Bitcoin and cryptocurrencies have struggled to overcome people’s fears that buying them will leave them vulnerable to hackers and digital thieves, with a steady stream of complaints against bitcoin exchanges and wallet providers over the years.
The bitcoin price’s rapid rise from hundreds of dollars per bitcoin to a single bitcoin being worth almost $20,000 in 2017 sparked a surge of interest in bitcoin and cryptocurrencies from criminals, who were quick to try to separate trusting crypto holders from their bitcoin.
Now, an Android app hosted on the official Google Play store has been pulled after it was found to be surreptitiously stealing bitcoin and cryptocurrency from unwitting users, researchers revealed late last week—thought to be the first time this kind of malware has been hosted on the official Android app store.
The app, which was found to be impersonating a legitimate crypto service called MetaMask, hijacked a phone’s clipboard feature when people copied and pasted their bitcoin or cryptocurrency address, either sending the account’s so-called private keys back to the criminals or replacing the public key with an address controlled by the hacker.
When the phone user then tried to send their digital tokens to the copied address, they would paste the attackers’ instead.
“For security reasons, addresses of online cryptocurrency wallets are composed of long strings of characters. Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware, known as a ‘clipper’, takes advantage of this,” wrote Eset security researcher Lukas Stefanko. “It intercepts the content of the clipboard and replaces it surreptitiously with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.”
Bitcoin and cryptocurrency addresses are often regenerated each time a user opens their app as a security feature, though doing so means people are less likely to recognize a fraudulent address.
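Seen from the defender's side, the swap described above leaves a recognisable trace: the clipboard holds one wallet address and, moments later, a different address of the same type. The Python sketch below is an added example, not code from the article or from Eset; the snapshot format, the two-second window and the placeholder addresses are all assumptions made for illustration.

```python
import re

# Address *shapes* only: these patterns check format, not checksums.
PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
}

def classify(text):
    """Return (kind, normalised address) if the text is a lone address, else None."""
    s = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(s):
            # Hex ETH addresses compare case-insensitively; base58 does not.
            return kind, (s.lower() if kind == "eth" else s)
    return None

def detect_swaps(events, window=2.0):
    """events: time-ordered (seconds, clipboard_text) snapshots.
    Flag an address replaced by a different address of the same kind
    within `window` seconds (an assumed heuristic threshold)."""
    alerts = []
    prev = None  # (time, kind, address) of the previous snapshot, if it was an address
    for t, text in events:
        hit = classify(text)
        if hit is None:
            prev = None  # ordinary text breaks the address-to-address sequence
            continue
        kind, addr = hit
        if prev and prev[1] == kind and prev[2] != addr and t - prev[0] <= window:
            alerts.append({"time": t, "kind": kind, "copied": prev[2], "now": addr})
        prev = (t, kind, addr)
    return alerts

# Constructed placeholder addresses and a constructed clipboard timeline.
A = "0x" + "a1" * 20
B = "0x" + "b2" * 20
SAMPLE = [
    (0.0, "meeting at 3pm"),
    (10.0, A),                      # user copies the recipient address
    (10.3, B),                      # different address 0.3 s later: flagged
    (95.0, " 0x" + "A1" * 20 + "\n"),  # same address, other case and whitespace
    (95.5, A),                      # unchanged after normalisation: not flagged
    (200.0, B),                     # a later, separate copy: outside the window
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE):
        print(alert)
```

A replacement that arrives after the window passes unnoticed by this heuristic, so the dependable check remains comparing the pasted address with its source before sending.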
The MetaMask app, designed by ethereum developer Consensys, is popular among the bitcoin and cryptocurrency community—having been downloaded for Android via the Google Play store over one million times—and allows users to access a variety of decentralized apps on the ethereum network.