Cryptocurrency-Stealing Malware Found On Malicious Wallet Apps For iOS And Android


Prices for cryptocurrencies are extremely volatile, which is why many people gamble on them in the hope of getting rich.

To make that happen, some are doing dirty things, among them building apps that rob cryptocurrency owners of their holdings. That is exactly what researchers at ESET have found.

According to the researchers, a sophisticated malicious scheme is targeting both Android and iOS users, primarily in China, by distributing copycat wallet apps that mimic legitimate wallet services in order to siphon off cryptocurrency funds.

"These malicious apps were able to steal victims' secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey," said Lukáš Štefanko, senior malware researcher at ESET in a report.

The counterfeit apps have been distributed through a network of more than 40 fake wallet websites, promoted with misleading articles posted on legitimate Chinese websites.

The marketing didn't stop there: according to the Slovak cybersecurity company, the operators also used Telegram and Facebook groups to attract further attention and trick unsuspecting users into downloading the malicious apps.

"Based on the information acquired from these groups, a person distributing this malware is offered a 50 percent commission on the stolen contents of the wallet," ESET noted.

According to the researchers, the developers of the malicious apps replicated legitimate wallet apps so closely that the copies offer the same functionality as their originals.

Their authors, the report says, "looked at some good, legitimate applications and copied the code for their own malicious purposes."

At the same time, the apps were laced with malicious code that enables the theft of the user's cryptocurrency assets.

"These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers' server using an unsecured HTTP connection," Štefanko explained. "This means that victims' funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network."
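The plaintext-HTTP exfiltration described above is something a network defender can look for directly. The following is an added example, not ESET's code or anything from the campaign: a small scanner run over constructed proxy-log entries of outbound POST requests. It pulls string values out of JSON and form-encoded bodies, looks for runs of BIP39-shaped words in the phrase lengths the standard allows (12, 15, 18, 21 or 24 words), and rates a hit as critical when it travelled over plain HTTP, since anyone on the path could have read it too. The request structure, host names and bodies are assumptions made up for the example; the word-shape check stands in for a lookup against the real 2048-word BIP39 list, which a production rule should add to cut false positives.

```python
import json
import re
from urllib.parse import parse_qs

# BIP39 words are 3 to 8 lowercase letters; phrases come in these lengths.
# Assumption for this example: we match on word shape only and do not embed
# the BIP39 wordlist. A real detector should also check each word against it.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
VALID_PHRASE_LENGTHS = {12, 15, 18, 21, 24}

# Constructed sample log: three outbound POSTs as a proxy or IDS might record them.
# The first two carry the first 12 / 24 words of the BIP39 list as a stand-in phrase.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "wallet-update.example", "path": "/api/import",
     "body": "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract"
             "+absurd+abuse+access+accident&platform=ios"},
    {"scheme": "https", "host": "sync.example", "path": "/v1/backup",
     "body": json.dumps({"device": "android", "phrase":
             "abandon ability able about above absent absorb abstract absurd abuse "
             "access accident account accuse achieve acid acoustic acquire across "
             "act action actor actress actual"})},
    {"scheme": "http", "host": "telemetry.example", "path": "/collect",
     "body": json.dumps({"event": "app_open", "version": "3.1.0"})},
]


def extract_strings(body: str):
    """Yield candidate text values from a raw POST body (JSON, form-encoded or plain)."""
    body = body.strip()
    if body.startswith("{") or body.startswith("["):
        try:
            obj = json.loads(body)
        except ValueError:
            obj = None
        if obj is not None:
            # Walk nested JSON and yield every string leaf.
            stack = [obj]
            while stack:
                item = stack.pop()
                if isinstance(item, dict):
                    stack.extend(item.values())
                elif isinstance(item, list):
                    stack.extend(item)
                elif isinstance(item, str):
                    yield item
            return
    if "=" in body and "\n" not in body:
        # application/x-www-form-urlencoded: '+' becomes space, values decoded.
        for values in parse_qs(body).values():
            yield from values
        return
    yield body


def find_mnemonic_candidates(text: str):
    """Return maximal runs of BIP39-shaped words whose length is a valid phrase length."""
    found, run = [], []
    for token in text.split():
        if WORD_RE.match(token):
            run.append(token)
            continue
        if len(run) in VALID_PHRASE_LENGTHS:
            found.append(" ".join(run))
        run = []
    if len(run) in VALID_PHRASE_LENGTHS:
        found.append(" ".join(run))
    return found


def scan_requests(requests):
    """Return one alert per logged POST whose body carries a seed-phrase-shaped value."""
    alerts = []
    for req in requests:
        for value in extract_strings(req["body"]):
            for phrase in find_mnemonic_candidates(value):
                plaintext = req["scheme"] == "http"
                alerts.append({
                    "host": req["host"],
                    "path": req["path"],
                    "words": len(phrase.split()),
                    "plaintext": plaintext,
                    # Over plain HTTP the phrase is readable by any on-path eavesdropper.
                    "severity": "critical" if plaintext else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

On the sample above the scanner raises two alerts, a critical one for the 12-word phrase sent to wallet-update.example over HTTP and a high one for the 24-word phrase sent over HTTPS, and stays silent on the telemetry event. The HTTPS case still matters: TLS protects the phrase from eavesdroppers but not from the party receiving it, and no legitimate wallet should be uploading a recovery phrase at all.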

On Android, the malicious wallet apps target cryptocurrency users who do not yet have any of the targeted wallet apps installed (Android will not install a second app with the same package name as one already present). On iOS, however, victims can end up with both the legitimate and the counterfeit version installed.

While malicious apps from this campaign were found on the Google Play Store, none were found on Apple's App Store.

To get the apps onto iOS devices, the operators direct victims to one of their malicious websites, which use configuration profiles to install apps that are not verified by Apple and come from outside the App Store.

The researchers at ESET have been tracking this campaign since May 2021.

They've attributed it to a single criminal group.

"Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group," Štefanko said.

With the threat actors behind the operation actively recruiting partners through social media and messaging apps and offering them a percentage of the stolen digital currency, ESET warns that the attacks could spill over to other parts of the world in the future.

"Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further," Štefanko added.

Cryptocurrency has been booming, and many new investors are trying to find what's best for them beyond the more well-known Bitcoin and Ethereum.

Scammers know this all too well: every influx of new investors gives them a much larger field of victims to target.

"In the future, we might expect an expansion of this threat, since threat actors are recruiting intermediaries through Telegram groups and Facebook to further distribute this malicious scheme, offering them a percentage of the cryptocurrency stolen from the wallets," ESET said.

Published: 
31/03/2022