Cyber criminals are attempting to stealing cryptocurrency from Android and iPhone users by luring them into downloading malicious apps posing as cryptocurrency wallet services.
Cybersecurity researchers at ESET have identified over 40 copycat websites designed to look like those of popular cryptocurrency websites, but that actually trick users into downloading fake versions of the apps containing trojan malware. New cryptocurrency users appear to be targeted in particular. The websites are specifically designed to target mobile users and lure them into downloading the malware.
The attackers use online advertising, posted to legitimate cryptocurrency and blockchain-related websites, to direct traffic to the malicious cryptocurrency wallet downloads.
SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydays
Those behind the attacks – who researchers note communicate in Chinese – also use messaging app Telegram to search for affiliates to help spread the malware, with some of these links also being shared in Facebook groups, complete with step-by-step video tutorials on how the fake wallets work and how to steal cryptocurrency from victims.
Affiliates who help distribute the malware can be offered as much as 50% commission on the stolen contents of cryptocurrency wallets which are successfully compromised.
The malware works differently depending on whether the victim is an iOS or Android user. On Android, it appears to target new cryptocurrency users who do not yet have a legitimate wallet application installed because it's not possible for the malware to overwrite any existing apps on the device because of Android security protocols.
However, on iOS, it's possible for the victim to have both a real app and the fake one installed, so more experienced cryptocurrency enthusiasts could potentially be targeted too, even though in both cases its somewhat cumbersome to download these fake wallets.
SEE: How to keep your bank details and finances more secure online
For Android users, the fake cryptocurrency websites invite the user to 'Download from Google Play', although it actually downloads from the fake site's server. Once downloaded, the app needs to be manually installed by the user. While many of these apps came from third-party sites, ESET researchers say that 13 malicious apps related to the campaign were removed from the Google Play store itself in January.
It's not possible for attackers to upload the malicious apps to Apple's App Store, so instead they're sending potential victims to third-party websites for the downloads. In order to make sure that the malicious apps are successfully installed, alerts and notifications are used to encourage the user to bypass iPhone's default protections and install unverified apps.
Whether it's on Apple or Android, once installed the malware behaves like a fully working cryptocurrency wallet, undisguisable from the real apps.
By inserting malicious code into the app, the attackers can manipulate the content of the app as if it was their own – meaning they can drain the cryptocurrency from the wallet, without the user knowing.
It's believed that the cryptocurrency-stealing campaign remains active. To avoid falling victim to attacks, it's recommended that users only download apps from trusted, official sources as these are most likely to be secure, legitimate apps. It's also recommended that users install anti-virus software on their smartphones to help detect malicious apps and links.
"We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked to the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources," said Lukáš Štefanko, ESET researcher.
For users who suspect they may have downloaded a malicious app, researchers urge them to immediately create a brand-new wallet with a trusted device and application, and transfer all funds to it, so attackers can't come back and steal it.