Level 52
Content Creator
Malware Hunter
A fake MetaMask app is the first instance of this new type of cryptocurrency stealer appearing outside of shady third-party app stores.

A malicious app designed to steal cryptocurrency from victims by replacing a wallet address in the phone’s clipboard has been discovered harboring the first “clipper” malware discovered on Google Play, the official Android app store.

Usually cryptocurrency-stealers are found on unsanctioned Android app stores, but researchers with ESET on Friday said that they spotted the malicious app (a fake version of the legitimate MetaMask service) shortly after it had been introduced at the official Android store on Feb. 1. The app has since been removed, but anyone who had already downloaded it remains affected.

The app was called MetaMask, like the legitimate service that is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node. The real MetaMask however does not actually offer a mobile app currently, only add-ons for desktop browsers such as Chrome and Firefox, researchers said.

Once downloaded on a victim’s system, the clipper malware scoops up content, like cryptocurrency wallets addresses, that have been pasted on the Android Clipboard. Clipboard is an extension in Chrome that lets users seamlessly copy and keep links at hand.

“The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds,” said Lukas Stefanko with ESET in a post. “However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.”