ESET recommends that cryptocurrency investors and traders only install wallets from trusted sources
A study by cybersecurity firm ESET has uncovered a “complex scheme” that distributes Trojan apps disguised as popular cryptocurrency wallets. The scheme, in place since May 2021, targets Chinese users through social media groups and fake websites.
The scheme targets Android and iOS mobile devices, which are put at risk when a user installs one of the fake apps.
According to ESET research, these malicious applications are distributed through fake websites and mimic legitimate crypto wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey.
The firm also found 13 malicious apps posing as the Jaxx Liberty wallet on the Google Play store. Google has since removed the offending apps, which had been installed more than 1,100 times, but many more remain on other websites and social media.
The attackers distributed their applications through groups on social networks and Telegram with the aim of stealing crypto assets from their victims. ESET says it has detected “dozens of trojanized cryptocurrency wallet applications” since May 2021. It also stated that the scheme, which it believes to be the work of a single group, was aimed primarily at Chinese users via Chinese-language websites.
Lukáš Štefanko, the researcher who uncovered the scheme, said there were further threat vectors, such as the apps sending seed phrases to the attacker’s server over insecure connections.
“This means that the funds of the victims can be stolen not only by the operator of this scheme, but also by another attacker listening on the same network,” Štefanko said.
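From the defender’s side, the risk Štefanko describes is visible in egress traffic: a wallet app should never send a recovery phrase anywhere, and doing so over plaintext HTTP is the worst case. The following triage script is an added example, not code from ESET or from any of the wallets named above. It scans a constructed proxy log (one `METHOD URL BODY` record per line; the hosts and field names are assumed) for POST bodies that have the shape of a BIP39 mnemonic, which is the seed-phrase format MetaMask, Trust Wallet and the other listed wallets use, and ranks plaintext transport above TLS transport.

```python
"""Flag wallet-app traffic that exfiltrates a seed phrase, with the plaintext
case ranked highest.  Added example; the log format, host names and field
names are constructed, not taken from ESET's report."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus, urlsplit

# BIP39 mnemonics have 12..24 words in steps of 3, and every word in the
# English list is 3..8 lowercase ASCII letters.
MNEMONIC_WORD_COUNTS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


@dataclass
class Finding:
    line_no: int
    severity: str   # "high": plaintext transport, "medium": TLS transport
    host: str
    field: str


def looks_like_mnemonic(value: str) -> bool:
    """Cheap shape check.  A production rule would also validate each word
    against the full BIP39 word list and verify the mnemonic checksum."""
    words = value.split()
    return len(words) in MNEMONIC_WORD_COUNTS and all(
        WORD_RE.fullmatch(w) for w in words
    )


def candidate_values(body: str):
    """Yield (field, value) pairs from a form-encoded body, then the whole
    decoded body, so a bare phrase without a key name is also checked."""
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            yield key, v
    yield "<body>", unquote_plus(body)


def scan_log(lines):
    """lines: 'METHOD URL BODY' records (constructed egress-proxy format).
    Returns one Finding per request that carries a seed phrase."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "POST":
            continue
        _, url, body = parts
        target = urlsplit(url)
        for field, value in candidate_values(body):
            if looks_like_mnemonic(value):
                severity = "high" if target.scheme == "http" else "medium"
                findings.append(Finding(n, severity, target.hostname or "", field))
                break   # one finding per request is enough
    return findings


# Constructed sample log.  The 12-word phrase is the public BIP39 test vector.
PHRASE = "+".join(["abandon"] * 11 + ["about"])
SAMPLE_LOG = [
    f"POST http://wallet-update.invalid/api/restore mnemonic={PHRASE}&chain=eth",
    "POST https://api.example.invalid/v1/login user=alice&pass=hunter2",
    "GET https://cdn.example.invalid/prices.json -",
    f"POST https://backup.example.invalid/sync phrase={PHRASE}",
    "POST http://telemetry.example.invalid/ping words=hello+world",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} seed phrase in '{f.field}' -> {f.host}")
```

Run as-is it reports line 1 (plaintext, high) and line 4 (TLS, medium) and ignores the login form and the two-word body. The shape check deliberately errs toward false positives; the point is that any outbound request matching it from a wallet app deserves a look, because a legitimate wallet keeps the phrase on the device.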
The fake wallet apps behave somewhat differently depending on the platform. On Android, the scheme targets a cryptocurrency the user may not have traded before and prompts the user to install the corresponding wallet. On iOS, the apps are installed using arbitrary trusted code-signing certificates, bypassing the Apple App Store. This means a user can have two wallets installed at the same time, a genuine one and a Trojan, but it poses less of a threat since most users rely on the App Store to vet their apps.
ESET recommends that cryptocurrency investors and traders only install wallets from trusted sources linked to the official website of the exchange or company.
In February, Google Cloud introduced Virtual Machine Threat Detection (VMTD), which scans for malware that mines digital assets using hijacked user computing resources.
According to a January report by Chainalysis, between 2017 and 2021, cryptojacking accounted for 73% of the total value generated by malware-related wallets and addresses.