The expert analysts and researchers at ESET have just discovered the very first known instance of a new strain of crypto–stealing malware on the Google Play Store. This is called a “clipper.”
Google Play Store took the app down
They have reported the findings to the security team at the Google Play Store, and they quickly took down the malicious app.
Hothardware notes that “The attack uses a remarkably simple trick to part users with their digital funds. Cryptocurrency values are assigned to a long, unique string of characters known as a wallet. In order to make a transaction, a sender typically needs to enter the recipient’s wallet address in their app.”
They continue and explain that “This is similar to how you would put a real-world address on an envelope in order for it to be delivered to the correct location.”
It’s important to know that users will almost never enter the long addresses and they usually prefer copy-pasting them. This is where the clipper malware reportedly steps in.
How does this work?
After you install it, the malware will be monitoring the system’s clipboard.
Once something that looks like a target address is discovered, it changes it to an address operated by the control of the malware.
If the user then decides to submit the transaction without noticing this change, the attacker basically receives all the currency instead.
Clipper is even worse because it’s also able to steal a user’s credentials and private keys off the clipboard.
After the hacker has all the data, they can impersonate the user to siphon funds irreversibly.
This is why crypto experts have been recommending users to store their balance in offline cold storage.
It seems that the malware has been lurking around since back in 2017 and it targeted Windows users. Android variants popped up back in 2018, and the latest malware seems to have been able to sneak in the Store.