ESET’s researchers have discovered the first Android malware on Google Play that can replace the contents of a device’s clipboard. The so-called “clipper” targets Bitcoin and Ethereum cryptocurrency transactions, aiming to redirect the transfer of funds to the attacker’s wallet instead of the intended recipient’s.
“This discovery shows that clippers, which can redirect cryptocurrency amounts, are no longer found in Windows or in ‘suspicious’ Android forums. Now, all Android users must be careful,” comments ESET Malware Researcher Lukáš Štefanko.
The newly discovered clipper is detected by ESET’s security solutions as Android/Clipper.C.
This malware exploits the fact that people making cryptocurrency transactions do not usually type their wallet addresses by hand. Rather than typing them, users tend to copy and paste the addresses via the clipboard. Clipper malware intercepts this step and replaces the copied address with one belonging to the attacker, so the user pastes, and sends funds to, the attacker’s address without noticing.
Clippers first appeared on Windows in 2017. In 2018, ESET researchers discovered three such malicious applications on download.cnet.com, one of the most popular software hosting sites in the world. In August 2018, the first Android clipper was found being sold on hacking forums, and since then this malware has been detected in many illegal application stores.
Until 2019, Android users who only used the official Google Play store were completely safe from clippers. This changed in February 2019, when ESET researchers discovered the first clipper on Google Play.
“Fortunately, we detected this clipper as soon as it appeared on Google Play. We reported this to the Google Play security team, which removed the app from the store,” says Lukáš Štefanko.
The clipper discovered by ESET researchers on the Google Play store imitates a legitimate service called MetaMask. MetaMask lets users run Ethereum decentralized applications in a browser without having to run a full Ethereum node. It is available only as an extension for desktop browsers such as Chrome and Firefox; there is no mobile version.
“There seems to be a demand for a mobile version of MetaMask. Cybercriminals are aware of this demand and are introducing sneaky malware that mimics this service on Google Play,” warns Lukáš Štefanko.
Previously, malware that mimicked MetaMask also targeted users’ Bitcoin or Ethereum funds, but only by trying to trick the user into entering the wallet address into a fake form, thereby revealing this sensitive information to the attacker.
“Once a clipper is installed on the victim’s device, posting money is easy. The victims themselves inadvertently send their money directly to the cybercriminals,” explains Lukáš Štefanko.
With clipper malware appearing on Google Play for the first time, Android users should be even more cautious and follow best practices for mobile security.
To stay safe from clippers and other malware targeting Android, ESET advises users to:
- Keep their Android device up to date and use a reliable mobile security solution.
- Only use the official Google Play store to download apps …
- … but always check the official website of the application developer or service provider for the link that leads to the official app. If no such link exists, treat it as suspicious and be especially careful with any search result on Google Play.
- Thoroughly check every step of any transaction that involves anything of value, from sensitive information to money. When using the clipboard, always verify that what was pasted is what was intended to be entered.
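The clipboard swap described earlier and the last piece of advice (verify that what you pasted is what you meant to enter) can be turned into a concrete paste-time check. The Python below is an added example written for this article; it is not ESET’s code and has nothing to do with the Android/Clipper.C sample itself. It validates a Bitcoin Base58Check address, compares the pasted string against the address the user intended to send to, and runs on a constructed scenario: the well-known Bitcoin genesis block address as the intended recipient, a one-character variant of it standing in for a swapped address, and a second address generated locally from constructed bytes. Ethereum addresses are only shape-checked, because the EIP-55 mixed-case checksum needs Keccak-256, which Python’s hashlib does not provide (its sha3_256 uses different padding).

```python
"""Paste-time sanity checks against clipboard-swapping ("clipper") malware.

Added example, not code from ESET or from the malware described in the
article. All addresses except the genesis block address are constructed.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose shape checks: Bitcoin legacy/P2SH (Base58, 26-35 chars) and Ethereum (hex).
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def base58_decode(s: str) -> bytes:
    """Decode Base58, restoring leading zero bytes (each encoded as '1')."""
    num = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def base58check_encode(payload: bytes) -> str:
    """Append SHA256d checksum and Base58-encode (used to build a test address)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + out


def p2pkh_address(hash160: bytes) -> str:
    """Mainnet P2PKH address: version byte 0x00 + 20-byte hash + checksum."""
    return base58check_encode(b"\x00" + hash160)


def btc_checksum_valid(addr: str) -> bool:
    """Base58Check: last 4 bytes must equal SHA256d of the version+payload."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def classify(addr: str) -> str:
    """Rough address family by shape only; 'eth' is not EIP-55 verified here."""
    if BTC_LEGACY_RE.match(addr):
        return "btc"
    if ETH_RE.match(addr):
        return "eth"
    return "unknown"


def verify_paste(intended: str, pasted: str) -> str:
    """Compare what the user meant to send to with what landed in the field.

    MISMATCH is what a clipper swap looks like at paste time; BAD_CHECKSUM
    catches a corrupted paste but NOT a well-formed attacker address.
    """
    if pasted != intended:
        return "MISMATCH"
    kind = classify(pasted)
    if kind == "unknown":
        return "UNRECOGNISED"
    if kind == "btc" and not btc_checksum_valid(pasted):
        return "BAD_CHECKSUM"
    return "OK"


# Real, public address of the Bitcoin genesis block coinbase output.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed: same string with the final character changed (a corrupted paste).
SWAPPED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
# Constructed: a valid-looking address built from arbitrary bytes; stands in
# for whatever well-formed address a clipper would substitute.
CONSTRUCTED_HASH160 = hashlib.sha256(b"constructed example").digest()[:20]
OTHER_ADDRESS = p2pkh_address(CONSTRUCTED_HASH160)

if __name__ == "__main__":
    cases = [
        ("untouched paste", GENESIS_ADDRESS, GENESIS_ADDRESS),
        ("corrupted paste", GENESIS_ADDRESS, SWAPPED_ADDRESS),
        ("swapped for a valid address", GENESIS_ADDRESS, OTHER_ADDRESS),
        ("corrupted, no reference", SWAPPED_ADDRESS, SWAPPED_ADDRESS),
    ]
    for label, intended, pasted in cases:
        print(f"{label}: {verify_paste(intended, pasted)}")
```

The constructed second address is the important case: it passes the Base58Check checksum, so checksum validation alone cannot tell a swapped address from the real one. Only comparing the pasted value against the address shown by the trusted source catches the swap, which is why the advice above is to read the whole pasted address rather than rely on the wallet app rejecting malformed input.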