The malware, described as a “Clipper,” masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.
Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.
The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency.
To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.
Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is not yet launched on any mobile app stores.
However, Stefanko spotted the malicious MetaMask app on Play Store targeting users who want to use the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.
As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker’s wallet address pasted by the malicious app.
“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” Stefanko said.
“Android Clipper targeted Bitcoin and Ethereum cryptocurrency addresses when being copied in to clipboard and replaced them with the attacker’s wallet address. Once this transaction is sent, it can not be canceled.”
Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on Play Store, shortly after its introduction to the app store on February 1.
Google took down the malicious app almost immediately after being notified by the researcher.