
New backdoor cloning campaign sneaks into mobile wallets, steals cryptocurrency

Confiant researchers reported finding malware used to steal cryptocurrency via backdoor versions of Apple iOS and Android Web3 wallets. Pictured: A poster with the Bitcoin logo is on display at the Thailand Crypto Expo on May 14, 2022, in Bangkok. (Photo by Lauren DeCicca/Getty Images)

A newly uncovered malware campaign sends fraudulent versions of legitimate sites to mobile wallets in order to ultimately steal users’ cryptocurrency.

Digital advertising security company Confiant reported in a June 12 blog that it found a widespread campaign where “backdoor versions” of Apple iOS and Android Web3 wallets have been breached by cloned ads for real web sites. When the fraudulent links are downloaded by a user, the malware not only compromises the use of the real financial applications, but exfiltrates “seed phrases” that are then used to abscond with cryptocurrency held by the victims, the blog said.

According to Confiant’s blog, researchers said that SeaFlower is “the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.”

“Cryptocurrency is rapidly becoming a battlefield for global cyber actors who target crypto owners through multiple channels,” said Chris Olson, co-founder and CEO of The Media Trust, a digital privacy provider. “While many are waking up to the danger of email-based phishing scams, few are prepared for SEO and web-based attacks that target internet traffic and mobile users.”

While it is still unclear who is responsible for mounting what appears to be this very slick malware campaign, Confiant estimated that it is likely a Chinese cybercriminal group, since much of the data connected to the malware is in Chinese and it contains Chinese and Hong Kong-based IP addresses. Indeed, this trojanized malware activity was called “SeaFlower” because by following the path of one of the injected files, researchers found the macOS username “Zhang Haike,” which in turn led to many Chinese-speaking references, including a character in a Chinese novel called “Tibetan Sea Flower.” SeaFlower campaigns have been identified as going as far back as March 2022.

The research indicated that currently SeaFlower is mainly focused on “modify[ing] web3 wallets with backdoor code that ultimately exfiltrates the seed phrase,” targeting Coinbase, MetaMask, TokenPocket and imToken wallets in particular. The Confiant blog also noted that all those wallets can be used safely, “but like any other good and very popular software, they are exposed to modding, reverse engineering, and backdoors.”

James McQuiggan, security awareness advocate at KnowBe4, pointed out that “going after the money is the No. 1 target for cybercriminals.”

And the more sophisticated groups are constantly innovating, “finding new ways to target cryptocurrency ... like doppelganger webpages. Cybercriminals are creating copies and making the wallet appear legitimate when they've designed them to steal credentials and access information,” McQuiggan added. “Since crypto wallets are not federally protected, if a cybercriminal gains access to someone's crypto wallet or account, they can quickly move the funds to their accounts.”

“Hence, applications should only be downloaded from reputable online stores like the Apple App Store or Google Play Store to reduce the risk of installing malicious applications designed to steal from the user,” McQuiggan advised.

For his part, Olson encouraged caution among NFT and crypto users. “This incident has three implications: First, web and mobile devices are growing as threat surfaces. Second, foreign actors can leverage those surfaces to target users around the world. Finally, Web3 may be vulnerable to the same threats that have made Web 2.0 unsafe for years, unless early adopters of the technology commit to minimal standards of digital safety and trust.”
