Malware disguised as cryptocurrency wallets used to steal from iOS and Android users

Cryptocurrency has been booming for a few years now, pulling in a lot of new investors who just want to see what's going on. This has been good for plenty of people and boosted the profiles of tokens beyond the more well-known Bitcoin and Ethereum, but the influx of new investors has also given scammers a much larger field of victims to target. Security researchers with Eset uncovered a complex scheme involving Android and iOS apps that look like well-known cryptocurrency wallets but actually hide malicious trojans designed to steal crypto.

Eset detailed its research in a post for the firm's We Live Security blog, and what the company discovered revealed in part just how easy it is for cyberattackers to use internet buzz to lure a host of new victims. Beginning in 2021, Eset says it discovered "dozens" of Android and iOS apps that looked like legit crypto wallets such as Metamask or Coinbase — but they were carrying malware payloads and being distributed through sketchy websites that only appeared trustworthy. The malware operators were able to steal the seed phrases of their unwitting victims, giving them access to their real wallets.

It was a cleverly designed attack. Eset writes that whoever made the malware found in the fake wallets "looked at some good, legitimate applications and copied the code for their own malicious purposes." The offending code was well-hidden and the faked apps even appeared to work as they were supposed to. The individual or hacking team behind the scam even went as far as placing ads on trusted websites. They further expanded their reach by using middlemen found on Telegram and Facebook to lure more victims. Eset also discovered that lax security on the cyberattackers' servers created a double threat: the malware sent victim seed phrases over insecure connections, which could have allowed not just the operator of the scheme to steal the info, but anyone who might be listening in.

According to Eset, the apps did seem to primarily target Chinese users, but more than a dozen variations on one of them were found in the Play Store alone. Unfortunately, the code used to make the trojanized apps has been leaked and shared, so it's still a threat. If you're looking for cryptocurrency wallet apps, be sure you're downloading from Apple's App Store and that you have Google Play Protect enabled the next time you use the Play Store.

By Steve Huff (
