Fake MetaMask App on Google Play Store Hosted Crypto Malware

Joanna Estrada
February 12, 2019

Researchers last week found the first Android app on the Google Play store that monitors a device's clipboard for Bitcoin and Ethereum addresses and swaps them for addresses under the attacker's control.

The malware-laden app, discovered by ESET, impersonates a service called MetaMask that provides access to Ethereum decentralized applications, or dapps.

The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app.

Worse, ESET researchers said the app contained "clipper" malware.

For those who don't know, addresses of crypto wallets consist of long strings of characters, so users typically copy and paste them rather than typing them out.

The "clipper" apps replace the correct address on the clipboard with the address of the hacker's own virtual wallet, which means that the victim could unknowingly be depositing their bitcoins into the wallet of an unknown thief.
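A static-triage heuristic for the clipper behaviour described above, as an added example that is not from ESET's analysis or this article: it flags decompiled Android source that both reads and overwrites the clipboard and also embeds a wallet-address literal. The sample fragments and the all-zero address are constructed placeholders, and the idea that the replacement address is hardcoded in the app is an assumption.

```python
import re

# Android ClipboardManager calls: watching/reading the clipboard, and writing to it.
CLIP_READ = re.compile(r"\b(?:addPrimaryClipChangedListener|getPrimaryClip)\s*\(")
CLIP_WRITE = re.compile(r"\bsetPrimaryClip\s*\(")
# Wallet-address shapes appearing as string literals (assumed hardcoded destination).
ETH_ADDR = re.compile(r'"0x[0-9a-fA-F]{40}"')
BTC_ADDR = re.compile(r'"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71})"')


def triage(source: str) -> dict:
    """Report which clipper traits appear in one decompiled source file."""
    literals = ETH_ADDR.findall(source) + BTC_ADDR.findall(source)
    traits = {
        "reads_clipboard": bool(CLIP_READ.search(source)),
        "writes_clipboard": bool(CLIP_WRITE.search(source)),
        "hardcoded_addresses": [lit.strip('"') for lit in literals],
    }
    # Each trait alone is common (paste buttons, copy buttons, donation addresses);
    # only the combination is worth escalating to manual review.
    traits["suspicious"] = (traits["reads_clipboard"]
                            and traits["writes_clipboard"]
                            and bool(traits["hardcoded_addresses"]))
    return traits


# Constructed fragments, not code from the app described in the article.
PLACEHOLDER = "0x" + "0" * 40
SAMPLE_FLAGGED = f'''
clipboard.addPrimaryClipChangedListener(this);
String dest = "{PLACEHOLDER}";
clipboard.setPrimaryClip(replacement);
'''
SAMPLE_COPY_BUTTON = '''
clipboard.setPrimaryClip(ClipData.newPlainText("address", shown));
'''
SAMPLE_PASTE_AND_DONATE = f'''
ClipData clip = clipboard.getPrimaryClip();
String donate = "{PLACEHOLDER}";
'''

if __name__ == "__main__":
    for name, src in [("flagged", SAMPLE_FLAGGED),
                      ("copy button", SAMPLE_COPY_BUTTON),
                      ("paste + donate", SAMPLE_PASTE_AND_DONATE)]:
        print(name, triage(src))
```

A hit is a reason to look closer, not a verdict: legitimate wallets can embed contract addresses, and an app that fetches its replacement address at runtime would not match the literal check.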

It's worth noting that Google plans to change how Android's copy and paste system works in Android Q. New permissions would restrict when and how apps can access the clipboard and could potentially combat this kind of malware.

Ironically, the malicious app passed itself off as a legitimate cryptocurrency app called MetaMask, and hit the Play Store on February 1st.

The app was reportedly discovered this month, and Google has since removed it. However, Ars Technica claimed the incident "is yet more evidence that Google can't be trusted to proactively keep malware out of Play".

Unfortunately, there's no foolproof way to detect and avoid malicious apps like this yet. There is no mention of how many times it was downloaded, but it doesn't appear to have infected a huge number of users. It's also worthwhile to check the official website of the service an app claims to represent.