Hackers use Telegram, websites to promote malicious crypto wallets: Eset researchers

The influx of new investors in the crypto space has given cyber criminals new opportunities to target unsolicited individuals. Security researchers with Eset have uncovered 40 copycat of well-known cryptocurrency wallets. These crypto wallets hide malicious trojans inside them engineered to steal all your crypto assets.
These malicious apps were able to steal victims’ secret seed phrases (passcodes used to access crypto wallet) impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.
For the uninitiated, a crypto wallet is where all your cryptocurrency lies. This includes your tokens or coins, and non-fungible-tokens (NFTs) too. A crypto wallet can be accessed via something called as a seed phrase—which is the equivalent of a password or passcode. Hackers want to gain illegal authorisation to your passcode, because once they have it—they can steal all your crypto-assets.

Dribution channel: Telegram, websites
Telegram, is a widely used messaging platform. But, it has also become a hub for pirated files, documents, and also a favourite place for crypto enthusiasts to recieve update about an upcoming airdrop, a token, or an NFT. However, the messaging platform is now being used hackers to promote malicious copies of such crypto wallets.
“We assume these groups were created the threat actor behind this scheme looking for further dribution partners, suggesting options such as telemarketing, social media, advertisement, SMS, third-party channels, fake websites etc,” Eset researchers said in a blog post. It is worth noting that all the identified groups were communicating in Chinese.
These Telegram groups serve as a dribution channel. Any person dributing this malware is offered a 50 per cent commission on the stolen contents of the wallet, as per the Eset researchers.
Not only Telegram channels but the dribution of malicious wallets was also being done using two legitimate websites, targeting users in China. On these websites, in the category “Investment and financial management”, researchers found upto six articles promoting mobile cryptocurrency wallets using copycat websites, leading users to download malicious mobile applications claiming to be legitimate and reliable. These posts abuse the names of legitimate cryptocurrency wallets such as: imToken, Bitpie, MetaMask, TokenPocket, OneKey, and Trust Wallet.
Targeting Android and iOS users
Hackers seem to target Android and iOS users differently. On Android, hackers target new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. This means if the official wallet is already installed on an Android smartphone, the malicious app can’t overwrite it because the key used to sign the counterfeit app is different from the legitimate application. That is the standard security model of Android apps, where non-genuine versions of an app can’t replace the original.

However, on iOS, the victim can have both versions installed – the legitimate one from the App Store and the malicious one from a website.
Eset researchers have advised users to download and install apps only from official sources, such as the Google Play store or Apple’s App Store. For iOS device,  downloading apps only from the official App Store, being especially cautious about accepting configuration profiles, and avoiding a jailbreak on this platform are the most advisable prevention recommendations.