This kind of malware is not a novel concept, but it is new to the Android ecosystem.
ESET security researcher Lukas Stefanko has discovered Android malware that replaces the clipboard content on victims' devices.
This kind of malware is known as clipper malware and is now targeting Android users.
It intercepts the content of the clipboard and replaces it with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.
The first Android cryptocurrency clipboard exchanger found on Google Play.
Its goal is to change the copied address of the recipient's cryptocurrency wallet to the attacker's.
— Lukas Stefanko (@LukasStefanko) February 8, 2019
Dubbed Android/Clipper.C by researchers, the malware leverages the fact that cryptocurrency users do not normally type the addresses of their online wallets manually. Instead of typing, users copy and paste the addresses via the clipboard.
That is where the malware replaces the address the victim copied with one belonging to the attacker.
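The swap described above leaves a recognisable trace: a wallet address on the clipboard is overwritten, shortly after the user copied it, by a different address of the same kind written by a different app. The following detection heuristic over a constructed clipboard event log is an added example, not code from ESET or from the article; the event structure, package names and addresses are all assumed for illustration.

```python
import re
from dataclasses import dataclass

# Approximate address shapes: Ethereum is 0x + 40 hex digits; Bitcoin is
# base58 starting with 1 or 3, or bech32 starting with bc1.
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$")


def address_kind(text: str):
    """Return 'eth', 'btc' or None for a clipboard string."""
    text = text.strip()
    if ETH_RE.match(text):
        return "eth"
    if BTC_RE.match(text):
        return "btc"
    return None


@dataclass
class ClipEvent:
    t: float        # seconds since start of log (assumed format)
    source: str     # package that wrote the clipboard (assumed format)
    content: str


def detect_clipper(events, window: float = 2.0):
    """Flag a wallet address that is rewritten to a different address of the
    same kind by another package within `window` seconds of the user's copy.
    Returns a list of (event_index, reason)."""
    alerts = []
    for i in range(1, len(events)):
        prev, cur = events[i - 1], events[i]
        kind = address_kind(prev.content)
        if (kind is not None
                and address_kind(cur.content) == kind
                and prev.content.strip() != cur.content.strip()
                and cur.source != prev.source
                and cur.t - prev.t <= window):
            alerts.append((i, f"{kind} address rewritten by {cur.source}"))
    return alerts


# Constructed sample log: one genuine copy, an immediate rewrite by another
# package, unrelated text, and later copies that should not be flagged.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "com.example.wallet", "0x" + "1" * 40),        # user copies recipient
    ClipEvent(0.3, "com.example.fakewallet", "0x" + "2" * 40),    # rewritten: flagged
    ClipEvent(10.0, "com.example.notes", "meeting at 3pm"),       # not an address
    ClipEvent(12.0, "com.example.wallet", "1" + "A" * 33),        # btc copy, no rewrite
    ClipEvent(60.0, "com.example.browser", "0x" + "3" * 40),      # new copy, outside window
]

if __name__ == "__main__":
    print(detect_clipper(SAMPLE_EVENTS))
```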
The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.
The malware was originally found in a fake MetaMask app. The real MetaMask is a browser plugin that allows users to make Ethereum transactions through regular websites.
The plugin is currently available for the Chrome, Firefox and Brave browsers. However, the company does not offer an app for Android or iOS devices, which means the attackers were using a fake version of MetaMask to steal users' funds.
The malware was first spotted on the Play Store on February 1, 2019.
The finding was also reported to the Google Play security team, who removed the app from the official store.
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.