First CryptoCurrency Clipboard Hijacker Found on Google Play Store

- Advertisement -

Researchers last week found the first Android app on the Google Play store that monitors a device’s clipboard for Bitcoin and Ethereum addresses and swaps them for addresses under the attacker’s control. This allows the attackers to steal any payments you make without your knowledge that you sent it to the wrong address.

A malicious Android app called MetaMask was added to the Google Play store that pretended to be a mobile version of the legitimate service of the same name.  This app, though, was detected by ESET as malicious and when ESET Android security researcher Lukas Stefanko performed an analysis, it was discovered to be stealing a user’s cryptocurrency using two different attack methods.

The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. When BleepingComputer analyzed the app’s APK file, we found that the app contains information that can be used to send this stolen data to a Telegram account.

Telegram Message Info
Telegram Message Info

Once a private key is entered, the app will combine the above information information along with the stolen private key and send it via Telegram to the attackers.  Stefanko confirmed that the attackers were using Telegram to receive the stolen keys and seeds.

Sending the stolen key via Telegram
Sending the stolen key via Telegram

The second attack method discovered by Stefanko was to monitor the device’s clipboard for Ethereum and Bitcoin addresses, and if one is detected, swap it out with a different address under the attacker’s control. As cryptocurrency addresses are composed of a long string of numbers and characters, it is hard to memorize them. Knowing this, attackers can swap a desired address with one under their control and have little chance of being detected.

- Advertisement -
Swapping Bitcoin and Ethereum addresses in clipboard
Swapping Bitcoin and Ethereum addresses in clipboard

When replacing addresses in the clipboard, the program will swap out a Bitcoin address with 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA and an Ethereum address with 0xfbbb2EF692B5101f16d3632f836461904C761965.

Clipboard monitoring is not new and this attack method has been seen it numerous times already in Windows malware, browser extensions, and being sold on underground markets for Android. This is the first time, according to Stefanko, that one was detected on the Google Play store.

Thankfully, this particular app was not widespread and only had five installs. Stefanko told BleepingComputer that this was most likely because it was detected and reported only a few days after being uploaded to the Google Play store.

- Advertisement -



Previous Articles:

- Advertisement -

Latest News

Singapore Fines UBS, Citi, Others $21.5M in Money Laundering Scandal

Singapore fined nine financial firms $21.5 million in connection with a major money laundering...

Valhil Capital Predicts XRP Could Hit $4,813 by 2030 Amid Adoption

Valhil Capital projects XRP could reach a fair market value of $4,813 to $9,000...

Hamak Gold to Hold Bitcoin in Treasury, Aims for UK Leadership

Hamak Gold is moving part of its treasury funds into Bitcoin while continuing gold...

Symbolic 200 BRICS Bank Note Unveiled at 2025 Summit Sparks Buzz

A 200-denominated BRICS bank note appeared at the 2025 St. Petersburg forum, generating discussions...

$8.6B Bitcoin Move Sparks New Speculation Over Satoshi’s Identity

Bitcoin saw a record $8.6 billion transferred from dormant wallets in what is called...

Must Read

The Ultimate Guide on How to Understand a Cryptocurrency White Paper

Today, cryptocurrency is a popular buzzword. We hear about it on the news, we read about it on the Internet. Yet, people are reluctant to...