The influx of new investors into the crypto space has given cybercriminals new opportunities to target unsuspecting individuals. Eset security researchers have discovered 40 knockoffs of popular cryptocurrency wallets. These fake wallet apps carry trojans designed to steal all your crypto assets.
These malicious apps were able to steal victims’ secret seed phrases (the passphrases used to access a crypto wallet) by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.
For the uninitiated, a crypto wallet is where all your cryptocurrency is held, including your tokens or coins and non-fungible tokens (NFTs). A crypto wallet can be accessed using a so-called seed phrase, which is equivalent to a password or passcode. Hackers want to obtain your seed phrase because once they have it, they can steal all your crypto assets.
Distribution channel: Telegram, websites
Telegram is a widely used messaging platform. It has also become a hub for pirated files and documents, and a popular spot for crypto enthusiasts to get updates on an upcoming airdrop, token, or NFT. However, the messaging platform is now being used by hackers to promote malicious copies of such crypto wallets.
“We believe these groups were created by the threat actor behind this scheme, who is looking for additional distribution partners and suggesting options such as telemarketing, social media, advertising, SMS, third-party channels, fake websites, etc.,” Eset researchers said in a blog post. It is worth noting that all identified groups communicated in Chinese.
These Telegram groups serve as a sales channel. According to Eset researchers, any person who distributes this malware is offered a 50 percent commission on the stolen wallet contents.
The malicious wallets were also spread outside Telegram, via two legitimate websites targeting users in China. On these websites, researchers found up to six articles in the “Investment and Financial Management” category promoting cryptocurrency mobile wallets through copycat websites that tricked users into downloading malicious mobile applications presented as legitimate and reliable. These posts misuse the names of legitimate cryptocurrency wallets such as imToken, Bitpie, MetaMask, TokenPocket, OneKey, and Trust Wallet.
Targeting Android and iOS users
Hackers seem to target Android and iOS users differently. On Android, hackers are targeting new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. That is, if the official wallet is already installed on an Android smartphone, the malicious app cannot replace it, because Android only allows a package to be replaced by one signed with the same key, and the key used to sign the fake app is different from that of the legitimate app. This is the standard Android app security model, under which a non-genuine version of an app cannot replace the original.
However, on iOS, the victim can have both versions installed – the legitimate one from the App Store and the malicious one from a website.
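To make the Android behaviour described above concrete, here is a simplified Python model of the same-signer rule, added as an illustration and not taken from the Eset report or from Android's own PackageManager code. The package name, the two certificate fingerprints and the pinned-fingerprint table are constructed for the example; the error code `INSTALL_FAILED_UPDATE_INCOMPATIBLE` is the one Android reports when a package with the same name but a different signing certificate is installed over an existing one.

```python
from dataclasses import dataclass

# Constructed signer fingerprints for illustration only (hex SHA-256 of a certificate).
LEGIT_KEY = "aa" * 32  # signing certificate of the genuine wallet (constructed)
FAKE_KEY = "bb" * 32   # signing certificate used by the knockoff (constructed)

# Hypothetical package name shared by the genuine app and its impostor.
WALLET_PKG = "com.example.wallet"


@dataclass(frozen=True)
class Package:
    """An APK as the installer sees it: package name plus signer fingerprint."""
    name: str
    signer_sha256: str


class AndroidDevice:
    """Simplified model of Android's same-signer rule (not the real PackageManager)."""

    def __init__(self) -> None:
        self.installed: dict[str, Package] = {}

    def install(self, pkg: Package) -> str:
        existing = self.installed.get(pkg.name)
        if existing is not None and existing.signer_sha256.lower() != pkg.signer_sha256.lower():
            # Same package name, different signing key: Android refuses the replacement.
            return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
        self.installed[pkg.name] = pkg
        return "INSTALL_SUCCEEDED"


def signer_matches(pkg: Package, known_good: dict[str, str]) -> bool:
    """Defender-side check before sideloading: compare the APK's signer
    fingerprint with a fingerprint pinned for that package name."""
    expected = known_good.get(pkg.name)
    return expected is not None and expected.lower() == pkg.signer_sha256.lower()


def scenario_fresh_device() -> str:
    """New user without the official wallet: the knockoff installs unopposed."""
    device = AndroidDevice()
    return device.install(Package(WALLET_PKG, FAKE_KEY))


def scenario_official_installed() -> str:
    """Official wallet already present: the knockoff cannot replace it."""
    device = AndroidDevice()
    device.install(Package(WALLET_PKG, LEGIT_KEY))
    return device.install(Package(WALLET_PKG, FAKE_KEY))


if __name__ == "__main__":
    pinned = {WALLET_PKG: LEGIT_KEY}  # constructed allowlist of trusted signers
    print("fresh device:", scenario_fresh_device())
    print("official installed:", scenario_official_installed())
    print("knockoff passes pin check:", signer_matches(Package(WALLET_PKG, FAKE_KEY), pinned))
```

The two scenarios show why the Android campaign targets newcomers: the same-signer rule only protects a user who already has the genuine app. The `signer_matches` check is the manual equivalent for anyone who must sideload an APK, comparing the signer fingerprint (as printed by `apksigner verify --print-certs`) against one obtained from the publisher's official channel.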
Eset researchers advise users to download and install apps only from official sources such as the Google Play Store or Apple’s App Store. For iOS devices, the recommended precautions are to download apps only from the official App Store, to take extra care when accepting configuration profiles, and to avoid jailbreaking the device.