Last week, the US Federal Trade Commission (FTC) released a report revealing that cryptocurrency scammers have swindled Americans out of over $1 billion since 2021. Cryptocurrency scams are rampant on social media sites and on messaging apps such as Telegram. The scams often trade on the names of cryptocurrency-related celebrities such as Jack Dorsey and Elon Musk. However, scams are only one way for bad actors to steal cryptocurrency. Rather than tricking unsuspecting victims into handing over their cryptocurrency, some cybercriminals instead turn to malware in order to steal cryptocurrency themselves.

Researchers from Confiant have published their findings detailing an extensive malware campaign the researchers are calling SeaFlower. The campaign targets users of four different cryptocurrency wallets on iOS and Android: MetaMask, Coinbase Wallet, imToken Wallet, and TokenPocket Wallet. The threat actors behind SeaFlower appear to speak Chinese, judging by code comments written in Chinese along with a number of other indicators noted by the researchers. The threat actors also appear to be targeting other Chinese speakers most heavily, having conducted an SEO poisoning campaign that has most affected search results from the Chinese-based Baidu search engine. SEO poisoning campaigns leverage search engine optimization (SEO) techniques to boost malicious websites into the top search results for legitimate websites or services.

Malicious clone of the Coinbase Wallet website (source: Confiant)

In this case, the threat actors have successfully boosted malicious clones of legitimate cryptocurrency wallet websites. The malicious sites appear identical to their legitimate counterparts but are hosted at domains controlled by the threat actors. The malicious sites include download buttons for Android and iOS apps, but, rather than redirecting users to the Google Play Store or the Apple App Store, the buttons instead attempt to side-load apps onto users' devices.

Installation process for malicious iOS profile (source: Confiant)

In the case of Android, the sites simply serve up an APK file, which users can download and install themselves. However, Apple doesn't allow easy app side-loading the way Android does, so, rather than serving up an installation package, the sites instead attempt to install a provisioning profile on iOS devices. These profiles contain developer keys that allow the malicious apps to be side-loaded.
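As an added triage example (not Confiant's tooling, and not code from the campaign), the following script pulls the cleartext plist out of a standard Apple `.mobileprovision` file and flags the properties that matter when a profile arrives from outside the App Store. It assumes the profile uses Apple's usual CMS-wrapped plist layout; the sample blob is constructed here, not taken from the SeaFlower samples.

```python
import plistlib
from datetime import datetime, timezone


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision (CMS-signed) blob.

    The XML plist sits unencrypted between '<?xml' and '</plist>' inside the
    signature envelope. No signature is verified here: this is triage only.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_profile(profile: dict, now: datetime) -> list[str]:
    """Flag properties that let an app be side-loaded broadly or run debuggable."""
    findings = []
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: app installs on any device")
    devices = profile.get("ProvisionedDevices", [])
    if devices:
        findings.append(f"ad-hoc profile: {len(devices)} provisioned device(s)")
    expiry = profile.get("ExpirationDate")
    # plistlib returns naive UTC datetimes; normalise before comparing
    if isinstance(expiry, datetime) and expiry.replace(tzinfo=timezone.utc) < now:
        findings.append("profile has expired")
    if profile.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow set: debuggable development build")
    team = ", ".join(profile.get("TeamIdentifier", [])) or "unknown"
    findings.append(f"signing team: {profile.get('TeamName', '?')} ({team})")
    return findings


# Constructed sample: an enterprise-style profile wrapped in dummy envelope bytes.
# Team name and identifier are placeholders, not real Apple accounts.
SAMPLE_PROFILE = {
    "AppIDName": "Wallet",
    "TeamName": "Example Team (constructed)",
    "TeamIdentifier": ["PLACEHOLDER"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2023, 1, 1, tzinfo=timezone.utc),
    "Entitlements": {"application-identifier": "PLACEHOLDER.com.example.wallet",
                     "get-task-allow": False},
}
SAMPLE_BLOB = b"\x30\x82" + b"\x00" * 16 + plistlib.dumps(SAMPLE_PROFILE) + b"\x00" * 8


def triage_sample() -> list[str]:
    """Run triage on the constructed sample as of 2024-01-01."""
    return triage_profile(extract_profile_plist(SAMPLE_BLOB),
                          datetime(2024, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for line in triage_sample():
        print(line)
```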

Once installed, the malicious apps look and function identically to the legitimate cryptocurrency wallet apps they mimic. However, the malicious apps contain backdoors that log wallet seed phrases, addresses, and balances and send that information to the threat actors behind the campaign. The threat actors can then use the seed phrases to carry out the account recovery process and gain access to the funds in victims' wallets. In some cases, the code containing the backdoors is encrypted, meaning anyone inspecting the code for malicious behavior must first use the included cryptographic keys to decrypt the malicious code before discovering what it does.

To avoid falling prey to a malicious app campaign such as this one, iOS users should never allow external provisioning profiles to be installed on their devices, and Android users should install apps only from trusted sources. All of the wallet apps targeted by this particular attack can be found in the Google Play Store and Apple App Store, so users should download and install them there.

The researchers have provided the hashes for one of the malicious Android apps and all four malicious iOS apps distributed as part of the SeaFlower campaign, so others can identify the malicious apps.

Coinbase Wallet Android app
SHA-256 of the APK:


Coinbase Wallet iOS app
SHA-256 of the .IPA analyzed:


MetaMask iOS app
SHA-256 of the .IPA file analyzed:


imToken Wallet iOS app
SHA-256 of the .IPA analyzed:


TokenPocket iOS Wallet
SHA-256 of the .IPA file analyzed: