Source code for a crypto wallet app scam is openly available, while even an official app store hosted trojanized wallet apps…

Users of wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey, whether on an Android or an iOS device, should be aware that trojanized versions of these wallet apps can circumvent typical cybersecurity measures.

A sophisticated malicious cryptocurrency scheme has been discovered targeting crypto wallet users by luring them to download or update the wallet app from over 40 “copycat” (i.e., fake) websites that emulate the legitimate websites.

In turn, these fake websites are promoted with ads placed on legitimate sites through misleading articles or clickbait.

Once the malicious versions of wallet apps are installed, the users’ funds are as good as gone.

So far, ESET Research, which disclosed its investigation of this scheme, has seen it mainly targeting Chinese users. However, as cryptocurrency usage gains popularity, the firm expects this scheme and related techniques to spread to other markets. Moreover, the source code of this threat appears to have been leaked and shared on a few Chinese websites, which might attract other threat actors and spread the threat even further.

Multiple avenues of attack

Trojanized apps do not always have to be hosted on spoofed websites. According to the firm’s researcher Lukas Stefanko, who discovered the scheme: “We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play Store.” Google had to be informed before they removed the malicious applications. This implies that new malicious apps may continue to be added to the platform without being noticed.

For iOS users, the malicious apps are not currently available on the App Store, but they can be downloaded and installed via configuration profiles that add an arbitrary trusted code-signing certificate. Such configuration profiles can lurk in email attachments, on phishing websites and as files on web pages. Once iOS users are tricked into installing the configuration profile, it is Game Over.
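As an added, defensive example that is not part of the article or of ESET's research: a small Python audit that parses a `.mobileconfig` profile and flags any payload that installs a certificate into the device trust store, which is the mechanism described above. The two sample profiles and their payload identifiers are constructed for the demonstration; the payload type names are Apple's real ones.

```python
import plistlib
import uuid

# Payload types that add a certificate to the device trust store. A profile
# carrying one of these is how arbitrary code can become trusted on iOS.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",    # root CA certificate
    "com.apple.security.pkcs1",   # DER-encoded certificate
    "com.apple.security.pem",     # PEM-encoded certificate
    "com.apple.security.pkcs12",  # identity: certificate plus private key
}

def audit_profile(profile_bytes: bytes) -> list[dict]:
    """Return one finding per certificate-installing payload in a profile.

    Expects the plain XML plist form. A signed profile is a CMS/PKCS#7
    envelope and must be unwrapped (e.g. with openssl smime) before parsing.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in CERT_PAYLOAD_TYPES:
            findings.append({
                "profile": profile.get("PayloadDisplayName", ""),
                "type": ptype,
                "identifier": payload.get("PayloadIdentifier", ""),
                "cert_bytes": len(payload.get("PayloadContent", b"")),
            })
    return findings

def _profile(display_name: str, payloads: list[dict]) -> bytes:
    """Build a constructed (not real) profile so the example runs offline."""
    for p in payloads:
        p.setdefault("PayloadUUID", str(uuid.uuid4()))
        p.setdefault("PayloadVersion", 1)
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": "example.constructed." + display_name.lower().replace(" ", "-"),
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })

# Constructed samples: a harmless Wi-Fi profile and one that plants a trust root.
BENIGN_PROFILE = _profile("WiFi", [{
    "PayloadType": "com.apple.wifi.managed", "PayloadIdentifier": "example.constructed.wifi",
    "SSID_STR": "corp-guest", "EncryptionType": "None"}])
SUSPECT_PROFILE = _profile("Wallet Update", [{
    "PayloadType": "com.apple.security.root", "PayloadIdentifier": "example.constructed.rootca",
    "PayloadContent": b"NOT-A-REAL-CERTIFICATE"}])  # placeholder bytes, not DER

if __name__ == "__main__":
    for blob in (BENIGN_PROFILE, SUSPECT_PROFILE):
        for f in audit_profile(blob):
            print(f"FLAG {f['profile']!r}: {f['type']} ({f['cert_bytes']} bytes)")
```

Only the second profile is flagged; the Wi-Fi profile produces no findings.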

Another avenue for luring crypto wallet users is messaging platforms. On Telegram, ESET has found dozens of groups promoting malicious copies of cryptocurrency mobile wallets. Starting in October 2021, these Telegram groups were shared and promoted in at least 56 Facebook groups with the same goal: to recruit more distribution partners. In November 2021, two legitimate Chinese websites were spotted distributing malicious wallet apps.

Besides these distribution vectors, dozens of other counterfeit wallet websites are targeting mobile users exclusively.

No mobile platform is spared

The trojanized wallet apps attack both Android and iOS devices, and they have the same functionality as the original apps. However, depending on the operating system they are installed in, the malicious apps behave differently.

On Android, the apps appear to target new cryptocurrency users that do not yet have a legitimate wallet application installed on their devices. On iOS, the victims can have both versions installed: the legitimate one from the App Store and the malicious one from a malicious website.

At this point, ESET believes that this scheme is likely the work of one criminal group. Added Stefanko: “These malicious apps also represent another threat to victims. As some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection, this means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network!”