On Feb 1, 2019, a malicious app targeting Ethereum (ETH) users was uploaded to Google Play.
This “clipper app” is a type of malware that watches an Android device’s clipboard and replaces any cryptocurrency address copied there with one belonging to the attacker. The app is reported to have been built to steal ETH and ERC20 tokens, as well as personal data, including private keys, from the users who installed it.
Within a week, ESET researchers, who publish on the company’s WeLiveSecurity blog, had spotted the clipper app and reported it to Google. It has since been removed from the Play Store.
Similar malware has appeared on Windows and in unofficial Android app stores, but this is the first time a clipper app has been spotted on Google Play.
Clippin’ and Rippin’
The malicious clipper app promoted itself as a mobile version of MetaMask for Android devices.
MetaMask, however, has not released any mobile apps. It exists only as an extension for several desktop browsers, including Chrome, Firefox, Opera, and Brave. Once installed, the extension acts as an ETH wallet and lets the browser interact with decentralized applications (dApps); developers also use it to test the dApps they build from a desktop browser.
To receive ETH or ERC20 tokens, a wallet’s public address must be given to the sender, who then creates a transaction specifying that receiving address and the amount to send. An Ethereum address is a 42-character string (the prefix 0x followed by 40 hexadecimal digits) derived from the hash of the account’s public key; it identifies the account and does not encrypt anything. Because such strings are impractical to type, users who move funds between an exchange and their own wallet, or between two of their own wallets, almost always copy the receiving address from one place and paste it into the other. In this instance, the receiver is also the sender.
Clipper apps, like the one discovered by ESET, monitor the clipboard for text that looks like a cryptocurrency address. Whenever one is copied, the malware overwrites the clipboard with an address belonging to the attacker, so what the user pastes is no longer what they copied. A user who believes they are sending funds to their own wallet is in fact sending them to a bad actor, and if they do not verify that the pasted address is the one they copied, they will approve the transfer of their own money to someone else without realizing it.
This is an important reminder to always check that the pasted address is identical to the one that was copied. Comparing only the first and last few characters is weaker than a full comparison, since the attacker chooses the substituted address and is under no obligation to make it look different at a glance. Though it is more time consuming, users should verify the pasted address character by character, and should use a wallet’s address book or whitelist feature where one is offered, so that the address does not have to pass through the clipboard at all.
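The substitution described above and the check recommended against it, as an added example in Python (this is not code from the original article or from ESET’s report). The two addresses and the clipboard text are constructed for the example; the attacker address is deliberately built to share its first and last four hex digits with the user’s address, to show why glancing at the ends of the string is not a sufficient check.

```python
import re
from dataclasses import dataclass, field

# Constructed values for this example; neither address is from the ESET report.
USER_ADDRESS = "0x52908400098527886E0F7030069857D2E4169EE7"
# Built to agree with USER_ADDRESS in its first and last four hex digits.
ATTACKER_ADDRESS = "0x5290a1b2c3d4e5f60718293a4b5c6d7e8f909ee7"

# 0x followed by exactly 40 hex digits, standing alone as a token.
ETH_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def clipper_substitute(clipboard_text: str, attacker_address: str) -> str:
    """Model of what a clipper does each time the clipboard changes:
    every Ethereum-style address in the text is replaced with the attacker's."""
    return ETH_ADDRESS_RE.sub(attacker_address, clipboard_text)


@dataclass
class PasteCheck:
    ok: bool
    reason: str
    differing_positions: list = field(default_factory=list)


def verify_pasted_address(expected: str, pasted: str) -> PasteCheck:
    """The article's advice done by machine: the pasted address must equal the
    address the user meant to use, character for character. Hex case is ignored
    because upper- and lower-case spellings denote the same account."""
    pasted = pasted.strip()
    if not ETH_ADDRESS_RE.fullmatch(pasted):
        return PasteCheck(False, "pasted text is not a well-formed Ethereum address")
    exp, got = expected.lower(), pasted.lower()
    if exp == got:
        return PasteCheck(True, "pasted address matches the intended address")
    diffs = [i for i, (a, b) in enumerate(zip(exp, got)) if a != b]
    return PasteCheck(
        False,
        f"pasted address differs from the intended address at {len(diffs)} position(s)",
        diffs,
    )


def shared_ends(a: str, b: str, n: int = 4) -> bool:
    """True when two addresses agree on their first and last n hex digits,
    which is all a quick visual comparison usually covers."""
    a, b = a.lower()[2:], b.lower()[2:]
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def simulate_transfer(user_address: str, attacker_address: str) -> PasteCheck:
    """Copy -> clipper rewrites the clipboard -> paste into the send form -> verify."""
    clipboard = user_address                                  # what the user copied
    clipboard = clipper_substitute(clipboard, attacker_address)  # what the malware left behind
    pasted = clipboard                                        # what lands in the send form
    return verify_pasted_address(user_address, pasted)


if __name__ == "__main__":
    result = simulate_transfer(USER_ADDRESS, ATTACKER_ADDRESS)
    print(result.reason)
    print("first/last four digits agree:", shared_ends(USER_ADDRESS, ATTACKER_ADDRESS))
    print("first differing position:", result.differing_positions[0])
```

Running the script shows the full comparison rejecting the pasted address even though its first and last four digits agree with the user’s own. Note that the EIP-55 mixed-case checksum does not help here: the attacker controls the substituted address and can checksum it correctly, so a wallet that validates the checksum will accept it without complaint.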
A Look at the Past
While clipper apps are a new arrival on Google Play, plenty of other malicious apps have hurt cryptocurrency users in the not-too-distant past. Kaspersky Lab researcher Roman Unuchek published an article on Apr 4, 2018, discussing a number of apps developed to secretly mine cryptocurrency on a user’s mobile device.
Most of these apps were found on third-party sites and unofficial Android app stores. However, Zombie Fun, a game available on the Google Play Store, included scripts that mined covertly. Other apps from third-party sources impersonated major apps like Netflix, Bimji, and Instagram and used the Coinhive SDK and other malicious scripts for covert mining.
Google’s store is not the only one affected. Thomas Reed of Malwarebytes Labs revealed on Oct 29, 2018, that the Mac app CoinTicker contained code for two backdoors, which could be used to steal Bitcoin (BTC) or other cryptocurrencies, assets, or personal data.
DApps to the Rescue?
One option that may reduce the number of viruses and malware affecting cryptocurrency users is the active use of dApps in place of conventional apps.
There are two competing definitions of dApps.
- The first states that all decentralized blockchain technologies qualify as dApps. This would include BTC, Ethereum (ETH), and all tokens built on ETH or on similar networks like Tron (TRX) or EOS (EOS).
- A second definition holds that there are three generations of blockchain technologies — with dApps constituting the third.
In the second schema, the first generation consists of distributed ledger technologies like blockchain without smart contracts. These coins typically serve as cryptocurrencies and can include other innovations unrelated to smart contracts. For example, Monero (XMR) and Zcash (ZEC) integrate several privacy-based innovations within traditional blockchain technology but do not include smart contracts. Thus, they qualify as first-generation cryptocurrencies.
The second generation emerged with the introduction of smart contracts: platforms such as Ethereum on which applications can be built and run. The third generation, in this schema, is the dApps built on those platforms, each with its own interface and, often, its own tokenized assets. Different dApps are developed for different purposes, including social media, content creation and sharing, crowdfunding, investing, etc.
Crypto clipboard malware has been around for years, but I think this is the first one affecting Android users. https://t.co/fhmLVfUhu9
— Jameson Lopp (@lopp) February 10, 2019
DApps, like all blockchain technology, are susceptible to attacks, hacks, and malware. A dApp’s smart contracts can carry bugs or deliberately malicious logic, and its web front end can be compromised or impersonated like any other website, so malicious code can reach users through the blockchain as well as around it.
Furthermore, malware can be written to exploit bugs that already exist in blockchain software and smart contracts.
Nonetheless, the security properties of the blockchain make dApps less susceptible to the type of malware hidden inside traditional apps. That advantage does not extend to malware running on the device itself: a clipper operates on the operating system’s clipboard, before any app, extension or dApp sees the address, so the address check described above is necessary whichever kind of application the funds are sent from. Whether dApps will maintain their advantage in the future is a matter only time can settle.
Do you think dApps will be able to replace apps and better protect users from malware and viruses? Let us know your thoughts in the comments below!
Images courtesy of Twitter, Shutterstock.