Security Experts Blast Top of Mobile Wallet App Scam Targeting Chinese Users

Cybersecurity researchers from Slovakian cybersecurity firm ESET have peeled back the layers of a sophisticated cryptocurrency scam targeting Chinese users.

Scammers have created counterfeit legitimate Android and iOS digital wallet apps to redirect cryptocurrency funds. “These malicious apps were able to steal victims’ passphrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket or OneKey,” reported Lukáš Štefanko, senior researcher at Slovak cybersecurity firm ESET. Trojan apps targeted Android users without a genuine app. On the other hand, iOS users might have installed genuine and counterfeit apps.

Counterfeit wallet services were promoted through fake wallet websites targeting Chinese users and recruiting intermediaries through Telegram and Facebook groups to trick visitors into downloading the app.

When did it start?

Investigations beginning in May 2021 uncovered a single criminal group as individuals responsible for creating “Trojan horse” wallet services that copied the functionality of the original apps, incorporating malicious code responsible for redirecting assets cryptographic. The malicious code was injected into the app in places that would escape a superficial examination.

“These malicious applications also pose another threat to victims, as some of them send victims’ passphrases to the attackers’ server using an insecure HTTP connection,” Štefanko said. This presents a secondary threat since other criminals listening to this insecure link could steal the key phrases.

Hacking can spread, warns expert

ESET found several groups promoting the Trojan apps on Telegram, the messaging app and sharing them on 56 Facebook groups. All communication on Telegram groups was in Chinese. People promoting these apps were promised a 50% cut of stolen crypto.

The fake iOS apps were not available on Apple’s App Store but rather via malicious sites and used configuration profiles not authorized by Apple. Thirteen fake Android apps posing as Jaxx Liberty Wallet on the Google Play Store were removed from the market in January 2022, not before being installed more than 1,000 times. Štefanko said the apps attempted to steal the user’s recovery seed phrase and then forwarded it to a server or Telegram group.

ESET warns users of the possibility that the hack affects other parts of society. “Furthermore, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.

What do you think of this subject? Write to us and tell us!


All information contained on our website is published in good faith and for general information purposes only. Any action the reader takes on the information found on our website is strictly at their own risk.

Casey J. Nelson