
Researchers at Slovak cybersecurity firm ESET have peeled back the layers of a sophisticated cryptocurrency scam targeting Chinese users.
Scammers have created counterfeit versions of legitimate Android and iOS digital wallet apps to redirect cryptocurrency funds. “These malicious apps were able to steal victims’ passphrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket or OneKey,” reported Lukáš Štefanko, senior researcher at Slovak cybersecurity firm ESET. On Android, the Trojan apps targeted users who did not already have the genuine app installed; on iOS, users could end up with both the genuine and the counterfeit app installed.
The counterfeit wallet apps were promoted through fake wallet websites aimed at Chinese users, with intermediaries recruited through Telegram and Facebook groups to dupe visitors into downloading the apps.
When did it start?
Investigations beginning in May 2021 revealed a single criminal group responsible for creating “Trojan horse” wallet apps that copied the functionality of the original apps while incorporating malicious code that redirected cryptocurrency assets. The malicious code was injected into the apps in places that would escape a superficial examination.
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” said Štefanko. This presents a secondary threat, since other criminals eavesdropping on this unsecured connection could also steal the seed phrases.
Hacking can spread, warns expert
ESET found several groups promoting the Trojan apps on the messaging app Telegram and sharing them in 56 Facebook groups. All communication in the Telegram groups was in Chinese. People promoting these apps were promised a 50% cut of the stolen cryptocurrency.
The fake iOS applications were not available on the Apple App Store; they were distributed through malicious websites and installed using configuration profiles not authorized by Apple. Thirteen fake Android apps masquerading as Jaxx Liberty Wallet on Google’s Play Store were removed from the marketplace by Jan. 2022, but not before being installed over 1,000 times. Štefanko said the apps tried to steal the user’s recovery seed phrase and then forward it to a server or a Telegram group.
ESET warns that the threat could reach well beyond its current victims. “Furthermore, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.