Researchers have uncovered dozens of trojanized cryptocurrency wallet apps performing malicious activities. The goal of these apps is to steal cryptocurrency funds, especially from Chinese users.
The fake apps operation
ESET researchers have revealed over 40 copycat websites of popular cryptocurrency wallets.
- These impersonated websites are promoted via ads placed on legitimate sites, along with adverts posted in various Telegram and Facebook groups.
- The malicious apps act differently based on the target’s operating system, specifically smartphone devices running Android or iOS.
- For both platforms, downloaded apps work as fully working wallets and victims would not notice any difference.
- The attackers have most probably repackaged the legitimate wallet apps with additional malicious code.
Some of the malicious apps send secret victim-seed phrases to the attackers’ server using an unsecured HTTP connection. Thus, the attackers can eavesdrop on the victims.
Timeline of the campaign
Researchers were able to trace the campaign back to May 2021.
- The attackers started creating dozens of Telegram groups advertising fake cryptocurrency mobile wallets apps from May 2021.
- These Telegram groups were advertised on 56 Facebook groups with the goal of recruiting or hiring more distribution partners for the apps.
- In November 2021, the distribution of malicious wallets was discovered using two genuine Chinese websites.
According to sources, the cybercriminals behind this scheme are most likely operating from China.
The growing popularity of cryptocurrencies is motivating cybercriminals to create fake wallet apps. Smartphone users are suggested to stay vigilant and use genuine mobile wallets and exchange apps downloaded from official app stores explicitly associated with their official websites.