The scheme, which has been in operation since May 2021, targeted Chinese users through social media groups and fake websites.
Research by cyber security firm ESET has uncovered a “sophisticated scheme” that disseminates Trojan apps disguised as popular cryptocurrency wallets.
The malicious scheme targets mobile devices using Android or Apple (iOS) operating systems which become compromised if the user downloads a fake app.
According to ESET’s research, these malicious apps are distributed through bogus websites, and imitate legitimate crypto wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey.
The firm also discovered 13 malicious apps impersonating the Jaxx Liberty wallet, available on the Google Play Store. Google has since removed the offending apps, which were installed more than 1,100 times, but there are still many more lurking out there on other websites and social media platforms.
The threat actors disseminated their wares through social media groups on Facebook and Telegram, intending to steal crypto assets from their victims. ESET claims to have uncovered “dozens of trojanized cryptocurrency wallet apps,” going back to May 2021. It also stated that the scheme, which it believes is the work of one group, was primarily targeting Chinese users via Chinese websites.
Lukáš Štefanko, the researcher who unraveled the scheme, said that there were other threat vectors, such as sending seed phrases to the attacker’s server using unsecured connections, adding:
“This means that victims’ funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network.”
The fake wallet apps behave slightly differently depending on where they are installed. On Android, it targets a new cryptocurrency that the user may not have previously traded, prompting the user to install the appropriate wallet. While on iOS the apps need to be downloaded using arbitrary trusted code-signing certificates circumnavigating Apple’s App Store. This means that the user can have two wallets installed simultaneously, the genuine one and the Trojan, but poses less of a threat since most users rely on App Store verification for their apps.
ESET advises cryptocurrency investors and traders to only install wallets from trusted sources that are linked to the official website of the exchange or company.
In February, Google Cloud unveiled the Virtual Machine Threat Detection (VMTD) system, which scans for and detects “cryptojacking” malware designed to hijack resources to mine digital assets.
According to a January Chainalysis report, cryptojacking accounted for 73% of the total value received by malware-related wallets and addresses between 2017 and 2021.