Devilishly Ingenious: First Android Trojan Clipper on Google Play Steals Users' Crypto

TL;DR: “The first Android cryptocurrency clipboard exchanger found on Google Play,” announced Lukas Stefanko, an Android malware researcher for leading cybersecurity firm ESET. “Its goal is to change the copied address of the recipient’s cryptocurrency wallet to the attacker’s. The malware also impersonates the [MetaMask] service and lures the PK, password or phrase,” he explained.


Google Play App Impersonating, Stealing Crypto from Unsuspecting Users

Copying and pasting is a well-worn practice for most crypto users. Typing addresses by hand is simply not practical, because wallet addresses are long and every character matters. Clippers are malware designed to exploit exactly that shortcut. “It intercepts the content of the clipboard and replaces it surreptitiously with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker,” Stefanko detailed.

Clippers have become popular enough to reach Android application stores such as Google Play. “ESET researchers even discovered one hosted on download.cnet.com, one of the most popular software-hosting sites in the world,” Stefanko noted. By summer of last year, the first clipper for Android was being sold on underground forums. What is new this time around is its entrance into the Google Play store itself.

Android/Clipper.C impersonating MetaMask on Google Play

This clipper “impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker,” Stefanko claimed.

Malware researchers at ESET discovered the clipper on 1 February 2019, reporting it to Google Play, and it has since been removed. That does not, of course, mean those who downloaded it unknowingly are any safer. “This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app – only add-ons for desktop browsers such as Chrome and Firefox,” he detailed at the blog We Live Security.


Advice for avoiding such problems in the future includes keeping devices updated, using the “official Google Play store,” and to “always check the official website of the app developer or service provider for the link to the official app.” It also helps if users compare what they copied with what was actually pasted, and vice versa, before confirming a transaction.
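The "compare what you copied with what got pasted" advice above, and the clipboard-swap mechanism Stefanko describes earlier, can be turned into a concrete check. The following is an added example written for this article, not code from ESET or from the malware itself: it validates legacy Bitcoin addresses with Base58Check, does a format-only check for Ethereum addresses (no EIP-55 checksum), and then compares the address the user copied against the text that landed in the paste target. The sample addresses are the public Bitcoin genesis-block address and constructed Ethereum-style strings; the verdict names (`ok`, `swapped`, `altered`, `not-addr`) are this example's own.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Ethereum address shape: 0x followed by exactly 40 hex digits.
_ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def _b58decode(text: str) -> bytes:
    """Decode a Base58 string to raw bytes, preserving leading zero bytes."""
    n = 0
    for ch in text:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading 0x00 byte.
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation for legacy (P2PKH/P2SH) Bitcoin addresses."""
    try:
        raw = _b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:          # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def looks_like_eth_address(addr: str) -> bool:
    """Format check only; does not verify the EIP-55 mixed-case checksum."""
    return bool(_ETH_RE.match(addr))


def classify(text: str):
    """Return 'btc', 'eth' or None for a piece of clipboard text."""
    text = text.strip()
    if is_valid_btc_address(text):
        return "btc"
    if looks_like_eth_address(text):
        return "eth"
    return None


def check_paste(copied: str, pasted: str) -> str:
    """Compare what the user copied with what ended up in the paste target.

    'ok'       - identical
    'swapped'  - a valid-looking address of the same kind, but not the one copied
               (this is what a clipper produces; format checks alone miss it)
    'altered'  - the text changed and is no longer a recognisable address
    'not-addr' - the copied text was never an address, so no verdict
    """
    kind = classify(copied)
    if kind is None:
        return "not-addr"
    if copied.strip() == pasted.strip():
        return "ok"
    if classify(pasted) == kind:
        return "swapped"
    return "altered"


if __name__ == "__main__":
    # Constructed scenario: the intended recipient vs. what a clipper might leave behind.
    intended_btc = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # Bitcoin genesis-block address
    intended_eth = "0x" + "00" * 19 + "01"                     # constructed, format-valid only
    replaced_eth = "0x" + "00" * 19 + "02"                     # constructed substitute
    print(check_paste(intended_btc, intended_btc))             # ok
    print(check_paste(intended_eth, replaced_eth))             # swapped
```

The important design point is that `swapped` is only detectable by comparison with the original: a clipper substitutes a perfectly well-formed address of the same currency, so any check that merely validates the pasted address will pass it.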
