Cryptocurrency theft scheme discovered by ESET

News Desk


ESET Research discovered and investigated a sophisticated malicious cryptocurrency scheme that targets mobile devices running Android or iOS (iPhones). The malicious apps are distributed via fake websites that imitate legitimate wallet services such as MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These bogus websites are promoted through advertisements placed on legitimate websites that carry deceptive content. Furthermore, the threat actors are recruiting intermediaries via Telegram and Facebook groups to spread the scheme. The primary goal of the malicious apps is to steal users’ funds, and so far ESET Research has observed the scheme targeting mainly Chinese users. As cryptocurrencies gain popularity, ESET anticipates that these techniques will spread to other markets.

“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network,” says Lukáš Štefanko, ESET researcher who discovered the scheme. “We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store,” he adds.
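The eavesdropping risk Štefanko describes cuts both ways: a seed phrase sent over plaintext HTTP is readable by anyone on the network path, and that same visibility lets a defender spot the leak. The following is an added example, not ESET's code and not taken from the apps in question, showing how a network monitor could flag mnemonic-shaped values in captured plaintext HTTP requests. It assumes captured requests are available as raw HTTP/1.x text, uses a constructed subset of the BIP39 English wordlist rather than the full 2048-word list, invents the hostnames, paths and sample traffic, and does not verify the BIP39 checksum (it is a shape-based heuristic only).

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed subset of the BIP39 English wordlist (the real list has 2048 words);
# a production detector would load the full list instead.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire across act action actor actress actual
adapt add addict address adjust admit adult advance advice zebra zero zone zoo
""".split())

# Valid BIP39 mnemonics are 12, 15, 18, 21 or 24 words long.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _walk_json(obj):
    """Yield every string value nested anywhere in a decoded JSON document."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _walk_json(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk_json(value)
    elif isinstance(obj, str):
        yield obj


def candidate_strings(target, headers, body):
    """Yield text values from the query string and from form-encoded or JSON bodies."""
    _path, _, query = target.partition("?")
    for values in parse_qs(query, keep_blank_values=True).values():
        yield from values
    if "json" in headers.get("content-type", ""):
        try:
            yield from _walk_json(json.loads(body))
            return
        except ValueError:
            pass  # malformed JSON: fall through to the generic handling below
    for values in parse_qs(body, keep_blank_values=True).values():
        yield from values
    yield unquote_plus(body)  # catches a mnemonic embedded in an unstructured body


def longest_wordlist_run(text):
    """Return the longest run of consecutive wordlist words in text (checksum not checked)."""
    best, run = [], []
    for word in re.findall(r"[a-z]+", text.lower()):
        if word in BIP39_SUBSET:
            run.append(word)
            continue
        best = max(best, run, key=len)
        run = []
    return max(best, run, key=len)


def find_seed_leak(raw_request):
    """Return details of a mnemonic-shaped value in a plaintext HTTP request, else None."""
    _method, target, headers, body = parse_http_request(raw_request)
    for text in candidate_strings(target, headers, body):
        run = longest_wordlist_run(text)
        if len(run) in MNEMONIC_LENGTHS:
            return {"host": headers.get("host"), "target": target, "words": len(run)}
    return None


# Constructed sample traffic: hostnames, paths and phrases are invented for the example.
LEAK_FORM = "\r\n".join([
    "POST /api/wallet/import HTTP/1.1",
    "Host: wallet-update.example",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "wallet=trust&mnemonic=" + "+".join(["abandon"] * 11 + ["about"]),
])
LEAK_JSON = "\r\n".join([
    "POST /v1/backup HTTP/1.1",
    "Host: wallet-update.example",
    "Content-Type: application/json",
    "",
    json.dumps({"device": "android", "phrase": " ".join(["zoo"] * 23 + ["zero"])}),
])
BENIGN = "\r\n".join([
    "POST /api/login HTTP/1.1",
    "Host: wallet-update.example",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "user=alice&note=able+to+access+the+account+above",
])

if __name__ == "__main__":
    for name, request in [("form", LEAK_FORM), ("json", LEAK_JSON), ("benign", BENIGN)]:
        print(name, find_seed_leak(request))
```

The length constraint is what keeps this usable: many BIP39 words ("able", "account", "above") are ordinary English, so a run of two or three of them is noise, while a run of exactly 12 or 24 in one request field is worth an alert. The check only works because the traffic is unsecured HTTP; had the apps used HTTPS, a capture would show TLS records and at most the server name from the ClientHello, and the on-path exposure Štefanko describes would not exist in the first place.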

ESET discovered dozens of groups promoting malicious copies of cryptocurrency mobile wallets on Telegram, a free and popular multiplatform messaging app with enhanced privacy and encryption features. We believe these groups were formed by the threat actor behind this scheme in search of additional distribution partners, and this activity has been ongoing since May 2021. We discovered that these Telegram groups were shared and promoted in at least 56 Facebook groups with the same goal – to find more distribution partners – beginning in October 2021. We discovered the distribution of malicious wallets using two legitimate websites in November 2021.


Besides these distribution vectors, we discovered dozens of other counterfeit wallet websites that target mobile users exclusively. Visiting one of them might lead a potential victim to download a trojanized wallet app for Android or iOS.

The malicious app behaves differently depending on the operating system it is installed on. On Android, it appears to be aimed at new cryptocurrency users who do not yet have a legitimate wallet app installed on their devices. On iOS, the victim can have both versions installed: the legitimate App Store version and the malicious version downloaded from a website.

Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further.

