Cybersecurity firm ESET has exposed a piece of malware, reporting in an official blog post (Feb 8) that it had discovered crypto malware lurking in a fake MetaMask app available on Google Play, the official Android app store.
The malware, named Android/Clipper.C, is designed to steal crypto from users who download the fake MetaMask app from Google Play and use it to transfer funds. Android/Clipper.C intercepts the clipboard content when a user copies a wallet address in order to paste it as the destination of a transfer. It replaces the intended address with the attacker’s, diverting the funds there instead.
“We spotted Android/Clipper.C shortly after it had been introduced at the official Android store, which was on February 1, 2019. We reported the discovery to the Google Play security team, who removed the app from the Store,” ESET wrote on its blog.
Android/Clipper.C impersonates MetaMask, a legitimate service and one of the oldest Ethereum-based decentralized apps around. MetaMask operates as a browser plugin for Firefox or Google Chrome that allows users to make Ethereum transactions through regular websites without needing to run a full Ethereum node.
MetaMask does not have any mobile app version, which is what Android/Clipper.C tried to take advantage of.
ESET noted that methods of pilfering crypto are becoming more sophisticated, and look increasingly authentic. Crypto malware like Android/Clipper.C began appearing in 2017, making its way through Windows platforms and dubious Android app stores before surfacing on Google Play this month.
Several malicious apps have also been caught on Google Play mimicking MetaMask before. However, these merely phished for sensitive information with the aim of gaining access to victims’ crypto funds.
This is not the first time MetaMask has had problems with Google either. Last July, the company’s browser extension was mistakenly removed from the Google Chrome Web Store for five hours before it was restored.
To stay safe from such mobile malware, ESET advises users to keep devices updated and to double-check every step in all crypto transactions, including wallet addresses copied to a clipboard. When copying and pasting account information, ensure that the pasted data matches the copied data to avoid falling victim to Clipper-style attacks.
Browser companies are fighting the battle against crypto-centric malware. For example, EWN reported that new features on Firefox will protect users from possible fingerprinting and crypto mining malware.