such application exists.