Eset security researchers have uncovered a fake app in Google Playstore whose creator aimed for the crypto credits of careless users. The app was an Android version of the browser add-on Metamask, which allows the use of web services with blockchain backend – so-called Dapps. The malware should steal credentials such as seeds and private keys to Ethereum. It should also monitor whether Bitcoin or Ethereum addresses end up in the clipboard and replace them with malware creator addresses. Cryptogeld addresses usually consist of longer strings that are not optimized for human readability. In a transaction, most crypto-user users copy and paste the destination addresses into the wallet application. If, unnoticed, a false address is underlined and the transaction is finally recorded in the block chain, users have virtually no opportunity to retrieve the money.
According to Eset, it is the first known clipper – so called malicious software that manipulates the clipboard – which has found its way into Google’s Play Store. Shortly after appearing in the Playstore on the first of February, the fake app was discovered and reported to Google’s security team, which immediately removed the malware. It was also not the first malware in the Playstore, posing as Metamask. It seems worth comparing this with the official site of the project. So far, there are still no mobile applications recorded there. The Eset researchers have also publicized the addresses that should underline the malware users. It is the Bitcoin address 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA and the Ethereum address 0xfbbb2ef692b5101f16d3632f836461904c761965. Both have not registered any cash receipts this year. The fake app was probably leaked fast enough before anyone could fall into the trap.