Clipper Malware Exploited the MetaMask App in Google Play Store

Cryptocurrency and its underlying technology, blockchain, are regarded by many as a secure way of storing wealth, and for good reason. A blockchain ledger is hard for a criminal to tamper with. Each wallet is identified by a unique address, a long string of characters derived from the owner's public key, so no two wallets on a chain share an address.

Furthermore, only the holder of the matching private key can spend from a wallet. Cybercriminals have therefore changed tactics: they have moved from cryptomining malware to tricking users into sending cryptocurrency straight to an attacker's wallet. This form of attack is known as "clipper" malware because it replaces a wallet address the victim has just copied to the clipboard with the criminal's wallet address.

Crypto wallet addresses are long, hard-to-read strings of characters, so wallet owners copy and paste them instead of typing them out on every transaction. A clipper watches the clipboard and, whenever the copied text looks like a wallet address, silently replaces it with the attacker's address. When the victim pastes, the attacker's address appears in the recipient field, and since two addresses are almost impossible to compare at a glance, the transaction is signed and sent to the criminal's wallet. The substituted address is perfectly valid, so the wallet software raises no error; only a comparison against the address the user intended reveals the swap.
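The following Python script is an added example, not code from the original article or from ESET's analysis. It simulates what a clipper does to the clipboard and then shows why checksum validation alone does not catch it: the attacker's address passes the Base58Check test just like the victim's. The addresses are constructed for illustration (two well-known public Bitcoin addresses stand in for the victim's and the attacker's, and the Ethereum address is a made-up hex string); the Ethereum check is purely syntactic because EIP-55 checksums need Keccak-256, which is not in the standard library.

```python
"""Simulated clipper malware beside a simple paste guard (added example)."""
import hashlib
import re

# Constructed for this example: well-known public addresses standing in for
# the attacker's wallets. Not addresses tied to any real clipper campaign.
ATTACKER_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # Bitcoin genesis address
ATTACKER_ETH = "0x" + "ab" * 20                        # made-up hex string

# Patterns a clipper uses to recognise something worth replacing.
BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$|^bc1[ac-hj-np-z02-9]{6,87}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def clipper_rewrite(clipboard: str) -> str:
    """What a clipper does on every clipboard change: swap addresses, pass
    everything else through untouched so the user notices nothing."""
    text = clipboard.strip()
    if ETH_RE.fullmatch(text):
        return ATTACKER_ETH
    if BTC_RE.fullmatch(text):
        return ATTACKER_BTC
    return clipboard


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; leading '1' characters encode leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_legacy(addr: str) -> bool:
    """Base58Check test for a legacy (1.../3...) Bitcoin address:
    25 bytes = version + 20-byte hash160 + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def fingerprint(addr: str) -> str:
    """The manual check users are told to do: compare the first and last
    few characters of the address they see against the one they expect."""
    return f"{addr[:6]}...{addr[-6:]}"


def simulate_paste(intended: str) -> dict:
    """Copy `intended`, let the clipper touch the clipboard, then paste.
    Returns what each layer of defence would see."""
    pasted = clipper_rewrite(intended)
    return {
        "pasted": pasted,
        # A checksum check alone says nothing: the attacker's address is valid too.
        "passes_checksum": is_valid_btc_legacy(pasted),
        # Only comparing against the intended destination reveals the swap.
        "matches_intended": pasted.strip() == intended.strip(),
        "fingerprint_seen": fingerprint(pasted),
        "fingerprint_expected": fingerprint(intended),
    }


if __name__ == "__main__":
    victim_addr = "12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX"  # constructed victim target
    for label, value in simulate_paste(victim_addr).items():
        print(f"{label:22s} {value}")
```

Running the script shows that the pasted address passes the Base58Check test yet does not match the intended destination. The practical lesson is the one in the prose: a wallet app cannot tell a swapped address from a real one by validation alone; the user (or the sending application, if it remembers what was copied) has to compare the pasted value with the intended one.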

Clipper malware was first seen in 2017 on Windows, where it was also offered for sale on underground hacking forums, but it did not spread widely until 2018, when it surfaced in unofficial third-party Android app stores. In February 2019 it turned up where it had not been seen before: the official Google Play Store.

The malicious app was uploaded to Google Play in February 2019 and impersonated MetaMask, a browser extension that lets users interact with Ethereum dApps without running a full Ethereum node. MetaMask had no official mobile app at the time, which made a fake one all the more plausible.

Android/Clipper.C posed as a mobile version of MetaMask. In reality it was built to steal the victim's credentials and private keys, giving the attacker full control over the victim's Ethereum account, and to monitor the clipboard, replacing any copied Bitcoin or Ethereum wallet address with one controlled by the attacker. Although MetaMask itself only works with Ethereum, the clipper targeted both currencies. Fortunately, ESET researchers spotted the app and reported it to the Google Play security team, which promptly removed it from the store.

Even so, Android users are advised to take precautions against this type of malware.
