Researchers have disclosed a large-scale campaign, dubbed SeaFlower, that uses cloned apps of cryptocurrency wallets such as MetaMask, Coinbase, imToken, and TokenPocket.

The SeaFlower operation

Researchers from Confiant identified the campaign in March and tracked the activity as SeaFlower. Further, the activity is described as a technically sophisticated threat targeting web3 users.
  • The malicious cryptocurrency apps look identical to the real ones. However, these fake apps come with a backdoor that can steal the users' security phrases used to access digital assets.
  • Researchers disclosed that the attackers had planted backdoor code in these apps. The backdoor code steals seed phrases and sends them to domains mimicking the legitimate vendors.
  • The attackers seem to be Chinese, according to hints such as the language of the source-code comments, the frameworks used, the infrastructure location, and the services used.

Propagation techniques

  • As per reports, the primary distribution channel is search services. It is surmised that the attackers are also promoting the apps via social media, forums, and malvertising.
  • Moreover, the trojanized apps spread via fake websites imitating crypto wallets, and via black SEO and SEO poisoning techniques.
  • The search results from the Baidu engine are the most impacted by the SeaFlower operation.
  • On iOS, the sites abuse provisioning profiles to side-load the malicious apps to bypass security protections.

What to do?

To stay protected against such threats, cryptocurrency users should always download wallet apps from trusted sources. iOS users should not install provisioning profiles without checking the legitimacy of the request, because these profiles allow the installation of any app on macOS or iOS.
Cyware Publisher