Hackers use fake apps and wallets to steal your crypto

Hackers use fake apps and wallets to steal your crypto

Cryptocurrency users and enthusiasts are being targeted by malicious actors with fake wallet apps that steal their valuable tokens, researchers have discovered.

Trusted cybersecurity researchers have discovered that some of the world's most popular cryptocurrency wallets are being spoofed by clones (opens in a new tab) containing malware.

Coinbase, MetaMask, TokenPocket, and imToken products are among those affected, with threat actors creating apps seemingly identical to legitimate apps, but with one key difference: they have a backdoor capable of stealing people's security phrases. The passphrase, or secret key, is a string of words used to retrieve or load an existing wallet into the new app.

Tens of millions of potential targets

People use it when they forget their passwords, install the app on a new device, or need to load a wallet on another device.

Being malicious, these apps cannot be found in official app repositories like Play Store or App Store. Instead, threat actors rely on distributing the app via web pages, which they promote via black SEO techniques, SEO poisoning, social media marketing, forum promotions, malicious ads, etc.

The researchers were unable to say how many people were tricked into downloading these apps, but the Coinbase app alone has over 10 million downloads on Android alone.

As for the victims, the attackers seem to mainly target the Asian population. Baidu's search engine results were hit the hardest by the campaign, directing "massive amounts" of traffic (opens in a new tab) to sites hosting the malicious apps.

The attackers themselves also appear to be Asian. Confident calls them SeaFlower and believes they are Chinese based on subtle clues like the language of comments in the source code, the location of the infrastructure, and the frameworks and services used.

The campaign appears to have been active since at least March of this year, Confident says, adding that it is "the most technically sophisticated threat targeting Web3 users, second only to the infamous Lazarus Group."

Via: BleepingComputer (Opens in a new tab)