First clipper malware discovered on Google Play

Researchers with ESET have found a malicious app designed to steal cryptocurrency in the Google Play Store. The app, which mimicked MetaMask, a legitimate service for running Ethereum-supported applications in a browser, has been removed from the Play Store after the researchers alerted Google.

The app ran a form of “clipper” malware, which manipulates clipboard content. Cryptocurrency wallet addresses are very long, so users usually copy and paste them. Whenever a victim making a cryptocurrency transaction copies a wallet address to the clipboard, the malware replaces it with an address owned by the attackers. The victim then pastes the wrong recipient address into the transaction form, and the threat actors receive the funds instead. Clipper malware has been spotted many times before, but had not yet been found on the Play Store.
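The substitution described above leaves a recognisable trace in clipboard telemetry: one address-shaped string replaced moments later by a different one, written by an app the user was not interacting with. The following detection sketch is an added example, not code from ESET or the original article; the `ClipEvent` record format, the 5-second window, the package names and the sample addresses are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Address shapes: Ethereum (0x + 40 hex) and common Bitcoin forms (approximate).
PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
}

@dataclass
class ClipEvent:          # hypothetical telemetry record, not a real API
    ts: float             # seconds since start of capture
    writer: str           # package that set the clipboard
    foreground: str       # package the user was interacting with
    text: str

def classify(text):
    """Return (kind, canonical address), or None if text is not address-shaped."""
    t = text.strip()
    for kind, pat in PATTERNS.items():
        if pat.fullmatch(t):
            # Ethereum hex is case-insensitive; base58 Bitcoin is not.
            return kind, (t.lower() if kind == "eth" else t)
    return None

def find_swaps(events, window=5.0):
    """Flag a background write that replaces one address with a different one."""
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        cur = classify(ev.text)
        old = classify(prev.text) if prev else None
        if (old and cur and old[0] == cur[0] and old[1] != cur[1]
                and ev.writer != ev.foreground      # not a user-driven copy
                and ev.ts - prev.ts <= window):     # shortly after the copy
            alerts.append({"ts": ev.ts, "writer": ev.writer,
                           "copied": old[1], "replaced_with": cur[1]})
        prev = ev
    return alerts

# Constructed sample telemetry; addresses and package names are made up.
USER_ADDR, OTHER_ADDR = "0x" + "A1" * 20, "0x" + "b2" * 20
SAMPLE = [
    ClipEvent(10.0, "com.example.browser", "com.example.browser", USER_ADDR),
    ClipEvent(10.3, "com.example.fakewallet", "com.example.browser", OTHER_ADDR),
    ClipEvent(60.0, "com.example.browser", "com.example.browser", USER_ADDR),
    ClipEvent(62.0, "com.example.browser", "com.example.browser", OTHER_ADDR),
]

if __name__ == "__main__":
    print(find_swaps(SAMPLE))
```

Only the write at 10.3 s is flagged; the later change at 62.0 s is a copy made by the foreground app itself and is treated as user-driven.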

