Hackers are flooding the web with rogue mobile apps that quietly drain users' crypto wallets.
A down cryptocurrency market does not mean hackers have given up on the field. Quite the contrary. Researchers at Confiant have uncovered a large-scale operation called "SeaFlower" in which victims' crypto assets are stolen through fake wallet apps carrying the branding of well-known products: Coinbase, MetaMask, TokenPocket and imToken.
These apps offer the same functionality as the originals, with one small addition: a backdoor that sends the attackers the wallet's seed phrase, the random sequence of words from which the wallet's private keys can be regenerated. With the seed in hand, the attackers can take control of the wallet and transfer out all of its cryptocurrency.
The seed is intercepted right after the user creates a new wallet or imports an existing one, and nothing in the app's behaviour gives it away. Spotting it requires decrypting and analysing the app's incoming and outgoing requests with a man-in-the-middle proxy, which is what the researchers did.
Unsurprisingly, the domains that receive this valuable data mimic those of crypto brands. The researchers came across metanask.cc (for MetaMask) and trx.lnfura.org (for Infura, with a lowercase L standing in for the i), a classic technique for blending exfiltration into legitimate-looking traffic. To distribute the trojanized apps, the hackers simply set up websites that impersonate the real publishers. They are clearly well versed in search engine optimization, since search engines bring them the majority of their potential victims; Baidu in particular is heavily used. Simple and effective.
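The kind of check an analyst runs over decrypted proxy traffic to catch this behaviour, as an added example that is not Confiant's code or part of the original article: it scans each request's query string and body for a run of words shaped like a BIP39 mnemonic, and compares the destination host against an assumed allowlist of legitimate domains to flag typosquatted look-alikes such as the two domains named above. The sample requests are constructed for the example and are not SeaFlower captures; the allowlist is an assumption.

```python
"""Flag seed-phrase exfiltration in decrypted wallet-app traffic (added example)."""
import re
from urllib.parse import parse_qs, urlparse

# Domains a genuine wallet build is expected to contact. Assumed for the example;
# a real allowlist comes from vendor documentation or a clean baseline capture.
LEGIT_DOMAINS = {"metamask.io", "infura.io", "coinbase.com", "tokenpocket.pro", "token.im"}

# BIP39 mnemonics have 12, 15, 18, 21 or 24 words drawn from a 2048-word list whose
# entries are 3 to 8 lowercase letters. This structural check is a heuristic; a
# production detector would also verify every word against the full list.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RUN = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")

# Digits attackers substitute for letters in look-alike domains (l/i and rn/m
# confusions are caught by the edit-distance comparison below).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample traffic, as a MITM proxy would log it after TLS interception.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://metanask.cc/api/v1/wallet",
     "body": '{"mnemonic":"abandon ability able about above absent absorb '
             'abstract absurd abuse access accident"}'},
    {"method": "GET",
     "url": "https://trx.lnfura.org/v3/sync?seed=zoo+zoo+zoo+zoo+zoo+zoo+zoo+zoo+zoo+zoo+zoo+wrong",
     "body": ""},
    {"method": "POST", "url": "https://mainnet.infura.io/v3/abc123",
     "body": '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'},
    {"method": "POST", "url": "https://api.example-telemetry.net/ping",
     "body": "app=wallet&event=created"},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """The label just left of the TLD, e.g. 'metanask' for metanask.cc."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str):
    """Return ('legit' | 'lookalike' | 'unknown', matched domain or None)."""
    host = host.lower()
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit", host
    label = brand_label(host).translate(HOMOGLYPHS).replace("rn", "m")
    for legit in sorted(LEGIT_DOMAINS):
        target = brand_label(legit)
        # Distance 1 covers metanask/metamask and lnfura/infura; tune for your allowlist.
        if label == target or edit_distance(label, target) <= 1:
            return "lookalike", legit
    return "unknown", None


def request_text(req: dict) -> str:
    """Concatenate the parts of a request where a seed could travel."""
    pieces = [req.get("body", "")]
    for values in parse_qs(urlparse(req["url"]).query).values():
        pieces.extend(values)  # parse_qs already URL-decodes '+' to spaces
    return " ".join(pieces)


def find_mnemonics(text: str) -> list:
    """Return word runs whose length matches a BIP39 mnemonic."""
    found = []
    for match in WORD_RUN.finditer(text):
        words = match.group(0).split()
        if len(words) in MNEMONIC_LENGTHS:
            found.append(" ".join(words))
    return found


def scan(requests: list) -> list:
    """Flag requests that carry a mnemonic or go to a look-alike domain."""
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        verdict, brand = classify_host(host)
        phrases = find_mnemonics(request_text(req))
        if phrases or verdict == "lookalike":
            findings.append({"host": host, "verdict": verdict,
                             "mimics": brand, "mnemonics": phrases})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["host"], finding["verdict"], "mimics", finding["mimics"],
              "mnemonics:", len(finding["mnemonics"]))
```

Run against the constructed capture, only the two requests to metanask.cc and trx.lnfura.org are flagged; the genuine Infura JSON-RPC call and the unrelated telemetry ping pass. A mnemonic sent to a legitimate domain would still be reported, since a wallet should never put the seed on the wire at all.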
Second only to North Korea's Lazarus group
Note that these hackers, who are probably of Chinese origin, target both Android and iOS users. On iOS they rely on "Enterprise/Developer Provisioning" distribution, which lets an app be installed on an iPhone without going through the App Store and therefore without passing the security review practised there.
The way the backdoors are implemented in the spoofed apps is also considered clever. That is why Confiant's researchers believe that, for web3, SeaFlower is "the most technically sophisticated threat, second only to Lazarus", the alleged North Korean hacker group well known for stealing cryptocurrency.
Protecting against this kind of attack is not very difficult: verify the authenticity of the application you are installing. Always go through the publishers' official websites and install only from the dominant app stores, the Apple App Store and Google Play; an iOS wallet that asks you to trust an enterprise developer profile did not come from the App Store.