ESET Research has discovered and tracked a sophisticated scheme that targets mobile devices running Android or iOS. Malicious applications are distributed through fake websites that mimic legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These fake websites are promoted through advertisements placed on legitimate pages and through misleading articles. In addition, the threat actors are recruiting intermediaries through Telegram and Facebook groups to further distribute the malicious apps.
The main goal of the malicious apps is to steal user funds, and so far ESET Research has seen the scheme mainly targeting Chinese users. As cryptocurrencies gain in popularity, ESET expects these techniques to spread to other markets.
In May 2021, ESET's investigation uncovered dozens of trojanized cryptocurrency wallet apps. This is a sophisticated attack vector: the malware author performs an in-depth analysis of the legitimate applications misused in the scheme, which allows the malicious code to be inserted in hard-to-detect places while the manipulated apps keep the same functionality as the originals. At this time, ESET Research believes the operation is likely the work of a single criminal group.
“These malicious apps also pose another threat to victims, as some of them send victim passwords to the attackers’ server using an insecure HTTP connection. This means that victims’ deposits could be stolen not only by the operator of this network, but also by a different attacker spying on the same network,” says Lukáš Štefanko, the ESET researcher who discovered this operation. “We have also found 13 malicious applications that impersonate the Jaxx Liberty wallet. These applications were available in the Google Play store.”
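The cleartext exfiltration Štefanko describes is also what makes this behaviour easy to spot from the network side: anyone capturing traffic on the same segment can see the credentials, and so can a defender. The following is an added example, not code from the article or from ESET, of a small scanner that takes raw HTTP requests (as you would pull them out of a packet capture) and flags POST or PUT bodies carrying credential-like fields. The request samples, the hostname `wallet.example`, and the list of sensitive parameter names (`password`, `mnemonic`, and so on) are all constructed assumptions for the example, not indicators from the research.

```python
"""Flag credential-like fields sent in cleartext HTTP request bodies.

Added example: the trojanized wallets described in the article post victim
passwords over plain HTTP, so a passive observer on the same network can read
them. This scans raw HTTP requests (e.g. reassembled from a capture) for that
pattern. All sample data below is constructed; field names are assumptions.
"""
import json
import re
from urllib.parse import parse_qs

# Parameter names that commonly carry secrets (assumed list for the example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pin", "mnemonic", "seed", "private_key"}

# Only request methods that normally carry a body are interesting here.
REQUEST_LINE = re.compile(r"^(POST|PUT)\s+(\S+)\s+HTTP/1\.[01]$", re.I)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Returns None for requests that are not POST/PUT or do not parse."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return m.group(1).upper(), m.group(2), headers, body


def body_fields(headers, body):
    """Decode a JSON or form-encoded body into a flat dict of top-level fields."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    if "x-www-form-urlencoded" in ctype:
        return {k: v[0] for k, v in parse_qs(body).items()}
    return {}


def find_cleartext_secrets(raw):
    """Return (host, path, field) for every sensitive field in one cleartext request."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []
    _, path, headers, body = parsed
    host = headers.get("host", "?")
    return [(host, path, key) for key in body_fields(headers, body)
            if key.lower() in SENSITIVE_KEYS]


def scan(requests):
    """Run the check over a list of raw requests and collect all findings."""
    findings = []
    for raw in requests:
        findings.extend(find_cleartext_secrets(raw))
    return findings


# Constructed sample traffic: two leaky requests, two harmless ones.
SAMPLE_REQUESTS = [
    "POST /api/login HTTP/1.1\r\nHost: wallet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=hunter2",
    "POST /api/import HTTP/1.1\r\nHost: wallet.example\r\n"
    "Content-Type: application/json\r\n\r\n"
    + json.dumps({"mnemonic": "abandon abandon ... about", "lang": "en"}),
    "GET /index.html HTTP/1.1\r\nHost: wallet.example\r\n\r\n",
    "POST /api/price HTTP/1.1\r\nHost: wallet.example\r\n"
    "Content-Type: application/json\r\n\r\n" + json.dumps({"symbol": "BTC"}),
]

if __name__ == "__main__":
    for host, path, field in scan(SAMPLE_REQUESTS):
        print(f"cleartext secret field '{field}' sent to http://{host}{path}")
```

The check is deliberately narrow: it inspects only top-level JSON and form fields and only cleartext HTTP/1.x, because TLS-protected traffic would not be readable in the capture in the first place. In practice you would feed it reassembled streams from a proxy or packet capture and extend the key list to whatever your wallet app's API uses.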
Distribution organized on Telegram
On Telegram, a popular free cross-platform messaging application with enhanced privacy and encryption features, ESET has found dozens of groups promoting malicious copies of cryptocurrency mobile wallets.
These groups were presumably created by the threat actor behind the scheme to recruit more distribution partners, and the activity has been ongoing since May 2021. By early October 2021, ESET found these Telegram groups being shared and promoted in at least 56 Facebook groups with the same goal: recruiting more distribution partners. In November 2021, the company also detected malicious wallets being distributed through two legitimate Chinese websites.
In addition to these distribution vectors, ESET has discovered dozens of other fake wallet websites that exclusively target mobile users. Visiting one of these websites can lead a potential victim to download a trojanized wallet app for Android or iOS.
The malicious app behaves differently depending on the operating system it is installed on. On Android, it appears to target new cryptocurrency users who do not yet have a legitimate wallet app installed on their devices. On iOS, the victim can end up with both versions installed: the legitimate one from the App Store and the malicious one from a website.
On iOS, these malicious apps are not available on the App Store; they must be downloaded and installed using configuration profiles, which add an arbitrary trusted code signing certificate. A legitimate App Store wallet never asks the user to install such a profile, so that prompt alone is a warning sign. On Google Play, following ESET's request as a partner of the Google App Defense Alliance, Google had removed the 13 malicious apps found on the official store as of January 2022.
Furthermore, the source code of this threat appears to have been leaked and shared on several Chinese websites, which could attract other attackers and spread the threat further.
“Currently the price of bitcoin has fallen by almost half since its all-time high about four months ago. For crypto investors, this could be a time to panic and withdraw their funds, or for newcomers to jump at this opportunity and buy crypto at a lower price. If you belong to one of these groups, you should carefully choose which mobile application to use to manage your funds,” Štefanko advises.