Security Experts Blow the Top off Mobile Wallet App Scam Targeting Chinese Users

Researchers at Slovak cybersecurity firm ESET have peeled back the layers of a sophisticated cryptocurrency scam targeting Chinese users.

The scammers created counterfeits of legitimate Android and iOS cryptocurrency wallet apps in order to divert victims' funds. “These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” reported ESET senior researcher Lukáš Štefanko. On Android, the trojanized apps targeted new users who did not yet have the genuine wallet app installed; on iOS, a victim could end up with the genuine app and the counterfeit installed side by side.

The counterfeit wallets were promoted through fake wallet websites aimed at Chinese users, and the operators recruited intermediaries through Telegram and Facebook groups to lure visitors into downloading the apps.

When did it start?

ESET's investigation, which began in May 2021, traced the operation to a single criminal group that built the trojanized wallet apps. The apps reproduced the functionality of the originals but carried added malicious code that diverted the victims' crypto assets, and that code was injected in places that would escape a cursory examination.

“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” said Štefanko. This creates a secondary exposure: anyone able to observe the traffic on its network path (on the same Wi-Fi network, for example) could read the seed phrases in transit and empty the wallets themselves.
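The plaintext exfiltration Štefanko describes cuts both ways: if a seed phrase crosses the network unencrypted, a defender inspecting that traffic can spot it just as easily as an eavesdropping criminal. The following Python is an added example written for this page, not ESET's code or anything recovered from the malicious apps. It parses raw HTTP/1.x requests and flags any query parameter, form field or JSON string that has the shape of a BIP-39 mnemonic (12, 15, 18, 21 or 24 words of 3 to 8 lowercase letters). The sample requests, hostnames and field names are constructed for illustration, and the shape check is a heuristic by assumption: the 2048-word BIP-39 list and its checksum are not embedded, so this detects candidates rather than validating them.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# BIP-39 mnemonics have 12/15/18/21/24 words; English list words are 3-8
# lowercase ASCII letters. Shape check only (assumption): the wordlist and
# checksum are not embedded, so this flags candidates, not validated phrases.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


def looks_like_mnemonic(text):
    words = text.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _json_strings(node):
    """Depth-first walk of a decoded JSON document, yielding every string leaf."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from _json_strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from _json_strings(child)


def candidate_strings(target, headers, body):
    """Yield every place a phrase could travel: query params, form fields,
    JSON string leaves, or the raw body as a fallback."""
    for values in parse_qs(urlsplit(target).query).values():
        yield from values
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        for values in parse_qs(body).values():
            yield from values
    elif "application/json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = body  # malformed JSON: scan it as a plain string
        yield from _json_strings(doc)
    else:
        yield unquote_plus(body)


def detect_seed_phrase_exfil(raw_request):
    """Return an alert dict for the first mnemonic-shaped value, else None.
    This only works because the request is plaintext HTTP, which is exactly
    the weakness described: anyone on the path can parse it the same way."""
    method, target, headers, body = parse_http_request(raw_request)
    for value in candidate_strings(target, headers, body):
        if looks_like_mnemonic(value):
            return {"host": headers.get("host", "?"), "method": method,
                    "target": target, "word_count": len(value.split())}
    return None


# Constructed sample traffic (not real captures); hosts are placeholders.
EXFIL_FORM = (
    "POST /api/v1/backup HTTP/1.1\r\n"
    "Host: wallet-sync.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "app=imToken&mnemonic=legal+winner+thank+year+wave+sausage+worth+useful"
    "+legal+winner+thank+yellow"
)
EXFIL_JSON = (
    "POST /upload HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"device":"sdk_gphone64","backup":{"phrase":"letter advice cage absurd '
    'amount doctor acoustic avoid letter advice cage absurd amount doctor '
    'acoustic avoid letter advice cage absurd amount doctor acoustic bless"}}'
)
BENIGN_LOGIN = (
    "POST /login HTTP/1.1\r\n"
    "Host: wallet-sync.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2&remember=yes"
)

if __name__ == "__main__":
    for name, req in (("form", EXFIL_FORM), ("json", EXFIL_JSON), ("login", BENIGN_LOGIN)):
        print(name, detect_seed_phrase_exfil(req))
```

In practice the same logic would sit behind a proxy or an IDS HTTP decoder rather than on raw strings, and a production rule would load the real BIP-39 wordlist and verify the checksum to cut false positives. Note that a legitimate wallet never needs to send the seed phrase anywhere, so any hit on this detector, over HTTP or HTTPS, is worth an alert.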

Hack can spread, warns expert

ESET found multiple groups promoting the trojanized apps on the messaging app Telegram, and the apps being shared in 56 Facebook groups. All communication in the Telegram groups was in Chinese. Individuals promoting these applications were promised a 50% cut of the stolen cryptocurrency.

The fake iOS apps were not available in the Apple App Store; they were distributed through malicious websites and installed via configuration profiles that Apple had not authorized. Thirteen fake Android apps masquerading as Jaxx Liberty Wallet on Google Play were removed from the store by January 2022, but not before…