The antivirus maker and internet security firm ESET has uncovered a sophisticated malicious cryptocurrency scheme that has been targeting mobile users on Android and iOS since May of last year.
The scheme itself is believed to be the work of one criminal group and it uses malicious apps distributed through fake websites in order to steal Bitcoin and other cryptocurrencies from unsuspecting users. These malicious apps mimic popular cryptocurrency wallets including Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey.
Those behind the scheme use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these copycat wallet apps. However, the cybercriminals have also recruited intermediaries through groups on Telegram and Facebook. While the main goal of the scheme is to steal users’ funds, ESET Research has mainly observed Chinese users being targeted but with cryptocurrencies becoming more popular, the firm’s security researchers expect the techniques used in it to spread to other markets.
The ESET researcher who discovered the scheme, Lukáš Štefanko provided further insight on how it works in a press release, saying:
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network. We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store.”
An elaborate scheme
Beginning in May of last year, ESET’s security researchers discovered dozens of trojanized cryptocurrency wallet apps.
What sets this scheme apart from other crypto scams though is the fact that the author of the malware carried out in-depth analysis of legitimate crypto apps in order to insert their own malicious code in places where it would be hard to detect. At the same time, they also ensured that the fake apps they created had the same functionality as the originals.
ESET found dozens of groups promoting malicious copies of cryptocurrency wallets on Telegram since May of 2021. Beginning in October of last year, these same Telegram groups were shared and promoted in at least 56 Facebook groups to look for even more distribution partners. Then in November, ESET spotted these fake cryptocurrency wallet apps being distributed on two legitimate Chinese websites.
These malicious apps also behave differently on Android and iOS. On Android they target new cryptocurrency users that don’t already have a wallet app installed on their devices while on iOS, the victims can have both a legitimate and a malicious wallet app installed.
As the source code of this scheme has been leaked and shared on several Chinese websites, it could attract other cybercriminals to spread it even further. For this reason, users interested in buying, selling and storing cryptocurrencies should only download crypto wallet apps from either the Apple App Store or the Google Play Store.
