SeaFlower hackers steal crypto with secret backdoors in your Android and iOS wallets

Last week, the US Federal Trade Commission (FTC) released a report revealing that cryptocurrency scammers have swindled Americans out of over $1 billion since 2021. Cryptocurrency scams are rampant on social media sites and on messaging apps such as Telegram. The scams typically trade on the names of cryptocurrency-related celebrities, such as Jack Dorsey and Elon Musk. However, scams are only one way for bad actors to steal cryptocurrency. Rather than tricking unsuspecting victims into handing over their cryptocurrency, some cybercriminals instead turn to malware in order to take the cryptocurrency themselves.

Researchers from Confiant have published findings detailing an extensive malware campaign they are calling SeaFlower. The campaign targets users of four different cryptocurrency wallets on iOS and Android: MetaMask, Coinbase Wallet, imToken Wallet, and TokenPocket Wallet. The threat actors behind SeaFlower appear to speak Chinese, judging by code comments written in Chinese along with a number of other indicators noted by the researchers. They also appear to be targeting Chinese speakers most heavily, having run an SEO poisoning campaign that has mostly affected search results from the Chinese-based Baidu search engine. SEO poisoning campaigns use search engine optimization (SEO) techniques to push malicious websites into the top search results for legitimate websites or services.

Malicious clone of the Coinbase Wallet website (source: Confiant)

In this case, the threat actors have successfully boosted malicious clones of the websites of legitimate cryptocurrency wallets. The malicious websites look identical to their legitimate counterparts but are hosted on domains controlled by the threat actors. The malicious websites include download buttons for Android and iOS apps, but rather than redirecting users to the Google Play Store or the Apple App Store, the buttons instead attempt to side-load apps onto users' devices.

Installation process for the malicious iOS profile (source: Confiant)

In the case of Android, the websites simply serve an APK file, which users can download and install themselves. However, Apple does not allow easy app side-loading as Android does, so rather than serving an installation package, the websites instead attempt to install a provisioning profile on iOS devices. These profiles contain developer keys that allow the malicious apps to be side-loaded.

Once installed, the malicious apps look and function identically to the legitimate cryptocurrency wallet apps they mimic. However, the malicious apps contain backdoors that log the wallet seed phrases, addresses, and balances and send that information to the threat actors behind the campaign. The threat actors can then use the seed phrases to carry out the account recovery process and gain access to the funds in victims' wallets. In some cases, the code containing the backdoors is encrypted, meaning anyone inspecting the code for malicious behavior must first use the included cryptographic keys to decrypt the malicious code before discovering what it does.

To avoid falling prey to a malicious app campaign such as this one, iOS users should never allow external provisioning profiles to be installed on their devices, and Android users should install apps only from trusted sources. All of the wallet apps targeted by this particular attack can be found in the Google Play Store and the Apple App Store, so users should download and install them there.

The researchers have provided the hashes for one of the malicious Android apps and all four malicious iOS apps distributed as part of the SeaFlower campaign, so others can identify the malicious apps.

Coinbase Wallet Android app
SHA-256 of the APK: 83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5

Coinbase Wallet iOS app
SHA-256 of the .IPA analyzed: 2334e9fc13b6fe12a6dd92f8bd65467cf700f43fdb713a209a74174fdaabd2e2

MetaMask iOS app
SHA-256 of the .IPA file analyzed: 9003d11f9ccfe17527ed6b35f5fe33d28e76d97e2906c2dbef11d368de2a75f8

imToken Wallet iOS app
SHA-256 of the .IPA analyzed: 1e232c74082e4d72c86e44f1399643ffb6f7836805c9ba4b4235fedbeeb8bdca

TokenPocket iOS Wallet
SHA-256 of the .IPA file analyzed: 46002ac5a0caaa2617371bddbdbc7eca74cd9cb48878da0d3218a78d5be7a53a
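A practical way to use these indicators is a small script that computes the SHA-256 of a downloaded APK or IPA and checks it against the published list. The following is an added example, not Confiant's tooling or code from this article; it reuses the five hashes above exactly as printed (each split across two lines, which the script joins) and assumes nothing beyond the Python standard library.

```python
#!/usr/bin/env python3
"""Check APK/IPA files against the SeaFlower SHA-256 indicators published by Confiant."""
import hashlib
import sys
from pathlib import Path
from typing import Dict, Optional

# Indicators copied from the article. Each hash appears there as two halves on
# separate lines, so they are kept that way here and joined by normalize_hash().
SEAFLOWER_IOCS_RAW: Dict[str, str] = {
    "Coinbase Wallet Android app (APK)":
        "83dec763560049965b524932dabc6bd6\n252c7ca2ce9016f47c397293c6cd17a5",
    "Coinbase Wallet iOS app (IPA)":
        "2334e9fc13b6fe12a6dd92f8bd65467cf\n700f43fdb713a209a74174fdaabd2e2",
    "MetaMask iOS app (IPA)":
        "9003d11f9ccfe17527ed6b35f5fe33d28\ne76d97e2906c2dbef11d368de2a75f8",
    "imToken Wallet iOS app (IPA)":
        "1e232c74082e4d72c86e44f1399643ff\nb6f7836805c9ba4b4235fedbeeb8bdca",
    "TokenPocket iOS Wallet (IPA)":
        "46002ac5a0caaa2617371bddbdbc7eca\n74cd9cb48878da0d3218a78d5be7a53a",
}


def normalize_hash(text: str) -> str:
    """Collapse whitespace and case; reject anything that is not a 64-hex-digit SHA-256."""
    digest = "".join(text.split()).lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return digest


# Reverse index (normalized digest -> sample label), built once at import time.
SEAFLOWER_IOCS: Dict[str, str] = {
    normalize_hash(raw): label for label, raw in SEAFLOWER_IOCS_RAW.items()
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a large IPA need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str) -> Optional[str]:
    """Return the SeaFlower sample label for a digest, or None if it is not listed."""
    return SEAFLOWER_IOCS.get(normalize_hash(digest))


def scan_bytes(data: bytes) -> Optional[str]:
    return classify(sha256_of_bytes(data))


def scan_file(path: Path) -> Optional[str]:
    return classify(sha256_of_file(path))


if __name__ == "__main__":
    # Usage: python seaflower_check.py wallet.apk wallet.ipa ...
    for arg in sys.argv[1:]:
        p = Path(arg)
        digest = sha256_of_file(p)
        label = SEAFLOWER_IOCS.get(digest)
        verdict = f"MATCH: {label}" if label else "no match"
        print(f"{p}: {verdict} ({digest})")
```

A match identifies one of the five exact samples Confiant analyzed; a repackaged build, or a sample signed with a different certificate, will have a different hash, so a non-match means only "not one of the published samples", not that the file is clean.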