A cryptocurrency-stealing malware known as a 'clipper' has been found in the Google Play store. It was hidden inside an app impersonating MetaMask, a browser extension that lets Ethereum-based apps run in the browser without the user having to run a full Ethereum node.
Clipper malware abuses the clipboard. Cryptocurrency apps are especially exposed because wallet addresses are long, random-looking strings that users almost always copy and paste rather than type. The malware watches the clipboard of the infected device for values that look like a wallet address.
When it spots one, it silently replaces the victim's address with the attacker's. If the victim pastes and completes the transaction without checking the destination, the coins go to the attacker instead, and because cryptocurrency transactions cannot be reversed, they are gone.
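The mechanics described above, as an added example (this is illustration code written for this page, not ESET's analysis or the malware's own code): address-shape regexes, the attacker-side substitution, and a defender heuristic that flags a clipboard change which keeps the address shape but alters the value. The regexes, the sample addresses and the function names are assumptions made for the example.

```python
import re

# Shapes of wallet addresses a clipper typically watches for. These regexes are
# constructed approximations for this example; they check format only, not the
# EIP-55 or base58check checksums, so they over-match (which a clipper does not
# mind: a false hit just leaves the victim with an invalid address).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b"),
}

# Constructed sample values (not real wallets).
VICTIM_ETH = "0x" + "1" * 40
VICTIM_BTC = "1" + "A" * 33
VICTIM_CLIPBOARD = f"Pay 0.5 ETH to {VICTIM_ETH} or BTC to {VICTIM_BTC}"
ATTACKER = {
    "eth": "0x" + "2" * 40,
    "btc_legacy": "1" + "B" * 33,
}


def find_addresses(text):
    """Return [(kind, address), ...] for every wallet-looking token in text,
    grouped by kind in ADDRESS_PATTERNS order."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def clipper_swap(clipboard_text, attacker_addresses):
    """Attacker side: rewrite every recognised address to the attacker's
    address of the same kind. Kinds the attacker has no address for are
    left alone. Returns (new_text, [(kind, original_address), ...])."""
    replaced = []
    new_text = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        if kind not in attacker_addresses:
            continue

        def substitute(match, kind=kind):
            replaced.append((kind, match.group(0)))
            return attacker_addresses[kind]

        new_text = pattern.sub(substitute, new_text)
    return new_text, replaced


def detect_swap(before, after):
    """Defender heuristic for a clipboard watcher: a clipboard update that keeps
    the same address shape but changes the value is the clipper's signature.
    Returns [(kind, before_address, after_address), ...].
    Compares addresses pairwise in order, so it assumes the change did not add
    or drop addresses; a real watcher should only run this on clipboard writes
    the user did not make (a change with no copy gesture behind it)."""
    alerts = []
    for (k_old, a_old), (k_new, a_new) in zip(find_addresses(before),
                                             find_addresses(after)):
        if k_old == k_new and a_old != a_new:
            alerts.append((k_old, a_old, a_new))
    return alerts


if __name__ == "__main__":
    swapped, replaced = clipper_swap(VICTIM_CLIPBOARD, ATTACKER)
    print("before:", VICTIM_CLIPBOARD)
    print("after: ", swapped)
    for kind, old, new in detect_swap(VICTIM_CLIPBOARD, swapped):
        print(f"ALERT {kind}: {old} -> {new}")
```

On Android the equivalent hook is `ClipboardManager` with an `OnPrimaryClipChangedListener`; since Android 10 background apps can no longer read the clipboard, which blunts this class of malware but does not stop an app that is in the foreground. For the user, the only reliable defence is to compare the pasted address, start and end, against the one they intended before confirming the transaction.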
The malicious app was discovered by the security company ESET and is the first known clipper to get past Google Play's vetting procedures.
Malware targeting cryptocurrency users has become increasingly prevalent because stolen coins are easy to monetise, compared with more labour-intensive schemes such as ransomware extortion or identity fraud.
There has also been much discussion of 'crypto-jacking', mining coins with the computing power of other people's machines. It reached the mainstream media when it was discovered on the popular torrent site The Pirate Bay, which was running the in-browser miner CoinHive on its pages.
Crypto-jacking is also delivered by email: the user is phished into running an attachment or following a link, and mining software is installed on the victim's computer.