Researchers have discovered yet another cryptocurrency-stealing Android app on the Google Play Store.
It's a new type of malware described as a "clipper," and it steals sensitive information by taking advantage of how users copy and paste cryptocurrency wallet addresses.
Malicious Android App
As Lukas Stefanko of the security company ESET explains in a report, addresses of cryptocurrency wallets are made up of long strings of characters for security purposes. As a result, users would usually copy and paste them using the clipboard as opposed to typing them out. This behavior is what this "clipper" or Android/Clipper.C, as dubbed by ESET, exploits.
Basically, it replaces the user's legitimate address with the hacker's own address via the clipboard. In other words, the victim likely wouldn't know that they are, in fact, making a deposit into the attacker's wallet instead of their own.
To trick users into installing it, the app disguised itself as an authentic MetaMask app; MetaMask is a service that lets Ethereum dApps run in browsers. Officially, MetaMask is available only as a browser add-on for Chrome, Firefox, Opera, or Brave.
On Feb. 1, the researchers reported the app in question to the security team of the Play Store, who then took it down almost immediately.
Online Safety Tips
Stefanko mentions that this kind of malware first started spreading on the Windows platform in 2017 and soon made it to "shady" Android app stores in the summer of 2018. From the look of things, it's circulating on the Play Store in 2019.
Other phishing apps impersonating MetaMask had already been spotted on the official Android app marketplace before this one. The takeaway here is that malicious apps such as these are becoming more common by the day, and taking safety measures against them is now more of a necessity.
To steer clear of them, Stefanko recommends keeping smart devices updated and installing a trustworthy security app. Downloading apps only through the Play Store might be obvious enough, but considering that this "clipper" malware was hosted on it, users are advised to check whether a developer has an official website; needless to say, if there isn't one, the app is more than likely dangerous. Last but not least, double-checking financial transactions and the like can go a long way.
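The clipboard swap described earlier and the advice to double-check transactions can be turned into two small defensive checks. The following is an added example, not code from ESET's report or from this article. It assumes Ethereum-style addresses ("0x" plus 40 hex characters), clipboard contents sampled as timestamped snapshots, and a 5-second window; all names and sample values are hypothetical.

```python
import re

# Ethereum address shape: "0x" followed by 40 hex characters.
ETH_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(text):
    """Return the lower-cased address if text is exactly one address, else None."""
    text = text.strip()
    return text.lower() if ETH_ADDR.fullmatch(text) else None

def find_swaps(snapshots, window_s=5.0):
    """Flag address -> different address changes within window_s seconds.

    snapshots: list of (timestamp_seconds, clipboard_text), oldest first.
    A user who copies two addresses in quick succession is also flagged,
    so treat a hit as a prompt to re-check, not as proof of malware.
    """
    swaps = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        old, new = normalize(a), normalize(b)
        if old and new and old != new and (t1 - t0) <= window_s:
            swaps.append((t0, t1, old, new))
    return swaps

def check_paste(copied, pasted):
    """Compare the address taken from the trusted source with the pasted one."""
    src, dst = normalize(copied), normalize(pasted)
    if src is None or dst is None:
        return "not-an-address"
    # Full-string comparison; hex case differences are the same address.
    return "match" if src == dst else "replaced"

# Constructed sample data: made-up placeholder addresses, not real wallets.
INTENDED = "0x" + "a1B2" * 10
SWAPPED = "0x" + "dead" * 10
SNAPSHOTS = [
    (0.0, "meeting at 10"),
    (12.0, INTENDED),             # user copies the recipient address
    (12.4, SWAPPED),              # clipboard rewritten 0.4 s later
    (90.0, "0x" + "c3d4" * 10),   # later, unrelated copy: outside the window
]

if __name__ == "__main__":
    for t0, t1, old, new in find_swaps(SNAPSHOTS):
        print(f"clipboard address changed after {t1 - t0:.1f}s: {old} -> {new}")
    print("paste check:", check_paste(INTENDED, SWAPPED))
```

The paste check is the part a user can also do by eye: compare the whole pasted address against the source before confirming the transaction.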