Google Play caught hosting app designed to steal cryptocurrency

Google Play has been hosting an app that uses malware to steal cryptocurrency from users, security experts claim.

The app, which impersonated a legitimate crypto service called MetaMask, copies wallet addresses using ‘clipper’ malware, according to a blog post from Eset.

Lukas Stefanko, the blog post’s author, explains: “For security reasons, addresses of online cryptocurrency wallets are composed of long strings of characters. Instead of typing them, users tend to copy and paste the addresses using the clipboard.

“A type of malware, known as a ‘clipper’, takes advantage of this. It intercepts the content of the clipboard and replaces it surreptitiously with what the attacker wants to subvert.

“In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.”

The malware’s purpose is to steal the victim’s credentials and private keys to gain control over the victim’s funds. It can replace both Bitcoin and Ethereum wallet addresses copied to the clipboard with one belonging to the attacker.

The app was removed by Google after a tip-off from Eset.

‘Dangerous malware’

Stefanko added: “This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018.

“In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.”

He advises users to keep their Android devices updated and use a reliable mobile security solution.

Users should also stick to the official Google Play store when downloading apps – but always check the official website of the app developer or service provider for the link to the official app.

“If there is not one, consider it a red flag and be extremely cautious to any result of your Google Play search,” he added.