Another malicious cryptocurrency-stealing app found on Google Play

• The malware disguised in the form of a cryptocurrency app replaced crypto wallet addresses of users with that of attackers.
• This “clipper” malware manipulates contents in the Android clipboard to inject the attackers’ wallet addresses instead of the users' wallet addresses.

Android app store Google Play was found harboring yet another malicious app in its platform. This app stole cryptocurrency from users who installed it on their devices.

According to IT security company ESET which exposed this app, it primarily targeted users’ cryptocurrency wallet credentials and keys, while it also replaced their wallet addresses with that of the attackers’, whenever copied to the clipboard.

So, when users deposited crypto related funds through this, they were actually being sent to the attackers’ address. In reality, the app is a malware that banks on Android clipboard’s copy-and-paste function. Dubbed as Android/Clipper.C, the malware’s primary aim is to steal user credentials to take over users’ Ethereum wallets.

Impersonating MetaTask

The app portrayed itself as a service known as MetaMask -- which allows running Ethereum decentralized apps(dApps) on browsers.

“This attack targets user who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node," explained the researchers about the target users.

However, MetaTask does not offer a mobile app currently so the attackers impersonated MetaTask to target its userbase. And this was not the first instance of a malicious app trying to impersonate the legitimate service.

"...the service currently does not offer a mobile app – only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” stated the ESET researchers in their blog.

After ESET informed Google of the malicious application, the tech giant removed the app from Google Play. Lately, clipper malware has become the go-to method for cybercriminals to effortlessly steal cryptocurrencies from users.