On January 8, 2019, we saw the first instance of Clipper malware in the Google Play Store. It disguised itself as an innocent app to trick people into downloading it and then started funneling cryptocurrency funds to the malware author.
But what is Clipper malware, how does it work, and how can you avoid the attack?
What is Clipper Malware?
Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is the cryptocurrency equivalent of a bank account number: if you want someone to pay you in cryptocurrency, you give them your wallet address and they enter it into their payment details.
Clipper malware captures a cryptocurrency transaction by replacing the wallet address with an address belonging to the malware author. When a user goes to pay with their cryptocurrency account, they end up paying the malware author, not the intended recipient.
This can result in serious financial damage if malware manages to capture a high-value transaction.
How Clipper Malware Works
Clipper malware performs this swap by monitoring the clipboard of the infected device, where copied data is stored. Every time the user copies something, the clipper checks whether it is a cryptocurrency wallet address. If it is, the malware replaces it with the author's address.
Now, when the user goes to paste the address, they end up pasting the hijacked address instead of the legitimate one.
Clipper malware exploits the complexity of wallet addresses. These are long, effectively random strings of letters and numbers. Unless the user has used the same wallet address many times, there is very little chance they will notice that it has changed.
Even worse, its complexity means that people are more likely to copy and paste the address — exactly what the malware wants!
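The swap described above can be caught from the defender's side by comparing what the user actually copied with what the clipboard holds at paste time. The Python below is an added example, not code from the original article: it recognises legacy Bitcoin (Base58Check) and Ethereum (40-hex-digit) address shapes and flags the clipper signature, a different wallet address appearing in the clipboard than the one copied. The sample addresses are constructed from dummy hash160 bytes and belong to nobody.

```python
import hashlib
import re
from typing import Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version byte + hash160; used here only to build the sample addresses."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def is_btc_address(s: str) -> bool:
    """Legacy Bitcoin address: Base58 alphabet, 25 decoded bytes, valid double-SHA256 checksum."""
    if not 25 <= len(s) <= 35 or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    raw = b"\0" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, chk = raw[:21], raw[21:]
    return len(raw) == 25 and hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == chk

def wallet_kind(s: str) -> Optional[str]:
    """Classify a string as a 'btc' or 'eth' address, or None; the checksum keeps random text out."""
    s = s.strip()
    if is_btc_address(s):
        return "btc"
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "eth"
    return None

def clipboard_swapped(copied: str, clipboard_now: str) -> bool:
    """Clipper signature: the user copied a wallet address and the clipboard now holds a different one."""
    if clipboard_now == copied:
        return False
    return wallet_kind(copied) is not None and wallet_kind(clipboard_now) is not None

# Constructed sample addresses (mainnet P2PKH version 0x00 over dummy hash160 bytes), not real wallets.
USER_ADDR = b58check_encode(b"\x00" + b"\x00" * 20)
ATTACKER_ADDR = b58check_encode(b"\x00" + b"\x01" * 20)
```

A wallet app or clipboard-monitoring agent would feed `clipboard_swapped` the text the user copied and the text about to be pasted, and refuse to submit the payment when it returns True.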
How long has it been around?
Clipper malware itself is nothing new. It appeared around 2017 and was mainly focused on Windows machines. Since then, Android variants have been developed and sold on the black market, and infected apps can be found on shady sites.
Such sites became a springboard for the 2016 Gooligan malware that infected 1 million devices.
This is the first time an app on the official Google Play Store has been found carrying Clipper malware. Successfully uploading an infected application to the official store is the dream scenario of every malware distributor. An app in the Google Play Store carries a certain authenticity that makes it more trustworthy than apps found on a random website.
This means that people usually download and install apps from the store without question, which is exactly what malware authors want.