Malicious crypto wallets found targeting Android, iOS users

Dozens of malicious apps posing as crypto wallets have appeared online with the aim of stealing users’ funds around the world. According to a research report, these apps were available for both Android and iOS users as part of a sophisticated scheme. The malicious apps were found impersonating crypto wallets such as Coinbase, ImToken, MetaMask, Trust Wallet, BitPay, TokenPocket and OneKey. The Trojanized crypto wallets were first discovered in May 2021 and were initially targeted at Chinese users. However, as cryptocurrencies become more popular, the techniques used by the attackers could be extended to users around the world.

Internet security firm ESET has reported the discovery of malicious crypto wallet apps that appear to be available to both Android and iOS users.

Research by ESET found a sophisticated scheme operated by unknown attackers and identified more than 40 websites impersonating popular crypto wallets. These websites target mobile users and push visitors to download malicious wallet apps using various techniques.

Although early evidence suggested the target may have been Chinese users, it was later found that the scheme could be aimed at anyone who is using the English language on their phone.

“They are not just targeting Chinese users, as most of the distributed fake websites and apps are in the English language. Because of that, I believe it can affect anyone in the world (if they speak English),” Lukas Stefanko, malware analyst at ESET, told Gadgets 360.

The first trace of the distribution vector of a Trojanized wallet was observed in May 2021. According to the report, the attackers used various Telegram groups to recruit people to distribute the malicious apps.

Based on the information received, the researchers found that the attackers were paying distributors a 50 percent commission on the stolen contents of each wallet. The aim was to bring more people on board to spread the malware.

The researchers also observed that Telegram groups were shared and promoted in certain Facebook groups, with the goal of discovering more distribution partners for the malware. This could eventually expand the scope of malicious attacks by getting intermediaries to target individuals.

According to the researchers, malware apps were pretending to work as legitimate crypto wallets, such as imToken, Bitpie, MetaMask, TokenPocket, and OneKey.

The researchers said that the apps behaved differently depending on the operating system on which they were installed.

On Android, the apps targeted new crypto users who did not yet have a legitimate wallet app installed on their device. The fake wallet apps used the same package names as their legitimate counterparts in order to pass as the originals, but they were signed with a different certificate. Because the signing certificate differs, these apps cannot overwrite an official wallet that is already installed on the device.
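As an added illustration, which is not code from the article or from ESET, the following Python models the package-name and signing-certificate rule just described and adds a pinning check a defender could apply to an installed-app inventory. The package name, certificate bytes and fingerprints are constructed placeholders, not real wallet vendors' values.

```python
"""
Model of Android's package-uniqueness rule: two APKs with the same package name
but different signing certificates cannot replace each other.
All certificates, package names and fingerprints below are constructed
placeholders for this example, not real vendor values.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Apk:
    package: str      # Android applicationId (constructed value in this example)
    cert_der: bytes   # DER-encoded signing certificate; placeholder bytes here


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, formatted like the output of
    `apksigner verify --print-certs` / `keytool -printcert` (hex pairs with colons)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def install_decision(installed: Dict[str, Apk], candidate: Apk) -> str:
    """Mimic the package manager's check when an APK is installed.

    - No app with that package name yet: the APK installs. This is the window the
      report describes: a fake wallet lands on a device that never had the real one.
    - Same package name, same signing certificate: treated as an update.
    - Same package name, different certificate: rejected with
      INSTALL_FAILED_UPDATE_INCOMPATIBLE, so a fake cannot overwrite the real wallet.
    """
    existing = installed.get(candidate.package)
    if existing is None:
        return "INSTALL_NEW"
    if cert_fingerprint(existing.cert_der) == cert_fingerprint(candidate.cert_der):
        return "UPDATE_OK"
    return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"


def audit_installed(installed: Dict[str, Apk], pins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Defender-side check: compare every installed app that carries a known wallet
    package name against the fingerprint pinned for that vendor. Returns
    (package, observed, expected) for each mismatch; an empty list means clean."""
    mismatches = []
    for package, expected in pins.items():
        app = installed.get(package)
        if app is None:
            continue
        observed = cert_fingerprint(app.cert_der)
        if observed != expected:
            mismatches.append((package, observed, expected))
    return mismatches


# --- constructed sample data (not real vendor certificates) ---
OFFICIAL_CERT = b"constructed DER bytes: official wallet vendor certificate"
ATTACKER_CERT = b"constructed DER bytes: attacker's self-signed certificate"
WALLET_PKG = "com.example.wallet"  # placeholder for a real wallet's package name

PINNED_FINGERPRINTS = {WALLET_PKG: cert_fingerprint(OFFICIAL_CERT)}


def _try_install(installed: Dict[str, Apk], candidate: Apk) -> str:
    decision = install_decision(installed, candidate)
    if decision in ("INSTALL_NEW", "UPDATE_OK"):
        installed[candidate.package] = candidate
    return decision


def scenario_fresh_device() -> Tuple[str, List[Tuple[str, str, str]]]:
    """New crypto user with no wallet installed: the fake installs, the audit flags it."""
    installed: Dict[str, Apk] = {}
    decision = _try_install(installed, Apk(WALLET_PKG, ATTACKER_CERT))
    return decision, audit_installed(installed, PINNED_FINGERPRINTS)


def scenario_real_wallet_present() -> Tuple[str, List[Tuple[str, str, str]]]:
    """Real wallet already installed: the same-package fake is rejected, audit stays clean."""
    installed = {WALLET_PKG: Apk(WALLET_PKG, OFFICIAL_CERT)}
    decision = _try_install(installed, Apk(WALLET_PKG, ATTACKER_CERT))
    return decision, audit_installed(installed, PINNED_FINGERPRINTS)


if __name__ == "__main__":
    for name, fn in (("fresh device", scenario_fresh_device),
                     ("real wallet present", scenario_real_wallet_present)):
        decision, mismatches = fn()
        print(f"{name}: {decision}; mismatches={mismatches}")
```

On a real device the observed fingerprint would come from `apksigner verify --print-certs <apk>` or `keytool -printcert -file META-INF/CERT.RSA` on the extracted APK, and the pinned value from the vendor's published certificate; the model above only shows why a fake wallet can take hold on a fresh device but not displace a wallet that is already installed.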

On iOS, however, the malicious crypto wallet apps can be installed side by side with their legitimate versions. The malicious apps can only be installed from third-party sources, while the legitimate version may come from the official App Store.

Once installed, the researchers found, the apps could steal the seed phrases generated by the crypto wallet, which give access to the crypto associated with that wallet. These phrases were seen being sent to the attackers’ servers or to secret Telegram chat groups.

ESET researchers also discovered 13 fake wallet apps on the Google Play Store, which were removed in January at ESET’s request. The apps impersonated the legitimate Jaxx Liberty Wallet app and were installed over 1,100 times.

The researchers recommend that users download and install apps only from official sources, such as Google Play in the case of Android and Apple’s App Store for iPhone users. Users who find malicious apps on their device should uninstall them promptly. On iOS, after uninstalling the apps, users should also remove the malicious apps’ configuration profile under Settings > General > VPN & Device Management.

Users who are planning to enter the crypto world and want to set up a new wallet are recommended to use only a trusted device and app before transferring any of their hard-earned money.

“Given that attackers know all of the victim’s transaction history, attackers cannot immediately steal funds and wait for a better opportunity once more coins are accumulated,” Stefanko wrote in the report.