Bitcoin wallet addresses are not something one can memorize and type by hand like a bank account number. They are long strings that look random (in fact an encoded hash with a checksum appended), so users copy and paste them whenever they want to send or request a payment. At the same time, it is evident that few people ever inspect the pasted address for anomalies.
Well, they should start looking.
Copy, Paste and Steal
Google Play recently hosted a malicious app that stole cryptocurrency from victims’ smartphones. A researcher with ESET found that the malware, a so-called “clipper,” intercepted the content of the clipboard and watched for copied wallet addresses. Whenever it saw one, it silently replaced it with an address controlled by the attackers. Because the pasted address looks just as plausible as the one that was copied, victims sent their funds to the attackers’ wallet without noticing.
Clippers had been seen on smartphones before; this sample, detected as Android/Clipper.C, stood out because it imitated the legitimate MetaMask service. Its primary purpose was to steal victims’ credentials and private keys in order to take over their Bitcoin and Ethereum wallets. In addition, Clipper.C monitored the clipboard and replaced copied crypto wallet addresses with the attackers’ own.
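The following Python is an added illustration, not code from the ESET write-up or from Android/Clipper.C itself. It simulates what a clipper does to the clipboard (swap anything shaped like a Bitcoin or Ethereum address for the attacker’s) and shows the check a user or a wallet app could run at paste time: pick out address-shaped strings, verify the Base58Check checksum on legacy Bitcoin addresses, and compare what was pasted against what was copied. The attacker’s addresses are derived from constructed placeholder strings (hypothetical), and the well-known genesis-block address stands in for the intended destination.

```python
"""Clipper simulation plus a paste-time address sanity check.

Added illustration only: not code from the ESET report or from Android/Clipper.C.
Attacker addresses are derived from constructed placeholder strings (hypothetical).
"""
import hashlib
import re
from typing import List, Optional, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes: legacy Bitcoin (Base58Check, starts with 1 or 3), SegWit (bech32,
# starts with bc1, charset excludes 1/b/i/o) and Ethereum (0x + 40 hex digits).
BTC_LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
BTC_BECH32_RE = re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def _checksum(body: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]


def base58check_encode(version: int, hash160: bytes) -> str:
    """Version byte + 20-byte hash + 4-byte checksum, Base58-encoded."""
    body = bytes([version]) + hash160
    body += _checksum(body)
    n = int.from_bytes(body, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zero_bytes = len(body) - len(body.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out  # each 0x00 prefix byte encodes as '1'


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return version+hash160 (21 bytes) if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[:21]


def clipper_rewrite(clipboard: str, attacker_btc: str, attacker_eth: str) -> str:
    """What a clipper does on every clipboard change: swap any recognised
    address for the attacker's and leave the surrounding text untouched."""
    text = BTC_LEGACY_RE.sub(attacker_btc, clipboard)
    return ETH_RE.sub(attacker_eth, text)


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """List (kind, address) for every address-shaped token in the text.
    Legacy Bitcoin addresses are checksum-verified; bech32 and Ethereum are
    matched on shape only (bech32/EIP-55 verification is out of scope here)."""
    found = []
    for m in BTC_LEGACY_RE.finditer(text):
        ok = base58check_decode(m.group()) is not None
        found.append(("btc-legacy" if ok else "btc-legacy-badchecksum", m.group()))
    for m in BTC_BECH32_RE.finditer(text):
        found.append(("btc-bech32", m.group()))
    for m in ETH_RE.finditer(text):
        found.append(("eth", m.group()))
    return found


def paste_looks_swapped(copied: str, pasted: str) -> bool:
    """True when the pasted text carries a wallet address that was not in the
    text the user copied: the signature of a clipper at work."""
    before = {addr for _, addr in find_addresses(copied)}
    after = {addr for _, addr in find_addresses(pasted)}
    return bool(after - before)


# Constructed sample data: attacker addresses derived from placeholder strings,
# the public genesis-block address as the destination the victim meant to pay.
ATTACKER_BTC = base58check_encode(0x00, hashlib.sha256(b"constructed attacker").digest()[:20])
ATTACKER_ETH = "0x" + hashlib.sha256(b"constructed attacker eth").hexdigest()[:40]
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    copied = "pay to " + GENESIS_ADDR
    pasted = clipper_rewrite(copied, ATTACKER_BTC, ATTACKER_ETH)
    print("copied:", copied)
    print("pasted:", pasted)
    print("swapped:", paste_looks_swapped(copied, pasted))
```

Note what the checksum does and does not buy you: it catches a typo or a corrupted paste, but the attacker’s address is itself a perfectly valid address, so checksum validation alone never detects a clipper. Only comparing the pasted address against the one actually copied (or confirming the first and last characters with the recipient out of band) does.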
“This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node,” wrote Lukas Stefanko, a researcher with ESET. “However, the service currently does not offer a mobile app – only add-ons for desktop browsers such as Chrome and Firefox.”
Stefanko and his team spotted the malware on February 1, 2019, and promptly reported it to the Google Play security team, which removed the app.
Repeated Use of MetaMask among Hackers
MetaMask is a browser plugin that lets users interact with Ethereum websites. At installation it generates a 12-word seed phrase for the user. That phrase is entirely the user’s responsibility: losing it means losing access to the wallet, and anyone who obtains it gains full control of the wallet’s funds.
Recently, MetaMask has become a favorite lure for attackers for the same reason: a lack of user education creates security loopholes. It is evident in the malware case discussed above, in which victims blindly trusted an application that merely imitated MetaMask. The same had happened earlier, when MetaMask imitators attempted to steal from the users of websites such as BTC Manager, Games Workshop and Trakt TV.
“The affected sites appear to all use Cloudflare to configure their DNS settings, and this appears to be where the attacker is redirecting the sites to their own imposter sites,” one of the attacked sites reported at the time of the attack. “Since this has affected multiple sites, if you are using Cloudflare, you should be extra vigilant. Some of the sites had 2FA for all of their users, but the settings were updated by API using their API keys.”
Download CoinStats’ cryptocurrency portfolio management app for more updates.