13 Apps Removed After Researchers Discover Trojan Crypto Wallet Scheme


Research by cybersecurity firm ESET has uncovered a “sophisticated scheme” that spreads Trojan horse apps disguised as popular cryptocurrency wallets.

The scheme targets Android and iOS devices, which are compromised when the user installs one of the fake apps.

According to ESET research, these malicious apps are distributed via fake websites and imitate legitimate crypto wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey.

The firm also found 13 malicious apps posing as the Jaxx Liberty wallet on the Google Play Store. Google has since removed them, but they had been installed more than 1,100 times, and many more remain on other websites and social media platforms.

Threat actors have been spreading the apps through Facebook and Telegram groups with the aim of stealing victims’ crypto assets. ESET says it has found “dozens of Trojan cryptocurrency wallet apps” dating back to May 2021, and that the scheme, which it attributes to a single group, mainly targets Chinese users through Chinese websites.

Lukáš Štefanko, the ESET researcher who uncovered the scheme, said the apps introduce further risks beyond the operator’s own theft, such as sending users’ seed phrases to the attacker’s server over insecure connections, adding:

“This means that victims’ funds could be stolen not only by the operator of this scheme, but also by another attacker eavesdropping on the same network.”
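The exfiltration Štefanko describes, a seed phrase posted to the operator’s server over a plaintext connection, is something a network defender can look for. The following is an added example, not code from ESET or from the article: a heuristic scanner that runs over constructed HTTP request records and flags form or query fields whose value has the shape of a BIP39 mnemonic, rating a hit sent over plain http:// above one sent over https:// because the former is readable by anyone on the path, exactly the eavesdropping risk quoted above. The sample requests, the hosts and the field names are all constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of HTTP requests in the shape a proxy or network sensor
# might log them: (method, url, body). Illustrative only, not traffic from
# ESET's research; hosts are RFC 5737 documentation addresses.
SAMPLE_REQUESTS = [
    ("POST", "http://203.0.113.10/api/import",
     "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract"
     "+absurd+abuse+access+accident&pwd=x"),
    ("POST", "https://wallet.example/api/login", "user=alice&pwd=hunter2"),
    ("GET", "http://203.0.113.10/ping", ""),
    ("POST", "http://198.51.100.7/up", "seed=word1+word2+word3"),
]

# Every word in the English BIP39 list is 3 to 8 lowercase letters, and a valid
# mnemonic has 12, 15, 18, 21 or 24 words. Matching on that shape instead of
# embedding the 2048-word list is a heuristic (assumption): it can fire on other
# runs of short words, so treat hits as leads to triage rather than proof.
BIP39_WORD_RE = re.compile(r"^[a-z]{3,8}$")
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def looks_like_mnemonic(value: str) -> bool:
    """True if the value is a whitespace-separated run of mnemonic-shaped words."""
    words = value.split()
    return len(words) in MNEMONIC_LENGTHS and all(BIP39_WORD_RE.match(w) for w in words)


def check_request(method: str, url: str, body: str) -> Optional[dict]:
    """Flag a request whose query string or form body carries a mnemonic-shaped value.

    Returns a finding dict or None. A phrase sent over plain http:// is rated
    'critical' because anyone on the network path can read it; over https://
    only the destination server can, so it is rated 'high'.
    """
    parts = urlsplit(url)
    fields = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        # parse_qs decodes '+' to a space, so the 12 words become one value
        fields.update(parse_qs(body, keep_blank_values=True))
    for key, values in fields.items():
        for value in values:
            if looks_like_mnemonic(value):
                plaintext = parts.scheme == "http"
                return {
                    "host": parts.hostname,
                    "field": key,
                    "word_count": len(value.split()),
                    "plaintext": plaintext,
                    "severity": "critical" if plaintext else "high",
                }
    return None


def scan(requests) -> list:
    """Run check_request over an iterable of (method, url, body) tuples."""
    return [f for f in (check_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

On the constructed sample only the first request is flagged: a 12-word value in a field named `mnemonic`, posted in the clear to 203.0.113.10. The three-word `seed` field is ignored because it is not a valid mnemonic length. In a real deployment the heuristic would be tightened by checking each word against the actual BIP39 wordlist and validating the checksum, which this example leaves out.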

The fake wallet apps behave slightly differently depending on the platform. On Android, the malicious app targets a cryptocurrency the user may not have traded before, prompting the user to install the “appropriate” wallet for it. On iOS, the apps cannot go through the App Store, so they are installed using arbitrary trusted code-signing certificates; this means a user can end up with two wallets installed at once, the genuine one and the Trojan. ESET considers the iOS vector less of a threat, since most users rely on App Store verification for their apps.


ESET advises cryptocurrency investors and traders to install wallet apps only from trusted sources, following the links on the exchange’s or company’s official website.

In February, Google Cloud unveiled its Virtual Machine Threat Detection (VMTD) system, which scans for “cryptojacking” malware, software that hijacks a machine’s computing resources to mine cryptocurrency.

According to a January Chainalysis report, cryptojacking accounted for 73% of the total value received by malware-related wallets and addresses between 2017 and 2021.

