The Malware That Swaps Your Address And Drains Your Wallet

Immunefi
3 min read · Sep 3, 2021

Since at least 2017, cybercriminals have been deploying a type of malware known as “Clipper” malware. It watches the system clipboard and, whenever the text a user copies looks like a cryptocurrency address, silently replaces it with an address the attacker controls. It’s a devious attack.

You might copy and paste an address, thinking that you’re about to pay your friend, but you’re actually transferring funds to an attacker. You may not notice because crypto addresses are long and hard to read. When you’re comparing character by character, your eyes start to blur over. “Why even finish reading?” you ask yourself. “It’s probably the same address, anyway.”

This attack is not especially common, but it does happen to both Bitcoin and Ethereum users, and it’s important to be aware of it, because sometimes you actually are infected and the addresses are not the same.

Clipper malware first appeared in 2017, initially on Windows, and by August 2018 it was being offered for sale on underground hacking forums.

Researchers at ESET even discovered Clipper malware hosted on download.cnet.com, one of the most popular software-hosting sites in the world.

In February 2019, ESET found an active Clipper lurking in the Google Play store, impersonating MetaMask, one of the most widely used crypto wallets. ESET security solutions detected the app as Android/Clipper.C. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.

Figure 1. Android/Clipper.C impersonating MetaMask on Google Play

This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node.

Several malicious apps have been previously discovered to be impersonating MetaMask on Google Play. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds.

This first appearance of Clipper malware on Google Play is another reminder for Android users to stick to best practices for mobile security.

To stay safe from Clippers and other Android malware, we advise crypto users to:

  • Keep your Android device updated and use a reliable mobile security solution
  • Stick to the official Google Play store when downloading apps. Even then, check the official website of the app developer or service provider for a link to the official app; if there is none, treat that as a red flag and be extremely cautious about what your Google Play search turns up
  • Double-check every step in all transactions that involve anything valuable, from sensitive information to money. When using the clipboard, always check that what you pasted is what you intended to enter
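The swap described above, and the paste check the last bullet asks for, as an added Python example (not code from this post, from Immunefi or from ESET): a simulated clipper that applies the same shape test a real one uses to decide whether a clipboard string is an address worth replacing, and a paste_check function that a wallet or a cautious user could run to compare the pasted address against the one they meant to send to. The regexes, the function names and the ATTACKER table are this example’s own assumptions; the sample addresses are constructed deterministically from fixed strings; legacy Bitcoin addresses get a full Base58Check validation, while bech32 addresses are matched on charset only, without checksum verification.

```python
import hashlib
import re

# Shape tests a clipper applies to every clipboard update. Patterns are
# constructed for this example: legacy/P2SH addresses are also Base58Check
# validated below; bech32 is matched by charset only (no checksum here).
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BTC_BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of double-SHA256, as used by Bitcoin Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode_check(payload: bytes) -> str:
    """Base58Check-encode version byte + hash160 (used here to build sample addresses)."""
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    # each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode_check(s: str):
    """Decode Base58Check; return the payload, or None if a character or the checksum is bad."""
    if any(ch not in B58_ALPHABET for ch in s):
        return None
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    return payload if _checksum(payload) == checksum else None


def classify(text: str):
    """Return 'btc', 'eth' or None: the decision a clipper makes on each clipboard change."""
    if ETH_RE.match(text):
        return "eth"
    if BTC_LEGACY_RE.match(text) and b58decode_check(text) is not None:
        return "btc"
    if BTC_BECH32_RE.match(text):
        return "btc"
    return None


def clipper_swap(clipboard_text: str, attacker_addrs: dict) -> str:
    """Simulated clipper: replace a copied wallet address with the attacker's address of the same coin."""
    kind = classify(clipboard_text)
    if kind is None:
        return clipboard_text          # not an address: leave the clipboard alone, stay unnoticed
    return attacker_addrs.get(kind, clipboard_text)


def paste_check(intended: str, pasted: str):
    """Defensive check: compare the pasted address with the one the user meant to use.

    Returns (ok, reason). A same-kind, different-value result is exactly what a
    clipper produces, so the reason points at the first differing position.
    """
    if intended == pasted:
        return True, "match"
    if classify(intended) != classify(pasted):
        return False, "pasted text is not the same kind of address as the intended one"
    n = min(len(intended), len(pasted))
    pos = next((i for i in range(n) if intended[i] != pasted[i]), n)
    return False, f"address differs from position {pos}: {intended[pos:pos + 6]!r} vs {pasted[pos:pos + 6]!r}"


# Constructed sample addresses (hash160 derived from fixed strings for determinism).
VICTIM_BTC = b58encode_check(b"\x00" + hashlib.sha256(b"friend").digest()[:20])
VICTIM_ETH = "0x" + hashlib.sha256(b"friend-eth").hexdigest()[:40]
ATTACKER = {
    "btc": b58encode_check(b"\x00" + hashlib.sha256(b"attacker").digest()[:20]),
    "eth": "0x" + hashlib.sha256(b"attacker-eth").hexdigest()[:40],
}

if __name__ == "__main__":
    for intended in (VICTIM_BTC, VICTIM_ETH, "meeting at 3pm"):
        pasted = clipper_swap(intended, ATTACKER)
        print(f"copied: {intended}\npasted: {pasted}\ncheck:  {paste_check(intended, pasted)}\n")
```

Note that the substituted address has the same kind, the same leading character and the same length as the original, which is why a glance at the first few characters is not enough; comparing the full string against the address shown on the invoice, or against a trusted address book entry, is the check that catches the swap.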

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.