The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.
Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.
The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency.
To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.
Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is not yet launched on any mobile app stores.
However, Stefanko spotted the malicious MetaMask app on Play Store targeting users who want to use the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker's own address via the clipboard.
"Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds," Stefanko said.
"Android Clipper targeted Bitcoin and Ethereum cryptocurrency addresses when being copied in to clipboard and replaced them with the attacker's wallet address. Once this transaction is sent, it can not be canceled."
Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on Play Store, shortly after its introduction to the app store on February 1.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
Google took down the malicious app almost immediately after being notified by the researcher.
While the bitcoin price has been dropped steadily since hitting its all-time high in December 2017, there is no reduction (in fact rise) in the cryptocurrency scandals, thefts, and scams that continue to plague the industry.
Just last week, The Hacker News reported how customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency after the sudden death of its owner who was the only one with access to the company's cold (offline) storage wallets. However, some users and researchers are suggesting the incident could be an exit scam.