Researchers have exposed a sophisticated malware scheme, primarily targeting Chinese users, that uses copycat Android and iOS apps mimicking legitimate cryptocurrency wallet services to steal victims’ funds.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” noted Lukáš Štefanko, Senior Malware Researcher at ESET in a report shared with The Hacker News.
According to ESET, the malicious wallet apps were distributed through a network of more than 40 counterfeit wallet websites. These sites were promoted through deceptive articles posted on legitimate Chinese websites and through intermediaries recruited via Telegram groups and Facebook, in an attempt to trick unsuspecting visitors into downloading the malicious apps.
ESET, which has been tracking the campaign since May 2021, attributed it to the work of a single criminal group. Trojanized cryptocurrency wallet apps are designed to replicate the same functionality as their original counterparts, while also incorporating malicious code modifications that enable the theft of crypto assets.
“These malicious applications also pose another threat to victims, as some of them send victims’ passphrases to the attackers’ server using an insecure HTTP connection,” Štefanko said. “This means that victims’ funds could be stolen not only by the operator of this scheme, but also by another attacker eavesdropping on the same network.”
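The eavesdropping risk described in the quote above can be checked for directly in captured traffic: a seed phrase sent over plain HTTP is a run of dictionary words sitting in a request body that anyone on the path can read. The following is an added example, not code from ESET or from the article, showing a small detector that parses a raw HTTP request and flags a body containing a run of 12 or more BIP39 words. The request format, the hostname `wallet-example.invalid` and the `mnemonic` form field are constructed for illustration (the article does not describe the malware's actual exfiltration format), and `BIP39_SAMPLE` is a 24-word stand-in for the full 2048-word BIP39 English list, so the checksum that a real BIP39 phrase carries is not validated here.

```python
"""Flag plaintext HTTP requests whose body carries something shaped like a BIP39 seed phrase."""
import re
from typing import Dict, List, Set
from urllib.parse import unquote_plus

# Constructed stand-in for the 2048-word BIP39 English wordlist. These 24 entries are
# genuine BIP39 words, but a real detector must load the complete list (assumption).
BIP39_SAMPLE: Set[str] = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
    "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid",
    "acoustic", "acquire", "across", "act", "action", "actor", "actress", "actual",
}

# Valid BIP39 mnemonics have 12, 15, 18, 21 or 24 words; 12 is the shortest.
SEED_MIN_WORDS = 12

# Constructed sample capture: a form POST exfiltrating a 12-word phrase over cleartext HTTP.
SAMPLE_REQUEST = (
    b"POST /wallet/import HTTP/1.1\r\n"
    b"Host: wallet-example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"chain=BTC&mnemonic=abandon+ability+able+about+above+absent"
    b"+absorb+abstract+absurd+abuse+access+accident"
)


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into method, target, host and a decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Form bodies are URL-encoded; '+' separates words, %xx escapes other bytes.
    decoded_body = unquote_plus(body.decode("utf-8", errors="replace"))
    return {"method": method, "target": target,
            "host": headers.get("host", ""), "body": decoded_body}


def find_seed_runs(text: str, wordlist: Set[str]) -> List[List[str]]:
    """Return every maximal run of consecutive wordlist words that is long enough to be a mnemonic."""
    tokens = re.findall(r"[a-z]+", text.lower())
    runs: List[List[str]] = []
    current: List[str] = []
    for tok in tokens:
        if tok in wordlist:
            current.append(tok)
            continue
        if len(current) >= SEED_MIN_WORDS:
            runs.append(current)
        current = []
    if len(current) >= SEED_MIN_WORDS:
        runs.append(current)
    return runs


def inspect_request(raw: bytes, wordlist: Set[str] = BIP39_SAMPLE) -> List[str]:
    """Produce one alert line per seed-like phrase found in the request body."""
    req = parse_http_request(raw)
    alerts = []
    for run in find_seed_runs(req["body"], wordlist):
        alerts.append(
            f"{req['method']} {req['host']}{req['target']}: "
            f"{len(run)}-word seed-like phrase in cleartext body ({run[0]} ... {run[-1]})"
        )
    return alerts


if __name__ == "__main__":
    for alert in inspect_request(SAMPLE_REQUEST):
        print(alert)
```

Run over a pcap, the same logic would be applied to each reassembled HTTP request; with the full wordlist loaded, false positives from ordinary English text can be reduced further by verifying the BIP39 checksum on each candidate run, which the sample list here cannot do.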
The Slovak cybersecurity firm said it found dozens of groups promoting malicious copies of these wallet apps on the Telegram messaging app, which were in turn shared across at least 56 Facebook groups in hopes of finding new distribution partners for the fraudulent scheme.
“Based on information acquired from these groups, a person distributing this malware is offered a 50% commission on stolen wallet content,” ESET noted.
Notably, the apps behave differently depending on the operating system of the compromised device. On Android, the apps target cryptocurrency users who do not yet have any of the targeted wallet apps installed, while on iOS, victims can have both the legitimate and the malicious version installed side by side.
It should also be pointed out that the fake wallet apps are not available on the iOS App Store. Instead, they can only be obtained by visiting one of the malicious websites, which lead victims through installing configuration profiles that allow apps not reviewed by Apple to be installed from outside the App Store.
The investigation also uncovered 13 malicious apps impersonating the Jaxx Liberty Wallet on the Google Play Store, all of which were removed from the Android app market in January 2022. They were collectively installed over 1,100 times.
“Their goal was simply to unravel the user’s recovery seed phrase and send it either to the attackers’ server or to a secret Telegram chat group,” Štefanko said.
As the threat actors behind the operation are actively recruiting partners via social media and messaging apps and offering them a percentage of the stolen digital currency, ESET warns that the attacks could spread to other parts of the world in the future.
“Furthermore, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.