Malicious apps are being used to steal crypto from iOS and Android users

Phone malware
(Image credit: Shutterstock)

The antivirus maker and internet security firm ESET has uncovered a sophisticated malicious cryptocurrency scheme that has been targeting mobile users on Android and iOS since May of last year.

The scheme itself is believed to be the work of one criminal group and it uses malicious apps distributed through fake websites in order to steal Bitcoin and other cryptocurrencies from unsuspecting users. These malicious apps mimic popular cryptocurrency wallets including Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey.

Those behind the scheme use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these copycat wallet apps. However, the cybercriminals have also recruited intermediaries through groups on Telegram and Facebook. While the main goal of the scheme is to steal users' funds, ESET Research has mainly observed Chinese users being targeted but with cryptocurrencies becoming more popular, the firm's security researchers expect the techniques used in it to spread to other markets. 

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.

>> <a href="" data-link-merchant=""" target="_blank">Click here to start the survey in a new window <<

The ESET researcher who discovered the scheme, Lukáš Štefanko provided further insight on how it works in a press release, saying:

“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network. We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store.”

An elaborate scheme

Beginning in May of last year, ESET's security researchers discovered dozens of trojanized cryptocurrency wallet apps.

What sets this scheme apart from other crypto scams though is the fact that the author of the malware carried out in-depth analysis of legitimate crypto apps in order to insert their own malicious code in places where it would be hard to detect. At the same time, they also ensured that the fake apps they created had the same functionality as the originals.

ESET found dozens of groups promoting malicious copies of cryptocurrency wallets on Telegram since May of 2021. Beginning in October of last year, these same Telegram groups were shared and promoted in at least 56 Facebook groups to look for even more distribution partners. Then in November, ESET spotted these fake cryptocurrency wallet apps being distributed on two legitimate Chinese websites.

These malicious apps also behave differently on Android and iOS. On Android they target new cryptocurrency users that don't already have a wallet app installed on their devices while on iOS, the victims can have both a legitimate and a malicious wallet app installed.

As the source code of this scheme has been leaked and shared on several Chinese websites, it could attract other cybercriminals to spread it even further. For this reason, users interested in buying, selling and storing cryptocurrencies should only download crypto wallet apps from either the Apple App Store or the Google Play Store.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.