Hackers Clone Crypto Wallets to Steal Users' FundsBackdoored Apps Allow Normal Functioning of Wallet While Exfiltrating Master Key
Technically sophisticated thieves are stealing cryptocurrency by impersonating popular smartphone wallet apps for the Apple and Android platforms.
Researchers at security firm Confiant say the theft campaign is run by China-linked threat actors.
Dubbed SeaFlower, the campaign mainly targets users of Chinese search engines through links to malicious cryptocurrency wallet apps ostensibly from MetaMask, Coinbase, imToken and TokenPocket.
The malicious apps contain code allowing hackers to exfiltrate users' seed phrases - the list of random words allotted to new wallet users that effectively acts as a wallet recovery master key.
SeaFlower is "the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group," the Confiant researchers say.
Theft and fraud continue to plague the cryptocurrency market, and blockchain analysis firm Chainalysis pegs the value of illicit transactions conducted during the last year at $14 billion.
Theft from actors such as the SeaFlower gang have irreversible effects, says James McQuiggan, a security awareness advocate at cybersecurity firm KnowBe4. Cryptocurrency wallets don't have the same regulatory protections as traditional banking systems.
"If a cybercriminal gains access to someone's crypto wallet or account, they can quickly move the funds to their accounts," he says.
SeaFlower isn't a campaign of malicious hacking into consumer wallet apps. Instead, it depends on users downloading seemingly legitimate wallet apps that contain a backdoor for seed phrase exfiltration.
The campaign's technical sophistication makes it different from other web3 digital theft efforts, the researchers say. It's not common to observe reverse engineering of apps complete with automatic deployment and legitimate developer provisioning profiles for the Apple App Store.
The researchers say they informed Apple of the developer IDs the thieves used to code iOS apps, which Apple revoked. The company did not immediately reply to a request for comment.
Users encounter the malicious apps via searches such as "download metamask ios" on Chinese search engines, which display links to cloned websites of legitimate wallet apps.
"Search engines are one of the clear entry points for SeaFlower that we identified to this date, redirecting mobile users to fake/cloned wallet download websites. In particular, Baidu search engine results are one of the initial vectors for these attacks," the researchers say, referring to the dominant Chinese search engine.
For iOS devices, the malicious apps are sideloaded from the cloned webpages onto the smartphone, meaning the app isn't installed through the official Apple App Store. Users are unable to see the difference between the malicious app and the real thing.
"The user experience, the UI and all the wallet functionality are unchanged, normal/advanced users won't notice anything while using the app on their phones: it is the legitimate app from the AppStore/Play Store with a sneaking backdoor in it," the researchers say.
The backdoored wallets send traffic to web domains meant to mimic legitimate domains, such as trx.lnfura[.]org in place of infura.io, or metanask[.]cc instead of metamask.io.
First identified in March this year, the campaign's name has an interesting origin story that functions as one clue among many that the thieves are Chinese speakers.
Confiant says one of the injected executable files of the backdoored metamask app leaked a macOS username: Zhang Haike.
Zhang Haike is a character in a Chinese novel called "Tibetan Sea Flower."
The researchers also found source code comments written in Chinese.
In addition, much of the technical infrastructure underpinning the malicious apps had links to the Chinese and Hong Kong IP address spaces, including "provisioning profiles, signing infrastructure, and app provisioning infrastructure." There were also domains registered with the country code top-level domain for China.