ESET Discovers Malicious Crypto Scheme that Targets Android and iOS Users

ESET Research discovered and traced back a sophisticated malicious cryptocurrency scheme that targets mobile devices running Android or iOS (iPhones). The malicious apps are distributed through fake websites that mimic legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These fake websites are promoted through ads placed on legitimate sites via misleading articles. Furthermore, the threat actors are recruiting intermediaries through Telegram and Facebook groups to distribute the scheme further. The main goal of the malicious apps is to steal users’ funds; so far, ESET Research has seen this scheme mainly targeting Chinese users. As cryptocurrencies gain popularity, ESET expects these techniques to spread to other markets.

“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network,” says Lukáš Štefanko, ESET researcher who discovered the scheme. “We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store,” he adds.
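The plaintext seed-phrase exfiltration described above is something a network defender can watch for on egress. The following is an added example (not ESET's code) showing a triage heuristic run over constructed HTTP POST logs: it flags mnemonic-shaped values sent without TLS. The URLs and bodies are constructed, and the word-shape check is an assumption standing in for a full BIP39 wordlist and checksum validation.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of outbound POST requests as an egress monitor might
# log them (URL plus body); none of these are real traffic from the campaign.
SAMPLE_POSTS = [
    ("http://wallet-backup.example/api/import",
     "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract"
     "+absurd+abuse+access+accident&pwd=x"),
    ("https://api.example-wallet.example/v1/import",        # TLS: not visible on the wire
     '{"mnemonic": "zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong"}'),
    ("http://cdn.example/analytics",                        # benign telemetry
     '{"event": "open", "ver": "1.2.3"}'),
    ("http://wallet-backup.example/api/import",
     '{"words": "letter advice cage absurd amount doctor acoustic avoid letter advice cage above"}'),
]

WORD_RE = re.compile(r"^[a-z]{3,8}$")          # BIP39 words are 3..8 lowercase letters
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}        # valid BIP39 mnemonic word counts


def looks_like_mnemonic(value):
    """Heuristic (assumed, not authoritative): 12..24 BIP39-shaped words.
    A production check would also verify each word against the 2048-word
    list and the mnemonic checksum to cut false positives on plain sentences."""
    words = value.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def body_values(body):
    """Yield string values from a JSON object body or a form-encoded body."""
    try:
        obj = json.loads(body)
    except ValueError:
        for vals in parse_qs(body).values():   # form encoding: '+' decodes to a space
            yield from vals
        return
    if isinstance(obj, dict):
        for v in obj.values():
            if isinstance(v, str):
                yield v


def find_plaintext_mnemonic_leaks(posts):
    """Return (host, path) for every plaintext HTTP POST carrying a mnemonic-shaped value."""
    hits = []
    for url, body in posts:
        u = urlsplit(url)
        if u.scheme != "http":                 # only unencrypted traffic is eavesdroppable
            continue
        if any(looks_like_mnemonic(v) for v in body_values(body)):
            hits.append((u.hostname, u.path))
    return hits
```

Run against `SAMPLE_POSTS`, only the two plaintext requests to `wallet-backup.example` are flagged; the TLS request and the telemetry call are not.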

On Telegram, a free and popular multiplatform messaging app with enhanced privacy and encryption features, ESET found dozens of groups promoting malicious copies of cryptocurrency mobile wallets. Besides these distribution vectors, we discovered dozens of other counterfeit wallet websites that are targeting mobile users exclusively. Visiting one of the websites might lead a potential victim to download a trojanized wallet app for Android or the iOS platform.

The malicious app behaves differently depending on the operating system on which it is installed. On Android, it appears to target new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. On iOS, the victim can have both versions installed – the legitimate one from the App Store and the malicious one from a website.

Regarding iOS, these malicious apps are not available on the App Store; they must be downloaded and installed using configuration profiles, which add an arbitrary trusted code-signing certificate. With regard to Google Play, at ESET's request as a Google App Defense Alliance partner, Google removed 13 malicious applications found on the official store in January 2022.

For more technical information, check out the blogpost “Crypto malware in patched wallets targeting Android and iOS devices” on WeLiveSecurity.