Clipper App Has Been Stealing Cryptocurrency, And Google Play Just Got Caught Hosting It
Google Play has been caught in the past with malicious cryptocurrency apps on its platform, and it seems to have become the host of yet another one – Clipper.
Clipper was designed to steal cryptocurrency from its users, according to reports from researchers on Friday. According to a report from ArsTechnica,
“The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers, a researcher with Eset said in a blog post. As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers.”
Although this report is new, the malware has actually been around since 2017, at the latest. It went after Windows users back then, though there was a report last year regarding a botnet known as Satori.
Satori was updated at the time to perform essentially the same function, going after computers that mine for cryptocurrency. In August, more information began to circulate about the clipper malware being hosted on multiple third-party platforms for downloading apps.
Concealing the name of the malware, the clipper was listed on Google Play as MetaMask, designed as a browser that makes it possible for Ethereum coins to work on corresponding apps. The goal was to take the user's credentials, giving the cybercriminal the ability to control the user's Ethereum cryptocurrency. The user's wallet addresses were replaced with the attacker's wallets as well.
One of the researchers on this topic, Lukas Stefanko, explained, “This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app—only add-ons for desktop browsers such as Chrome and Firefox.”
Continuing, the researcher reveals that this app has been on Google Play before, but the effects were not as severe as this instance. He said,
“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds.”
The app was added to Google Play on February 1st, but the new research forced Google to pull it from its platform. This is the first time that Google Play has been left open to hosting the clipper malware on its platform.
However, this is a sign that Google Play is not a trustworthy source to protect users from malware, leaving the user of the device in charge of attempting to filter out the fraudulent applications.
Before downloading any app, it is important to visit the website of the creator to check its validity. MetaMask, for example, shows no information about the app being listed as compatible with Android, which should have been Google’s first sign to not list it.
Another tip that ArsTechnica offers is to focus on using only apps that have 100,000 downloads and above, though this action alone will not be an adequate way to filter out the apps that could shatter the safety of simply using a smartphone.