First CryptoCurrency Clipboard Hijacker Found on Google Play Store

- Advertisement -

Researchers last week found the first Android app on the Google Play store that monitors a device’s clipboard for Bitcoin and Ethereum addresses and swaps them for addresses under the attacker’s control. This allows the attackers to steal any payments you make without your knowledge that you sent it to the wrong address.

A malicious Android app called MetaMask was added to the Google Play store that pretended to be a mobile version of the legitimate service of the same name.  This app, though, was detected by ESET as malicious and when ESET Android security researcher Lukas Stefanko performed an analysis, it was discovered to be stealing a user’s cryptocurrency using two different attack methods.

The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. When BleepingComputer analyzed the app’s APK file, we found that the app contains information that can be used to send this stolen data to a Telegram account.

Telegram Message Info
Telegram Message Info

Once a private key is entered, the app will combine the above information information along with the stolen private key and send it via Telegram to the attackers.  Stefanko confirmed that the attackers were using Telegram to receive the stolen keys and seeds.

Sending the stolen key via Telegram
Sending the stolen key via Telegram

The second attack method discovered by Stefanko was to monitor the device’s clipboard for Ethereum and Bitcoin addresses, and if one is detected, swap it out with a different address under the attacker’s control. As cryptocurrency addresses are composed of a long string of numbers and characters, it is hard to memorize them. Knowing this, attackers can swap a desired address with one under their control and have little chance of being detected.

- Advertisement -
Swapping Bitcoin and Ethereum addresses in clipboard
Swapping Bitcoin and Ethereum addresses in clipboard

When replacing addresses in the clipboard, the program will swap out a Bitcoin address with 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA and an Ethereum address with 0xfbbb2EF692B5101f16d3632f836461904C761965.

Clipboard monitoring is not new and this attack method has been seen it numerous times already in Windows malware, browser extensions, and being sold on underground markets for Android. This is the first time, according to Stefanko, that one was detected on the Google Play store.

Thankfully, this particular app was not widespread and only had five installs. Stefanko told BleepingComputer that this was most likely because it was detected and reported only a few days after being uploaded to the Google Play store.

- Advertisement -



Previous Articles:

- Advertisement -

Latest News

Sui Rebounds to $2.65 After LGHL Plans Major Token Acquisition

Sui (SUI) traded at $2.65, down 2.03% in the past 24 hours.The token rebounded...

Russia Delays Digital Ruble Launch to September 2026 After Pushback

The Bank of Russia has proposed delaying its digital ruble rollout to September 1,...

DOT Miners Attracts Investors With Regulated Passive Crypto Income

DOT Miners offers a cloud mining platform enabling users to earn steady Passive income...

Cloudbet Expands Crypto Crash Game Portfolio With Galaxsys

Willemstad, Curaçao – June 26, 2025 – Cloudbet has added the full suite of...

Coinbase to Launch US-Regulated Bitcoin, Ether Perpetual Futures

Coinbase will launch U.S.-regulated perpetual-style futures for Bitcoin and Ether on July 21.The move...

Must Read

The 10 Best Crypto Podcasts You Can’t Miss

Table of ContentsBest Cryptocurrency Podcasts To Add To Your Playing List1. The Money Movement2. The Crypto Conversation3. The Pomp Podcast4. What Bitcoin Did5. The...