Researchers at ESET have discovered a new strain of cryptocurrency-stealing malware, dubbed Clipper, on the Google Play Store. The findings were reported to the Play Store team, which took the app down on February 1st.
Clipper was found hidden inside an Android app that impersonated a legitimate service known as MetaMask — a browser extension that allows Ethereum-based apps to run in a browser without running a full Ethereum node. The app itself was fake, as MetaMask does not have a mobile application yet.
The malware uses a very simple trick to steal cryptocurrency. Because funds are sent to a long, unique string of characters known as a wallet address, a sender has to enter the recipient’s wallet address in the app to make a transaction.
Instead of manually typing these long and complicated addresses, users generally copy and paste them — this is where Clipper steps in. It monitors the system’s clipboard and looks for values that look like a target address.
On detection, it changes the address to the malware author’s address and if the victim completes the transaction without noticing the change, the currency gets deposited in the attacker’s account instead.
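The swap described above leaves a recognisable trace if clipboard writes are logged: an address-shaped value is overwritten by a different address of the same format, by an app the user was not interacting with, moments after the user copied it. The detector below is an added example written for this article; it is not ESET's code or anything from the malware, and the clipboard event log, the `writer` field and the package names are constructed assumptions standing in for whatever clipboard audit source a platform actually provides.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Address shapes a clipper watches for. These are the public address formats
# (hex Ethereum addresses, legacy Base58 Bitcoin addresses); a defender needs
# the same recognisers to tell a benign clipboard write from a suspicious one.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return which address format `text` matches, or None if it is not an address."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


@dataclass
class ClipEvent:
    """One clipboard write. `writer` is the package that set the clipboard
    (hypothetical field; a real source would be the platform's clipboard audit)."""
    ts: float       # seconds
    writer: str
    content: str


def detect_substitutions(events: Iterable[ClipEvent],
                         trusted_writers: set,
                         window_s: float = 5.0) -> List[dict]:
    """Flag the clipper pattern: an address-shaped clipboard value is replaced
    by a *different* address of the same format, by a writer the user did not
    interact with, within `window_s` seconds of the original copy."""
    alerts = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        kind = address_kind(ev.content)
        if (prev is not None
                and kind is not None
                and address_kind(prev.content) == kind
                and ev.content != prev.content
                and ev.writer not in trusted_writers
                and ev.ts - prev.ts <= window_s):
            alerts.append({
                "ts": ev.ts,
                "kind": kind,
                "writer": ev.writer,
                "original": prev.content,
                "replacement": ev.content,
            })
        prev = ev
    return alerts


# Constructed sample log (not real data): the second line is the clipper swap.
TRUSTED_WRITERS = {"com.example.wallet", "com.example.notes"}
SAMPLE_EVENTS = [
    ClipEvent(100.0, "com.example.wallet", "0x" + "ab" * 20),      # user copies recipient
    ClipEvent(101.2, "com.example.fakewallet", "0x" + "cd" * 20),  # background app rewrites it
    ClipEvent(200.0, "com.example.notes", "meeting at 10"),        # ordinary text, ignored
    ClipEvent(300.0, "com.example.wallet", "1" + "A" * 30),        # user copies a BTC address
    ClipEvent(420.0, "com.example.wallet", "1" + "B" * 30),        # another copy two minutes later: benign
]


if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_EVENTS, TRUSTED_WRITERS):
        print(f"[{alert['ts']:.1f}] {alert['kind']} address rewritten by {alert['writer']}: "
              f"{alert['original'][:10]}... -> {alert['replacement'][:10]}...")
```

The rule is a heuristic, not proof: a user who copies two recipient addresses in quick succession from an untrusted app would also trip it, so the alert is a prompt to compare the pasted address against the intended one before confirming the transaction, which is the check the article's victim skipped. On the platform side, newer Android releases already stop background apps from reading the clipboard, which removes the easy version of this attack but does not replace the habit of verifying the address you are about to send to.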
Because Clipper watches the clipboard, it can also capture a user’s credentials and private keys whenever they are copied to the clipboard. With that information, the attackers can simply impersonate the user and transfer the funds directly and irreversibly.
This is why cryptocurrency users are advised to store most of their balance in offline cold-storage wallets, and only keep a minimum balance on mobile wallets for daily transactions.