On January 8, 2019, we saw the first instance of Clipper malware in the Google Play Store. It disguised itself as an innocent app to trick people into downloading it and then started funneling cryptocurrency funds to the malware author.

But what is Clipper malware, how does it work, and how can you avoid the attack?

What is Clipper Malware?

Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is the cryptocurrency equivalent of a bank account number. If you want someone to pay you in cryptocurrency, you give them your wallet address and they enter it into their payment details.

You can learn more about how cryptocurrency works in our handy guide.

Clipper malware captures a cryptocurrency transaction by replacing the wallet address with an address belonging to the malware author. When a user goes to pay with their cryptocurrency account, they end up paying the malware author, not the intended recipient.

This can result in serious financial damage if malware manages to capture a high-value transaction.

How Clipper Malware Works

Clipper malware performs this exchange by monitoring the clipboard of the infected device, where copied data is stored. Every time the user copies something, the clipper checks it for a cryptocurrency wallet address. If it finds one, the malware replaces it with the malware author's address.

Now, when the user goes to paste the address, they end up pasting the hijacked address instead of the legitimate one.

Clipper malware exploits the complex nature of wallet addresses. These are long strings of seemingly random numbers and letters. Unless the user has worked with the same wallet address many times, there is very little chance they will notice that it has changed.

Even worse, that complexity means people are more likely to copy and paste the address rather than type it, which is exactly what the malware relies on.

How long has it been around?

Clipper malware itself is nothing new. It entered the scene around 2017 and was mainly aimed at Windows machines. Since then, Android versions have been developed and sold on the black market, and infected apps can be found on shady third-party sites.

Such sites became a springboard for the 2016 Gooligan malware that infected 1 million devices.

This is the first time that an app on the official Google Play Store has been found carrying Clipper malware. Successfully uploading an infected application to the official store is the dream scenario of every malware distributor. An app in the Google Play Store carries a certain authenticity that makes it more trustworthy than apps found on a random website.

This means that people usually download and install apps from the store without question, which is exactly what malware authors want.

Which applications contained Clipper malware?

The Clipper malware was hidden in an application posing as MetaMask. MetaMask is a real service that lets users run browser-based distributed applications on the Ethereum cryptocurrency. MetaMask did not have an official Android app yet, so the malware authors took advantage of that to trick people into thinking one existed.

This fake MetaMask app did more than just swap the cryptocurrency addresses on the clipboard. It also requested the user's Ethereum account details as part of a fake account setup. Once an unsuspecting user entered that data, the malware authors had all the information they needed to log into the account and empty it for themselves.

Luckily, a security firm caught the malware before it did too much damage. The fake MetaMask app was uploaded on February 1st, 2019, then reported and removed just over a week later.

Rise of cryptocurrency attacks

Although this attack vector is new, it is not too surprising. Cryptocurrencies are very big business these days, and with that comes the opportunity to earn large sums of money. While most people are happy to make money through legal means, there will always be those who would rather exploit others instead.

Cryptojackers are a favorite of malware authors around the world. They hijack the device's processor to mine cryptocurrency for the author, preferably without the end user even noticing.

Just as with this Clipper malware example, security companies have found app-infecting cryptojackers in the Google Play Store. So this may be just the start of cryptocurrency malware attacking users on Android phones.

How to Avoid Clipper Malware Attack

It may sound very scary, but avoiding a malware attack is quite simple. Clipper malware depends on the user being unaware of its existence and ignoring warning signs. Learning how malware works is a big step towards defeating it. After reading this article, you have already done 90 percent of the work!

First, always download apps from the Google Play Store. While Google Play isn't perfect, it's much safer than questionable sites on the internet. Avoid sites that act as a "third-party store" for Android, as they carry far more malware than Google Play.

[Image: the download count shown on a Google Play app listing]

When downloading apps from Google Play, double-check the app's download count before installing. If an app has been available for a long time yet has a low number of downloads, installing it can be risky. Similarly, if an app claims to be the mobile version of a popular service, double-check the developer's name.

If the name differs (even slightly) from the name of the official developer, this is a big warning that something is wrong.

Even if your phone is infected with malware, you can still avoid the attack if you are careful. Double-check every wallet address you paste to make sure it has not changed between copying and pasting. If the address you paste differs from the one you copied, Clipper malware is hiding on your system.

Perform a full virus scan and remove any questionable applications you may have recently installed.
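The copy-versus-paste comparison recommended above, and the clipboard substitution described in "How Clipper Malware Works", can be reduced to a small check: extract any wallet-looking tokens from the copied text and the pasted text and refuse the transaction if they differ. The following is an added example, not code from the article or from any product it mentions; the address patterns, the Base58Check validator and the sample values are constructed here, and it assumes the caller supplies the two strings (e.g. from a wallet app's paste handler).

```python
import hashlib
import re

# Patterns for the two address formats the article touches on: legacy
# Bitcoin Base58Check (starting with 1 or 3) and Ethereum hex addresses.
# bech32 "bc1..." addresses are deliberately out of scope for this example.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a zero byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def find_addresses(text: str) -> list[str]:
    """Return every wallet-looking token in text, in order of appearance."""
    combined = f"{BTC_RE.pattern}|{ETH_RE.pattern}"
    return [m.group(0) for m in re.finditer(combined, text)]


def clipboard_tampered(copied: str, pasted: str) -> bool:
    """True if the addresses in the pasted text differ from those copied.

    A clipper substitutes a *valid* address, so a checksum alone will not
    catch it; only comparing what was copied with what arrived does.
    """
    return find_addresses(copied) != find_addresses(pasted)


if __name__ == "__main__":
    # Constructed sample: the well-known Bitcoin genesis-block address and a
    # one-character alteration of it, standing in for a substituted address.
    original = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    altered = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
    print("original checksum ok:", base58check_valid(original))   # True
    print("altered checksum ok:", base58check_valid(altered))     # False
    print("paste tampered:", clipboard_tampered(original, altered))  # True
```

A wallet app can run `clipboard_tampered` in its paste handler and prompt the user whenever it returns True; a mismatch is the warning sign the article tells you to look for by eye.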

Clipping the wings of malware

Clipper malware can be devastating to anyone handling large amounts of cryptocurrency. The complex nature of wallet addresses, combined with the typical user's habit of copying and pasting them, gives Clipper malware its opening.

Many people may not even realize what they are doing until it is too late!

Fortunately, defeating this malware is straightforward: never download suspicious apps, and double-check every wallet address before confirming a transaction.

Worried about malware on your mobile device? Here’s how to increase the security of your smartphone and fight against mobile malware.
