Clipboard Crypto Malware Moves to Android in Search of New Victims
A new piece of malware uses an old PC trick to attack Android cryptocurrency users.
Researchers at ESET Security have discovered a new malware variant invading Android systems. Known as “Clipper,” it uses a trick PC hackers favored in the past, with the software persistently scanning the clipboard for cryptocurrency addresses and replacing the information with the attacker’s address before the victim sends a payment.
The researchers found this software when looking for copycat apps that imitate MetaMask.
“The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker,” the researchers wrote.
ESET confirmed that Google Play’s security team had removed the app from the store, but the hackers had at least 18 days in which their copycat ran rampant.
According to the researchers, users running any application package named com.lemon.metamask should remove it as soon as possible because this is an indicator of compromise.
The hackers appear to have made off with nothing. Cryptovest’s scan of their wallet addresses (available through ESET’s announcement) showed no transactions since the beginning of 2019. If the malware was active in December, there is one 0.05 BTC transaction that could be tied to it.
Clipboard viruses were common in PCs, where there is no regulated marketplace for applications. In the middle of 2018, one hacker managed to steal over $700 through such a virus.
Perhaps the most famous example of this particular model is a CryptoShuffler variant known as ComboJack, which was used to swipe 23 BTC in total from several victims. At the time of the report, the coins were worth a combined $150,000.
While Google is vigilant when it comes to the security of Android phones, the open nature of the Google Play store gives hackers opportunities to experiment with attack vectors that would have been more difficult in Apple’s more restricted iOS app marketplace.