Advertising security agency Confiant discovered a set of malicious activities involving decentralized wallet apps, in which hackers use backdoored imposter wallets to steal private seed phrases and drain user funds. The apps are distributed through clones of legitimate sites, making it appear as if the user is downloading the original app.
Malicious clusters target Web3-enabled wallets like Metamask
Hackers are becoming increasingly creative in engineering attacks that take advantage of cryptocurrency users. Confiant, which investigates the quality of ads and the security threats they may pose to Internet users, issued a warning about a new kind of attack affecting users of popular Web3 wallets such as Metamask and Coinbase Wallet.
Named “Seaflower,” the cluster was identified by Confiant as one of the most sophisticated attacks of its kind. According to the report, these apps are nearly identical to the original apps and therefore indistinguishable to the average user, but the codebase is different, allowing hackers to steal wallet seed phrases and gain access to funds.
Distribution and Recommendations
The report found that these apps are distributed mostly outside of regular app stores, through links users find on search engines such as Baidu. Investigators said the cluster must be of Chinese origin based on the language in which the code comments are written and on other factors such as the location of the infrastructure and the services used.
The links to these apps are promoted with search engine optimization (SEO) so that they rank high on search sites, tricking users into thinking they are accessing a real site. The sophistication of these apps stems from the fact that the code is hidden and much of how the system works is obfuscated.
The backdoored apps send seed phrases to remote locations as they are generated, which is the main attack vector of the Metamask imposters. For other wallets, Seaflower uses very similar attack vectors.
Experts have further issued a series of recommendations for keeping wallets on devices secure. Since these backdoored applications are only distributed outside of app stores, Confiant advises users to always install wallet applications from the official Android and iOS stores.