MetaMask, an app which allows its users to run Ethereum dApps in a browser, appears to have an impersonator on Google Play, welivesecurity reports.
The fake MetaMask app was identified as “Android/Clipper.C” by ESET security solutions. The malware has been designed to gain control of the victim’s credentials and private keys in order to seize Ethereum funds.
The fake app was introduced on Google Play on February 1st. The app was removed by Google Play after it was reported by ESET.
Picture 1. Fake MetaMask app appearing on Google Play (Source: welivesecurity)
In addition, the malware was also in a position to replace the Bitcoin or Ethereum wallet address and insert the one belonging to fraudsters.
MetaMask’s original app “includes a secure identity vault, providing a user interface to manage your identities on different sites and sign blockchain transactions”.
“For security reasons, addresses of online cryptocurrency wallets are composed of long strings of characters. Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware, known as a ‘clipper’, takes advantage of this. It intercepts the content of the clipboard and replaces it surreptitiously with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker,” said Lukas Stefanko, the security researcher at ESET.
Apparently, this is the first time malware has been hosted on the official Android app store. In August 2018, the first Android clipper was noticed on the Android mobile platform. Similarly, it has been designed to replace digital wallet numbers in the clipboard with the wallet address of the attacker.
Previously, ESET researchers identified another malware, which was hosted on download.cnet.com, one of the world’s biggest software-hosting websites.