Reading Time: 2 minutes
A malware that replaces the bitcoin wallet address in clipboard has been found on Google Play.

This kind of malware is not a novel concept but is new within the Android horizon.

The security researcher from ESET, Lukas Stefanko, has discovered for replacing the clipboard content on the victim’s devices.

This kind of malware is known as Clipper malware and, now, is new to Android users.

It intercepts the content of the clipboard and replaces it with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.


 

Dubbed Android/Clipper.C by researchers; the malware leveraging the fact that cryptocurrency users do not normally enter the addresses of their online wallets manually. Instead of typing, users copy and paste the addresses using the clipboard.

That is where the malware replaces the address of the victim with another belonging to the attacker.

The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.

 

Fig-1

 

The malware was originally found in the MetaMask app. This app is a browser plugin that allows users to make Ethereum transactions through regular websites.

The plugin is also currently available on Chrome, Firefox and Brave browser. However, the company does not have an app for Android or iOS devices which means that attackers were using a fake version of MetaMask to steal their funds.

The malware was initially noted on Play Store on February 1, 2019.

The finding was also reported to the Google Play security team, who removed the app from the official store.