Researchers have blown the lid off a sophisticated malicious scheme primarily targeting Chinese users via copycat apps on Android and iOS that mimic legitimate digital wallet services to siphon cryptocurrency funds.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” said Lukáš Štefanko, senior malware researcher at ESET in a report shared with The Hacker News.
The wallet services are said to have been distributed through a network of over 40 counterfeit wallet websites that are promoted with the help of misleading articles posted on legitimate Chinese websites, as well as by means of recruiting intermediaries through Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps.
ESET, which has been tracking the campaign since May 2021, attributed it to the work of a single criminal group. The trojanized cryptocurrency wallet apps are crafted in such a manner that they replicate the same functionality of their original counterparts, while also incorporating malicious code changes that enable the theft of crypto assets.
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” Štefanko said. “This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network.”
The Slovak cybersecurity company said it found dozens of groups promoting malicious copies of these wallet apps on the Telegram messaging app that were in turn shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent scheme.
“Based on the information acquired from these groups, a person distributing this malware is offered a 50 percent commission on the stolen contents of the wallet,” ESET noted.
In a unique twist, the apps, once installed, are configured differently depending on the operating system of the compromised mobile devices. On Android, the apps are aimed at cryptocurrency users who do not yet have any of the targeted wallet applications already installed, while on iOS, the victims can have both versions installed.
It’s also worth pointing out that fake wallet apps are not directly available on the iOS App Store. Rather they can only be downloaded by visiting one of the malicious websites using configuration profiles that make it possible to install applications that are not verified by Apple and from sources outside the App Store.
The investigation also unearthed 13 rogue apps that masqueraded as the Jaxx Liberty Wallet on the Google Play Store, all of which since been removed from the Android app marketplace as of January 2022. They were collectively installed more than 1,100 times.
“Their goal was simply to tease out the user’s recovery seed phrase and send it either to the attackers’ server or to a secret Telegram chat group,” Štefanko said.
With the threat actors behind the operation actively recruiting partners through social media and messaging apps and offering them a percentage of the stolen digital currency, ESET warns that the attacks could spill over to other parts of the world in the future.
“Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.