Malicious apps are being used to steal crypto from iOS and Android users
Lookalike apps mimic the functionality of popular crypto wallets
The antivirus maker and internet security firm ESET has uncovered a sophisticated malicious cryptocurrency scheme that has been targeting mobile users on Android and iOS since May of last year.
The scheme itself is believed to be the work of one criminal group, and it uses malicious apps distributed through fake websites in order to steal Bitcoin and other cryptocurrencies from unsuspecting users. These malicious apps mimic popular cryptocurrency wallets including Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey.
Those behind the scheme place ads on legitimate websites, accompanied by misleading articles, to promote the fake websites that distribute these copycat wallet apps. The cybercriminals have also recruited intermediaries through groups on Telegram and Facebook. The main goal of the scheme is to steal users' funds. So far, ESET Research has mainly observed Chinese users being targeted, but with cryptocurrencies becoming more popular, the firm's security researchers expect the techniques used in it to spread to other markets.
The ESET researcher who discovered the scheme, Lukáš Štefanko, provided further insight on how it works in a press release, saying:
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network. We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store.”
An elaborate scheme
Beginning in May of last year, ESET’s security researchers discovered dozens of trojanized cryptocurrency wallet apps.
What sets this scheme apart from other crypto scams is the fact that the author of the malware carried out in-depth analysis of legitimate crypto apps in order to insert their own malicious code in places where it would be hard to detect. At the same time, they also ensured that the fake apps they created had the same functionality as the originals.
ESET found dozens of groups promoting malicious copies of cryptocurrency wallets on Telegram since May of 2021. Beginning in October of last year, these same Telegram groups were shared and promoted in at least 56 Facebook groups to look for even more distribution partners. Then in November, ESET spotted these fake cryptocurrency wallet apps being distributed on two legitimate Chinese websites.
These malicious apps also behave differently on Android and iOS. On Android, they target new cryptocurrency users who don’t already have a wallet app installed on their devices, while on iOS the victims can have both a legitimate and a malicious wallet app installed.
As the source code of this scheme has been leaked and shared on several Chinese websites, it could attract other cybercriminals to spread it even further. For this reason, users interested in buying, selling and storing cryptocurrencies should only download crypto wallet apps from either the Apple App Store or the Google Play Store.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.