Bitcoin and cryptocurrencies have struggled to overcome people’s fears that buying them will leave them vulnerable to hackers and digital thieves, with a steady stream of complaints against bitcoin exchanges and wallet providers over the years.
The bitcoin price’s rapid rise from hundreds of dollars per bitcoin to a single bitcoin being worth almost $20,000 in 2017 sparked a surge of interest in bitcoin and cryptocurrencies from criminals, who were quick to try to separate trusting crypto holders from their bitcoin.
Now, an Android app hosted on the official Google Play store has been pulled after it was found to be surreptitiously stealing bitcoin and cryptocurrency from unwitting users, researchers revealed late last week—thought to be the first time this kind of malware has been hosted on the official Android app store.
The app, which was found to be impersonating a legitimate crypto service called MetaMask, hijacked a phone’s clipboard feature when people copy and paste their bitcoin or cryptocurrency address, either sending the account’s so-called private keys back to the criminals or replacing the public key with an address controlled by the hacker.
When the phone user then tried to send their digital tokens to the copied address, they would paste the attackers’ address instead.
“For security reasons, addresses of online cryptocurrency wallets are composed of long strings of characters. Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware, known as a ‘clipper’, takes advantage of this,” wrote Eset security researcher Lukas Stefanko. “It intercepts the content of the clipboard and replaces it surreptitiously with what the attacker wants to subvert. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.”
Bitcoin and cryptocurrency addresses are often regenerated each time a user opens their app as a security feature, though doing so means people are less likely to recognize a fraudulent address.
The MetaMask app, designed by ethereum developer Consensys, is popular among the bitcoin and cryptocurrency community—having been downloaded for Chrome and Firefox via the Google Play store over one million times—and allows users to access a variety of decentralized apps on the ethereum network. It is not currently available for mobile devices.
The warning is a blow to bitcoin and cryptocurrencies as well as to the Google Play Store, which has previously been criticized for allowing malicious apps onto its platform without checks.
“Cryptocurrency stealers that replace a wallet address in the clipboard are no longer limited to Windows or shady Android app stores. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” Stefanko wrote. “This first appearance of clipper malware on Google Play serves as another imperative for Android users to stick with the best practices for mobile security.”
Security researchers have previously found bitcoin and cryptocurrency stealing software on download.cnet.com, one of the world’s most popular software-hosting sites, and also on unofficial Android app stores.
While the bitcoin price has struggled over the last year, falling steadily since hitting its all-time high in December 2017 and dragging down the wider cryptocurrency market, scandals, thefts, and scams continue to plague the industry.
A report out earlier this year found that hackers and other cybercriminals stole some $1.7 billion worth of bitcoin and other cryptocurrencies in 2018, up fivefold on the year before.
There are calls to better regulate the burgeoning cryptocurrency sector; however, many fear that heavy-handed regulation could remove much of what makes cryptocurrency attractive to users and developers.