13 Apps Removed As Researchers Uncover Trojan Crypto Wallet Scheme

The trojan scheme has reportedly been in operation since May 2021, and it is targeted at Chinese users via fake websites and social media groups.

A “sophisticated scheme” that disseminates Trojan programs disguised as popular Bitcoin wallets has been discovered by cyber security firm ESET.

The malicious campaign targets mobile devices running Android or Apple's iOS, which are infected when the user installs one of the fake apps.

According to ESET’s research, malicious programs impersonate real crypto wallets such as MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey and are distributed through fraudulent websites.

The firm also uncovered 13 malicious apps on the Google Play Store that imitated the Jaxx Liberty wallet. The offending apps, which had been downloaded over 1,100 times, have since been removed by Google, but many more are still hosted on other websites and social media platforms.

The threat actors spread their wares through Facebook and Telegram groups in order to steal crypto assets from their victims. Since May 2021, ESET claims to have discovered “dozens of trojanized bitcoin wallet apps.” It also noted that the scheme, which it believes is the work of a single gang, was largely aimed at Chinese users via Chinese-language websites.

Other threat vectors, according to Lukáš Štefanko, the researcher who analysed the scheme, include seed phrases being sent to the attacker’s server over insecure connections. He added:

“This means that victims’ funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network.”
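The eavesdropping risk described above is detectable from the network side: a BIP39 seed phrase is a fixed-length run of short lowercase words, so a proxy or packet capture can be checked for such runs in request parameters and bodies, with a cleartext `http://` destination raising the severity. The script below is an added example and not ESET's or the article's code; the HTTP requests it scans are constructed samples, and the word lists in them are invented placeholders rather than real mnemonics.

```python
"""Flag HTTP requests that carry a seed-phrase-shaped value.

Added example, not from ESET or the article. Input is a constructed list
of already-parsed requests; in a real deployment they would come from a
proxy log or a pcap parser.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# BIP39 mnemonics have exactly 12, 15, 18, 21 or 24 words; each wordlist
# entry is 3 to 8 lowercase ASCII letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


def word_runs(text):
    """Split text into maximal runs of consecutive mnemonic-shaped words."""
    runs, current = [], []
    for token in re.split(r"\s+", text):
        if WORD_RE.fullmatch(token):
            current.append(token)
        else:
            if current:
                runs.append(current)
            current = []
    if current:
        runs.append(current)
    return runs


def string_values(obj):
    """Yield every string nested anywhere inside a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from string_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from string_values(value)


def request_text_fields(req):
    """Yield (location, text) pairs worth scanning: query and body fields."""
    for key, values in parse_qs(urlsplit(req["url"]).query).items():
        for value in values:
            yield f"query:{key}", value
    body = req.get("body", "")
    if not body:
        return
    ctype = req.get("headers", {}).get("Content-Type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        # parse_qs turns '+' into spaces, so word runs survive the decoding.
        for key, values in parse_qs(body).items():
            for value in values:
                yield f"form:{key}", value
    elif ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            yield "body", body
            return
        for value in string_values(doc):
            yield "json", value
    else:
        yield "body", body


def scan_requests(requests):
    """Return one finding per field whose word-run length matches a mnemonic."""
    findings = []
    for req in requests:
        cleartext = urlsplit(req["url"]).scheme == "http"
        for location, text in request_text_fields(req):
            for run in word_runs(text):
                if len(run) in MNEMONIC_LENGTHS:
                    findings.append({
                        "url": req["url"],
                        "field": location,
                        "word_count": len(run),
                        "cleartext": cleartext,
                        # Cleartext exfiltration exposes the phrase to anyone
                        # on the path, which is the eavesdropping risk above.
                        "severity": "high" if cleartext else "medium",
                    })
    return findings


# Constructed sample traffic (placeholder hosts and invented word lists).
TWELVE = "apple brave cider delta eagle flame grape honey ivory jolly karma lemon"
TWENTY_FOUR = TWELVE + " mango noble olive pearl quartz river sugar tiger umbra violet whale xenon"
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://wallet-update.example/api/import",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "mnemonic=" + TWELVE.replace(" ", "+") + "&device=android"},
    {"method": "POST", "url": "https://sync.example/backup",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"user": "u1", "seed": TWENTY_FOUR, "os": "ios-15"})},
    {"method": "GET", "url": "https://price.example/quote?symbol=BTC"},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

Only the first two sample requests produce findings; the first is rated high because its destination is plain `http://`. The check is a heuristic (any 12 or 24 short lowercase words will match), so in practice it would be paired with a lookup against the real BIP39 wordlist to cut false positives.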

The fake wallet apps behave differently depending on where they are installed. On Android, the scheme targets users dealing with a new cryptocurrency that they may not have traded before, encouraging them to download the wallet supposedly required for it. On iOS, the apps cannot go through Apple’s App Store, so they are distributed using arbitrary trusted code-signing certificates. This means a user can end up with two wallets installed at the same time, one real and one Trojan, but this is less of a risk because most users rely on App Store verification for their apps.

ESET urges cryptocurrency users and traders to only download wallets from reputable sites that are linked to the crypto exchange or the company’s official website.

Google Cloud announced the Virtual Machine Threat Detection (VMTD) technology in February, which checks for and identifies “cryptojacking” malware that uses resources to mine digital currencies.

Cryptojacking accounted for 73 percent of the total value received by malware-related wallets and addresses between 2017 and 2021, according to a January Chainalysis report.