Threat Management, Threat Management, Malware

‘Clipper’ malware that alters crypto wallet addresses slips into Play Store

Google's Play Store unknowingly hosted a fake cryptocurrency app that actually modifies users' crypto wallet addresses once they're copied to the clipboard, researchers are reporting.

This Android-based "clipper" malware, as it's called, secretly changes the wallet address to one hosted by the attackers, allowing them to steal victims' digital coin transactions, explains ESET researcher Lukas Stefanko in a Feb. 8 company blog post.

Clipper malware first came to light in 2017, and found its away into unofficial third-party app stores by 2018, but this is the first-ever case of it sneaking into the Play Store, ESET claims.

Dubbed, Android/Clipper.C, the malware impersonates MetaMask, a legitimate service that allows cryptocurrency users to run Ethereum decentralized apps in a browser without running a full Ethereum node. But here's the problem: MetaMask in real life doesn't actually have an Android app -- only browser-based apps.

"Several malicious apps have been caught previously on Google Play impersonating MetaMask," Stefanko states in his blog post. "However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds," rather than changing content saved to clipboards.

In this case, Android/Clipper.C malware acts has dual functionalities: It can steal victims' credentials and private keys for accessing their Ethereum funds, or it can alter Ethereum and Bitcoin wallet addresses whenever they're saved to an infected device's clipboard. The clipper technique is effective, Stefanko explains, because users frequently cut and paste their long, complicated wallet addresses rather than having to type them out.

ESET says the clipper was added to the Play Store on Feb. 1, adding that Google promptly removed the malware after ESET researchers notified them of the phony app.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.