Malicious apps are used to steal crypto from iOS and Android users

Antivirus maker and Internet security company ESET has uncovered a sophisticated malicious cryptocurrency scheme that has been targeting Android and iOS users since May of last year.

The scheme is thought to be the work of a criminal group and uses malicious apps, distributed via fake websites, to steal bitcoin and other cryptocurrencies from unsuspecting users. The malicious apps mimic popular cryptocurrency wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey.

Those behind the scheme place advertisements, accompanied by misleading articles, on legitimate sites to promote the fake sites that distribute the counterfeit wallet apps. The cybercriminals have also recruited intermediaries through groups on Telegram and Facebook. Although the main objective of the scheme is to steal user funds, ESET Research noted that Chinese users were the primary target; with the growing popularity of cryptocurrencies, however, the company's researchers expect the techniques employed to spread to other markets.

The ESET researcher who discovered the scheme, Lukáš Štefanko, gave further details on how it works in a press release:

“These malicious apps also pose another threat to victims, as some of them send victims' secret seed phrases to the attackers' server over an insecure HTTP connection. This means that victims' funds could be stolen not only by the operator of this scheme, but also by another attacker eavesdropping on the same network. We also discovered thirteen malicious applications masquerading as the Jaxx Liberty wallet. These apps were free on the Play Store.”
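The point in the quote above that matters most to a defender is the transport: a seed phrase sent over plain HTTP is readable by anyone on the path, so the exposure is not limited to the operator of the scheme. The following is an added example, not code from ESET or from the article, of a small egress-log check that flags plaintext HTTP requests whose query string or body carries a BIP-39-style mnemonic. The log format (`scheme method url body`), the host names and the sample lines are all constructed for this example; the seed-phrase test is a structural heuristic (12 to 24 lowercase words of 3 to 8 letters), not a lookup against the real BIP-39 word list, so it will also match other word-list-like strings and should be tuned against your own traffic.

```python
"""Flag plaintext-HTTP requests that carry a BIP-39-style seed phrase.

Added example for this article; the log format, hosts and sample lines
below are constructed, not captured from the malware described.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# A BIP-39 mnemonic is 12, 15, 18, 21 or 24 lowercase words of 3-8 letters.
# Structural heuristic only: we do not check against the 2048-word list.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
VALID_LENGTHS = {12, 15, 18, 21, 24}

# Constructed proxy/egress log: "<scheme> <method> <url> <body>" ("-" = no body).
SAMPLE_LOG = """\
https POST https://api.example-wallet.test/v1/balance {"addr":"0xabc"}
http POST http://203.0.113.10/upload words=abandon+abandon+abandon+abandon+abandon+abandon+abandon+abandon+abandon+abandon+abandon+about&pw=1234
https GET https://news.example.test/articles/crypto -
http GET http://198.51.100.7/ping?t=1 -
http POST http://198.51.100.7/api/sync {"mnemonic":"zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong","wallet":"w1"}
"""


def looks_like_seed_phrase(text: str) -> bool:
    """True if the value has a valid mnemonic word count and word shape."""
    words = text.split()
    return len(words) in VALID_LENGTHS and all(WORD_RE.match(w) for w in words)


def extract_fields(body: str) -> dict:
    """Return {field: value} from a JSON object or a form-encoded body."""
    if body in ("", "-"):
        return {}
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return {k: v for k, v in obj.items() if isinstance(v, str)}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body).items() if v}


def find_plaintext_seed_exfil(log_text: str) -> list:
    """Return (line_no, host, field) for http:// (not https://) requests whose
    query string or body contains a seed-like value."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 3)  # body may itself contain spaces
        if len(parts) < 4:
            continue
        scheme, _method, url, body = parts
        if scheme != "http":  # only plaintext transport is the concern here
            continue
        u = urlsplit(url)
        fields = {k: v[0] for k, v in parse_qs(u.query).items() if v}
        fields.update(extract_fields(body))
        for field, value in fields.items():
            if looks_like_seed_phrase(value):
                hits.append((n, u.hostname, field))
    return hits


if __name__ == "__main__":
    for line_no, host, field in find_plaintext_seed_exfil(SAMPLE_LOG):
        print(f"line {line_no}: seed-like value in field '{field}' sent in clear to {host}")
```

On the constructed sample this reports the form field on line 2 and the JSON field on line 5, and ignores the HTTPS requests and the harmless HTTP ping. In practice the same check belongs in a mobile-app review harness or on a corporate egress proxy, where the fix is the app using TLS, not merely suppressing the alert.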

An elaborate scheme

Starting in May of last year, ESET security researchers discovered dozens of trojanized cryptocurrency wallet apps.

What distinguishes this scheme from other crypto scams is that the malware author analysed legitimate crypto applications in depth in order to insert the malicious code in places where it would be hard to detect, while making sure the fake apps retained exactly the same functionality as the originals.

ESET has found dozens of groups promoting malicious copies of cryptocurrency wallets on Telegram since May of last year. Since October of last year, these Telegram groups have been shared and promoted in at least fifty-six Facebook groups in order to recruit even more distribution partners. Then, in November, ESET noticed that the fake cryptocurrency wallet apps were being distributed on two legitimate Chinese sites.

The malicious apps also behave differently on Android and iOS. On Android, they target new cryptocurrency users who do not yet have a wallet app installed on their devices, while on iOS victims can end up with both a legitimate and a malicious wallet app installed.

Since the source code for this scheme has been leaked and shared on multiple Chinese sites, it could entice other cybercriminals to spread it further. For that reason, users interested in buying, selling and holding cryptocurrencies should only download crypto wallet apps from the Apple App Store or the Play Store.