The attack uses a remarkably simple trick to part users with their digital funds. Cryptocurrency values are assigned to a long, unique string of characters known as a wallet. In order to make a transaction, a sender typically needs to enter the recipient's wallet address in their app. This is similar to how you would put a real-world address on an envelope in order for it to be delivered to the correct location.
Rather than manually enter these long and complicated addresses, however, most users will copy-and-paste them. This is where the clipper family of malware steps in. Once installed, the malware monitors the system's clipboard. Once it detects something that looks like a target address, it changes it to an address operated by the malware's controller. If the end user then submits the transaction without noticing the change, the attacker receives the currency instead.
Clipper is also able to snatch a user's credentials and private keys off the clipboard. Once the attacker has this information, they are able to impersonate the user to siphon funds directly and irreversibly. This is one reason why cryptocurrency experts have long recommended users to store the bulk of their balance in offline cold-storage, and only keep a minimal balance on mobile wallets for daily use.
Clipper malware has been around since at least 2017 targeting Windows users. Android app variants emerged in the middle of last year, but were relegated to third-party app stores outside of Google's walled garden. This latest finding snuck through Google's defenses.
The suspect app was called MetaMask, a service for managing Etherium-based distributed applications -- or Dapps. There is just one problem; MetaMask does not operate a mobile application. Instead, this was a third-party posing as a popular legitimate service to reach unsuspecting victims. Actual MetaMask representatives took to Twitter, asking Google to step up their protections for trademarked names:
— MetaMask (@metamask_io) February 9, 2019
Managing security for the Play Store is assuredly not a small task, but it is surprising to see a basic level of protection like trademarked name verification is not implemented. This is far from the first time such an impersonation has happened. Even the massively popular messaging WhatsApp was similarly imitated in 2017.
It is a reminder that no matter the system, users should take charge of their own security. In this instance, MetaMask's official website has no mention of mobile applications - only desktop browser extensions. Additionally, users should verify that all transaction information is correct before submitting. Users should also be cautious of using the clipboard to enter credentials, as the clipboard can be read by any running application. Lastly, it is always best to install the latest security updates. No single aspect is a silver bullet for security, but an diligent security posture can at least reduce the risk of becoming compromised.