Cryptocurrency users and enthusiasts are being targeted by malicious actors with fake wallet apps that steal their precious tokens, researchers have found.
Confiant cybersecurity researchers have discovered that some of the world’s most popular cryptocurrency wallets are being counterfeited by clones that carry malware.
Coinbase, MetaMask, TokenPocket and imToken are among those affected, with threat actors creating apps that are seemingly identical to the legitimate ones, but with one key difference – they carry a backdoor capable of stealing people’s passphrases. The passphrase, or passkey, is a string of words used to retrieve or load an existing wallet in the new application. People use it when they forget their passwords, install the app on a new endpoint, or need to carry a wallet on a different device.
Tens of millions of potential targets
Being malicious, these apps cannot be found in official app repositories like Play Store or App Store. Instead, threat actors rely on distributing the application via web pages, which they promote via black SEO techniques, SEO poisoning, social media marketing, forum promotions, malicious advertising, etc.
The researchers couldn’t say how many people were tricked into downloading these apps, but Coinbase’s legitimate app alone has over 10 million downloads on Android.
As for victims, the attackers seem to be targeting mainly the Asian population. Baidu search engine results were the most impacted by the campaign as they drive “large amounts” of traffic to the websites that host the malicious applications.
The attackers themselves appear to be Asian as well. Confiant calls them SeaFlower and believes they are Chinese due to subtle hints such as the language of comments in the source code, the location of the infrastructure, and the frameworks and services used.
The campaign appears to have been active since at least March of this year, Confiant says, adding that it is “the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.”
Via: BleepingComputer