Ethereum Stealing Malware Caught Hiding in Google’s Android App Store

Malware making it to the Google Play Store isn’t a new thing, but an ESET security researcher recently came across what’s likely the first clipper malware on Android.

Detected by ESET as Android/Clipper.C, the clipper malware was published in the Google Play Store on February 1 and tried to sabotage Ethereum transfers by replacing the wallet addresses in the clipboard with the ones of its creator.

Basically, whenever users tried to transfer digital coins to someone else and copied the recipient's wallet address to the clipboard, the malware kicked in and replaced this address with the one belonging to its developer.

When the transfer was complete, the funds ended up with the malware author, ESET explains in a technical analysis of the malware. The clipper malware also tried to steal the credentials required to manage Ethereum funds.

“This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app—only add-ons for desktop browsers such as Chrome and Firefox,” ESET security researcher Lukas Stefanko explains.

Infected app already removed

The malware has already been reported to Google, which removed the app from the Google Play Store. But ESET’s security researcher warns that cryptocurrency-stealing malware is getting more complex and gaining new capabilities that help it hide its purpose.

“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” the analysis shows.

The researcher recommends that users stick with more popular apps that have a larger number of downloads, and also check the official website of the developer to make sure the app they want to install is legitimate.

