Crypto malware in patched wallets targeting Android and iOS devices

ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets

At the time of writing this blogpost, the price of bitcoin (US$38,114.80) has decreased about 44 percent from its all-time high about four months ago. For cryptocurrency investors, this might be a time either to panic and withdraw their funds, or for newcomers to jump at this chance and buy cryptocurrency for a lower price. If you belong to one of these groups, you should pick carefully which mobile app to use for managing your funds.

Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps. We found trojanized Android and iOS apps distributed through websites mimicking legitimate services . These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.

This is a sophisticated attack vector since the malware’s author carried out an in-depth analysis of the legitimate applications misused in this scheme, enabling the insertion of their own malicious code into places where it would be hard to detect while also making sure that such crafted apps had the same functionality as the originals. At this point, we believe that this is the work of one individual attacker or, more likely, one criminal group.

The main goal of these malicious apps is to steal users’ funds and until now we have seen this scheme mainly targeting Chinese users. As cryptocurrencies are gaining popularity, we expect these techniques to spread into other markets. This is further supported by the public sharing, in November 2021, of the source code of the front-end and back-end distribution website, including the recompiled APK and IPA files. We found this code on at least five websites, where it was shared for free, and thus expect to see more copycat attackers. From the posts we found, it is difficult to determine whether it was shared intentionally or if it leaked.

These malicious apps also represent another threat to…