iPhone and Android users lose cryptocurrency due to copycat apps

Experts report that apps mimicking legitimate digital wallet services manage to siphon funds from smartphone users

Chinese users targeted with trojanized apps. Trojanized applications mimic legitimate cryptocurrency wallet services.

Researchers have uncovered a scheme that uses trojanized Android and iOS apps posing as popular cryptocurrency wallets. The malicious scheme primarily targets Chinese users.[1] According to the research,[2] these applications were able to steal secret seed phrases by impersonating Coinbase, imToken, Metamask, Trust Wallet, Bitpie, TokenPocket, and other applications. Dozens of trojanized applications have been discovered since May 2021.

The malicious actors carried out an in-depth analysis of the legitimate applications, which made these adversary-in-the-middle attacks[3] and the insertion of their own malicious code possible. The code was inserted in places where it would be hard to detect, and the functionality of the crafted apps was not affected, so it remains the same as in the original app. The main goal of such malicious applications is to steal funds from users.

Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group.

The campaign involves promotional content on 40 counterfeit wallet websites that are additionally promoted in articles on legitimate Chinese sites. The operators also recruit intermediaries through Telegram and Facebook. Unsuspecting users can easily be tricked into downloading these malicious apps this way.

Malicious apps replicate the functionality of the original

The campaign, tracked since last year, seems to be controlled by a single criminal group. These trojanized applications are crafted to fully mimic the functionality of their original counterparts, even though the malicious code changes the application and enables the theft of crypto assets.

The apps also pose another threat to victims, because some of them send the seed phrases to the attackers over an unsecured HTTP connection.[4] This way, victims' funds can be obtained not only by the operator of the scheme, but also by any attacker able to eavesdrop on the same network. Once the seed phrase is obtained, the contents of these wallets can be manipulated.
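The unencrypted exfiltration described above is also what makes it detectable on the wire. The following is an added defender example, not code from the article or from ESET: it scans constructed proxy-style log entries of plaintext HTTP requests for a run of consecutive BIP-39 wordlist words long enough to be a recovery seed phrase. The wordlist embedded here is a constructed subset (the first 24 words of the English BIP-39 list); a real deployment would load the full 2048-word list.

```python
import re
from typing import List, Tuple

# Constructed subset of the English BIP-39 wordlist (its first 24 words).
# Assumption: a real check loads the full list from a file.
WORDLIST = frozenset("""abandon ability able about above absent absorb abstract
absurd abuse access accident account accuse achieve acid acoustic acquire across
act action actor actress actual""".split())

MIN_WORDS = 12  # shortest valid BIP-39 mnemonic (12, 15, 18, 21 or 24 words)

# Constructed sample of requests as a proxy might log them: (method, url, body).
# Hostnames are placeholders, not indicators from the article.
SAMPLE_REQUESTS = [
    ("POST", "http://wallet-update.example/api/v1/sync",
     "uid=42&phrase=abandon+ability+able+about+above+absent+absorb+abstract"
     "+absurd+abuse+access+accident"),
    ("POST", "https://legit-wallet.example/login", "user=alice&pw=secret"),
    ("GET", "http://news.example/article?id=7", ""),
    ("POST", "http://cdn.example/telemetry",
     '{"words": "act action actor actress actual about above"}'),
]


def longest_wordlist_run(body: str) -> int:
    """Length of the longest run of consecutive tokens that are all wordlist words.

    Tokenising on letters only means '+', '&', quotes and JSON punctuation do
    not break a phrase that was form- or JSON-encoded.
    """
    tokens = re.findall(r"[a-z]+", body.lower())
    best = run = 0
    for tok in tokens:
        run = run + 1 if tok in WORDLIST else 0
        best = max(best, run)
    return best


def find_seed_exfil(requests) -> List[Tuple[int, int]]:
    """Return (request_index, run_length) for each plaintext HTTP POST whose
    body carries at least MIN_WORDS consecutive wordlist words."""
    hits = []
    for i, (method, url, body) in enumerate(requests):
        # Only http:// bodies are readable to an eavesdropper; GET carries no body.
        if method != "POST" or not url.startswith("http://"):
            continue
        run = longest_wordlist_run(body)
        if run >= MIN_WORDS:
            hits.append((i, run))
    return hits


if __name__ == "__main__":
    for idx, n in find_seed_exfil(SAMPLE_REQUESTS):
        print(f"request {idx}: {n}-word seed phrase sent over plaintext HTTP")
```

The seven-word run in the last sample request is deliberately below the threshold, so ordinary vocabulary that happens to overlap the wordlist does not fire.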

The promotional material used online to market these malicious application copies can be found on various services. Researchers also found at least 56 Facebook groups with posts looking for possible partners for the fraudulent scheme:

Based on the information acquired from these groups, a person distributing this malware is offered a 50 percent commission on the stolen contents of the wallet.

Universal OS application configuration

Once the app is installed on the smartphone, its behavior differs depending on the OS the compromised mobile device runs. The Android applications target cryptocurrency users who do not already have any of the mimicked applications installed. On iOS, the malicious applications can be installed even where the original app is already present.

The latter version for iOS is even available on the App Store. The investigation also showed 13 unearthed applications masquerading as the Jaxx Liberty Wallet on the Google Play store. Those have already been removed from the Android app marketplace. However, before the takedown in January, these applications had been installed more than 1100 times.

Given the growing popularity[5] of cryptocurrency, it is believed that these schemes can become more advanced and serious. ESET warns that such attacks can begin in other parts of the world and target other users, applications, and services. Also, the source code of the threat is publicly available on Chinese websites, so threat actors can spread these campaigns further.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
