The crypto world is yet again beset by criminal activity as the first clipper malware has been found on Google Play.
WeLiveSecurity, the research blog of security software firm ESET, explains that this class of cryptocurrency stealer swaps a wallet address placed in the clipboard for one the attacker controls. Until now it had been seen only on Windows or in “shady” third-party Android app stores.
The clipper ESET found lurking in the Google Play store, detected as Android/Clipper.C, impersonates a legitimate service called MetaMask.
The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. It can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.
As WeLiveSecurity explains, addresses of online cryptocurrency wallets are, for security reasons, long strings of characters.
Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware, known as a “clipper”, takes advantage of this.
It intercepts the content of the clipboard and surreptitiously replaces it with content of the attacker’s choosing.
In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.
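The following block models the swap described above in Python, as an added illustration; it is not ESET’s analysis code nor the malware’s own code, which on Android would hook the system clipboard through a clipboard-change listener. It shows the two halves a practitioner cares about: the attacker side (recognise a Bitcoin or Ethereum address in whatever text lands in the clipboard and substitute a same-type address) and the defensive side (Base58Check validation of a Bitcoin address, and a comparison of what was copied against what is about to be pasted). The addresses are constructed for the demo; the checksum check is there to make the point that the attacker’s substitute is a perfectly valid address, so format validation alone is no defence.

```python
"""Model of a clipboard clipper and the checks that catch it.
Added illustration; not code from ESET or from Android/Clipper.C."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes a clipper looks for: Bitcoin legacy/P2SH (base58, starting
# with 1 or 3), Bitcoin bech32 (bc1...) and Ethereum (0x + 40 hex digits).
ADDRESS_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"
    r"|bc1[02-9ac-hj-np-z]{25,62}"
    r"|0x[0-9a-fA-F]{40})\b"
)


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True if addr is a 25-byte Base58Check string with a correct checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:
        return False
    body, chk = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == chk


def clipper_swap(clipboard_text: str, attacker: dict) -> str:
    """Attacker side: on every clipboard change, replace each recognised wallet
    address with the attacker's address of the same kind ('btc' or 'eth').
    Addresses of a kind the attacker has no substitute for are left alone."""
    def substitute(m: re.Match) -> str:
        found = m.group(0)
        kind = "eth" if found.startswith("0x") else "btc"
        return attacker.get(kind, found)
    return ADDRESS_RE.sub(substitute, clipboard_text)


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defensive side: the address about to be sent to must be the one the user
    copied, character for character. Checksum validity does not help here,
    because the attacker's substitute is itself a well-formed address."""
    return copied.strip() != pasted.strip()


if __name__ == "__main__":
    # Constructed demo addresses (hashes of fixed strings, not real recipients).
    victim_btc = b58check_encode(0x00, hashlib.sha256(b"victim").digest()[:20])
    attacker = {
        "btc": b58check_encode(0x00, hashlib.sha256(b"attacker").digest()[:20]),
        "eth": "0x" + "de" * 20,
    }
    copied = f"please pay {victim_btc}"
    in_clipboard = clipper_swap(copied, attacker)
    print("copied   :", copied)
    print("clipboard:", in_clipboard)
    print("attacker address passes checksum:", b58check_valid(attacker["btc"]))
    print("tampered :", paste_is_tampered(copied, in_clipboard))
```

The regex is deliberately loose (it accepts any plausible-looking address), which is how a clipper behaves: it only needs to catch the victim’s address, and a false positive costs the attacker nothing. The defensive comparison is the check that matters in practice, which is why the advice to re-read the full pasted address, rather than just its first and last characters, stands.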
This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in “shady” third-party Android app stores in the summer of 2018.
There is good news as the firm reported the discovery to the Google Play security team, who removed the app from the store.
Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds.
In terms of advice to stay safe from clippers and other Android malware, WeLiveSecurity recommends keeping Android devices updated and sticking to the official Google Play store when downloading apps.
In addition, always check the official website of the app developer or service provider for the link to the official app. If there is not one, “consider it a red flag and be extremely cautious to any result of your Google Play search”.