2022-03-28

A group of cybersecurity researchers has discovered dozens of apps capable of stealing the access credentials of cryptocurrency applications as well known as Coinbase.

Coinbase and MetaMask are two of the most widely used cryptocurrency wallets in the world, so it is no wonder that in recent years they have become a target for hackers organizing attacks that take advantage of unsuspecting users to obtain their data, or even their money.

A recent report from ESET Research has uncovered a new threat which, since May 2021, has been planting trojans on the Android and iOS devices of users around the world. These trojans are capable of stealing the secret access credentials for platforms such as Coinbase, MetaMask, OneKey, Bitpie, Trust Wallet and TokenPocket.

A criminal group could be behind this attack

The report describes this as a very complex attack, since the malware authors carried out an in-depth analysis of the legitimate apps in order to copy their functions in detail and make their trojans much harder to detect. For that reason, it is considered very likely that a criminal group is behind the threat, rather than a single person as has happened on previous occasions.

The apps were then promoted on different websites and Telegram channels, prompting users to download the infected apps, which were available both on Android (through Google Play) and on iOS. In total, the researchers discovered over 40 websites promoting the malicious apps, most of them aimed at the Chinese public.

According to the researchers, the trojan worked differently depending on the platform. On Android, the threat targeted users who did not already have the cryptocurrency app on their devices, because the operating system does not allow an installed application to be overwritten if the key used to sign the new package is not the same as the key that signed the original app.

On iOS, it is possible to have both applications installed at the same time, something the attackers took advantage of to sneak onto victims' devices. However, since the apps were not present in the App Store, the victim had to download and install configuration profiles on the device, and those profiles already included the trojan.

Once installed, the applications tried to trick the user into revealing their recovery phrase or "seed", which is needed to access the cryptocurrency wallet. The information was then sent to the attackers' servers, and with it they could manipulate the contents of the wallets at will.

As if that weren't enough, the data was transmitted to the server over an insecure HTTP connection, which could allow third parties to obtain the keys by eavesdropping on the victim's network. The video that accompanied the original article showed an example of this type of attack, with sensitive information being extracted from the HTTP connection:
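Because the seed phrase left the device as a cleartext HTTP form field, the same exposure that lets an eavesdropper read it also lets a defender detect it. The following is an added example, not code from the article or from ESET, of detection logic run over constructed proxy log lines: it flags form fields whose value has the shape of a BIP39 recovery phrase (12, 15, 18, 21 or 24 lowercase words) and rates the alert higher when the request went over plain HTTP. The log format and the hostnames are constructed for illustration.

```python
"""Flag seed-phrase-like form fields leaving the network, especially over cleartext HTTP.

Added example; the log line format and all hostnames below are constructed
and are not taken from the ESET report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: "<METHOD> <URL> body=<url-encoded form body>".
SAMPLE_LOG = [
    "POST http://wallet-update.example.test/api/import body=mnemonic="
    "abandon+ability+able+about+above+absent+absorb+abstract+absurd+abuse+access+accident",
    "POST https://api.legit-wallet.example.test/v1/balance body=address=0xabc",
    "GET http://cdn.example.test/logo.png body=",
    "POST https://backup.legit-wallet.example.test/restore body=phrase="
    "abandon+ability+able+about+above+absent+absorb+abstract+absurd+abuse+access+accident",
    "POST http://wallet-update.example.test/api/import body=words="
    + "+".join(["zoo"] * 23 + ["wrong"]),
]

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")
# BIP39 words are lowercase ASCII, 3 to 8 letters long.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# Valid BIP39 mnemonic lengths (128 to 256 bits of entropy).
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def looks_like_mnemonic(text: str) -> bool:
    """True when the text has the word count and word shape of a recovery phrase."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def scan_log(lines):
    """Return one alert per form field that looks like a seed phrase.

    Severity is 'high' when the phrase travelled over cleartext HTTP (anyone on
    the path can read it) and 'medium' over HTTPS (still a phrase leaving the
    device, but not readable by a network eavesdropper).
    """
    alerts = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(match["url"])
        scheme = parts.scheme.lower()
        fields = parse_qs(match["body"], keep_blank_values=False)
        for name, values in fields.items():
            for value in values:
                if looks_like_mnemonic(value):
                    alerts.append({
                        "host": parts.hostname,
                        "field": name,
                        "scheme": scheme,
                        "severity": "high" if scheme == "http" else "medium",
                    })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The check is deliberately structural rather than a full BIP39 wordlist match, so it also catches phrases in wallets that use a different wordlist or a partially garbled copy; in production you would add the 2048-word list as a second, higher-confidence stage and feed the alerts to whatever consumes your proxy or netflow telemetry.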

Although the attack primarily targeted users in China, "dozens of different variants" have been discovered in the Google Play Store alone. Furthermore, since the attack code has been published on the Internet, it will most likely continue to be used from here on.

For that reason, it is very important to make sure that the applications you download come from reliable sources and that they are published in their respective stores by reputable developers.

