Hackers Are Cloning Web3 Wallets Like Metamask and Coinbase Wallet to Steal Crypto


Confiant, an advertising security agency, has found a cluster of malicious activity in which backdoored copies of wallet apps are distributed, allowing attackers to steal seed phrases and drain users' funds. The apps are distributed through clones of the legitimate download sites, so the user appears to be downloading the genuine app.

Malicious Cluster Targets Web3 Wallets Like Metamask

Hackers are getting more and more creative when designing attacks against cryptocurrency users. Confiant, a company that examines the quality of advertisements and the security threats they can pose to Internet users, has warned of a new type of attack affecting users of popular Web3 wallets such as Metamask and Coinbase Wallet.

The cluster, identified as “Seaflower,” was described by Confiant as one of the most sophisticated attacks of its kind. The report states that ordinary users cannot tell these apps apart from the originals: they look virtually identical, but carry modified code that exfiltrates the wallets' seed phrases, giving the attackers access to the funds.

Distribution and recommendations

The report revealed that these apps are mostly distributed outside the regular app stores, via links that users find in search engines such as Baidu. Investigators assess that the cluster is likely of Chinese origin, based on the language in which the code comments are written, the location of the infrastructure and the services used.

Links to these apps reach prominent positions in search results through SEO manipulation, ranking high enough that users believe they are visiting the real site. The sophistication of the apps lies largely in how the code is hidden: heavy obfuscation conceals much of how the backdoor works.

The backdoored Metamask imposter sends the seed phrase to a remote server at the moment the wallet is created; this is its main attack vector. Seaflower's imposters of the other wallets use a very similar mechanism.
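The mechanism described above, a seed phrase leaving the device during wallet creation, is something an analyst can look for in a sandbox or egress proxy log. The following is an added example written for this article, not code from Confiant's report or from any wallet project. It scans constructed request records for a mnemonic-like payload (12 to 24 lowercase words, each 3 to 8 letters) sent to a host outside an allowlist. The hostnames, the allowlist and the sample traffic are all assumptions made up for the example; a production detector would also check each word against the 2048-word BIP-39 list and verify the checksum, which is omitted here to keep the block self-contained.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of hosts a genuine wallet build is expected to contact.
# These names are assumptions for the example, not taken from Confiant's report.
EXPECTED_HOSTS = {"api.example-wallet.test", "rpc.example-node.test"}

# Heuristic for a BIP-39 style mnemonic: 12, 15, 18, 21 or 24 lowercase words,
# each 3 to 8 letters long, separated by single spaces. The full BIP-39 word
# list and checksum validation are deliberately left out of this example.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(text):
    """True if the string has the shape of a BIP-39 seed phrase."""
    words = text.strip().split(" ")
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def _string_values(obj):
    """Yield every string leaf in a parsed JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)


def candidate_strings(request):
    """Strings that could carry a seed: query parameters and body fields."""
    url = urlparse(request["url"])
    for values in parse_qs(url.query).values():
        yield from values
    body = request.get("body", "")
    try:
        yield from _string_values(json.loads(body))
    except (ValueError, TypeError):
        # Not JSON: treat the body as form-encoded, then as raw text.
        for values in parse_qs(body).values():
            yield from values
        yield body


def flag_request(request, expected_hosts=EXPECTED_HOSTS):
    """Return a finding if the request carries a mnemonic-like string to a host
    outside the allowlist, otherwise None."""
    host = urlparse(request["url"]).hostname or ""
    if host in expected_hosts:
        return None
    for s in candidate_strings(request):
        if looks_like_mnemonic(s):
            return {"host": host, "words": len(s.split())}
    return None


def scan(requests, expected_hosts=EXPECTED_HOSTS):
    """Run flag_request over a list of recorded requests, keeping the hits."""
    return [f for f in (flag_request(r, expected_hosts) for r in requests) if f]


# Constructed sample traffic, as an egress proxy might record it during the
# wallet-creation flow. None of these hosts or payloads are real.
SAMPLE_REQUESTS = [
    {"url": "https://rpc.example-node.test/",
     "body": '{"jsonrpc":"2.0","method":"eth_blockNumber","id":1}'},
    {"url": "https://collector.attacker.test/report",
     "body": '{"app":"wallet","seed":"abandon ability able about above absent '
             'absorb abstract absurd abuse access accident"}'},
    {"url": "https://tracking.example-cdn.test/px?e=open&v=1.2.3", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"seed-like payload ({finding['words']} words) sent to {finding['host']}")
```

This only catches a seed sent in the clear. A clone that obfuscates its code, as the report says Seaflower does, can just as easily encode or encrypt the phrase before sending it, so treat a clean result as inconclusive and a hit as grounds for pulling the binary apart.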

The experts also made a series of recommendations for keeping wallet apps on devices secure. Since these backdoored applications are only being distributed outside app stores, Confiant advises users to install wallet apps only from the official stores on Android and iOS.
