Clipper Cryptowallet Switcher Trojan App, Quickly Deleted From Google Play Store
It is once again highlighted in the news, the need for Android users to only source their apps from the official Google Play Store. This is in the wake of Google’s removal of a fake DApp MetaMask from Google Play, as it is loaded by ‘Clipper’, a known trojan that steals cryptocurrency wallet addresses. Google Play Store does not have a perfect procedure in vetting newly submitted apps from developers, but it is better than randomly downloading .apk files from websites.
Once installed, the Clipper trojan monitors the Android clipboard and automatically switch the crypto wallet, hence the virus author itself gets to receive the fund transfers. “The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker,” explained Lukas Stefanko.
The good news is Google has actioned it as quickly as possible, the app containing the trojan has been removed from the Play Store almost immediately. The offending app was initially detected as uploaded to the Play Store just last Feb 1, 2019. The danger imposed by this malware is encompassing, even beyond the mobile platforms, as the trojan can be repackaged to infect a PC, or even an iOS as a browser-based cryptocurrency mining trojan.
“This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app – only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” added Stefanko.
The trojan uses the following BTC Address and ETH wallet address in order to swap for the user’s legitimate crypto wallet.
It is not rocket science to on-the-fly change the genuine user’s cryptowallet to the wallet of the virus authors:
BTC address: 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA
ETH address: 0xfbbb2EF692B5101f16d3632f836461904C761965
Eset has issued the below tips in order to prevent future similar infection in the Android platform: (Direct quote from their site)
- Keep your Android device updated and use a reliable mobile security solution
- Stick to the official Google Play store when downloading apps…
- …however, always check the official website of the app developer or service provider for the link to the official app. If there is not one, consider it a red flag and be extremely cautious to any result of your Google Play search
- Double-check every step in all transactions that involve anything valuable, from sensitive information to money. When using the clipboard, always check if what you pasted is what you intended to enter.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.