On January 8, 2019, we saw the first instance of “clipper malware” on the Google Play store. It disguised itself as an innocent app to fool people into downloading it, then began redirecting cryptocurrency funds to the malware’s author.
But what is clipper malware, how does it work, and how can you avoid an attack?
What Is Clipper Malware?
Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is like the cryptocurrency version of a bank account number. If you want someone to pay you in cryptocurrency, you give them your wallet address and the payee enters it into their payment details.
Clipper malware hijacks a cryptocurrency transaction by swapping a wallet address with one owned by the malware author. When the user goes to make a payment from their cryptocurrency account, they end up paying the malware author instead of their intended recipient.
This can cause some serious financial damage if the malware manages to hijack a high-value transaction.
How Clipper Malware Works
Clipper malware performs this swap by monitoring the clipboard of the infected device, where copied data is stored. Every time the user copies data, the clipper checks it to see if it contains any cryptocurrency wallet addresses. If it does, the malware swaps it out with the malware author’s address.
Now, when the user goes to paste the address, they’ll end up pasting the hijacked address instead of the legitimate one.
Clipper malware exploits the complicated nature of wallet addresses. These are long strings of numbers and letters that are seemingly chosen at random. Unless a user has used a wallet address multiple times, there’s very little chance that they’ll notice that it’s been swapped.
Even worse, their complexity means people are far more likely to copy and paste the address—exactly what the clipper malware wants!
How Long Has It Been Around?
Clipper malware, by itself, is nothing new. It entered the scene around 2017, and mainly focused on Windows-based machines. Since then, clipper malware for Android has been developed and sold on the black market, and infected apps could be found on shady sites.
Such sites were the staging ground for the 2016 Gooligan malware, which infected 1 million devices.
This is the first instance of an app on the official Google Play store being infected with clipper malware. Successfully uploading an infected app to the official store is every malware distributor’s dream scenario. An app on the Google Play store carries a certain air of authenticity, making it more trustworthy than apps found on a random website.
This means people typically download and install apps from the store without question, which is exactly what malware authors want.
Which Apps Contained Clipper Malware?
The first Android cryptocurrency clipboard exchanger found on Google Play.
Its goal is to change the copied address of the recipient's cryptocurrency wallet to the attacker's.
— Lukas Stefanko (@LukasStefanko) February 8, 2019
The clipper malware was hidden inside an app calling itself MetaMask. MetaMask is a real service that enables browser-based distributed applications for the cryptocurrency Ethereum. MetaMask doesn’t have an official Android app yet, so the malware authors capitalized on this to make people think it did.
This phony MetaMask app did more than swap out cryptocurrency addresses in the clipboard. It also asked for the user’s Ethereum details as part of a fake account set-up. Once the unsuspecting user had entered the details, the malware authors had all the information they needed to log into the account and drain it for themselves.
Fortunately, a security firm discovered the clipper malware before it did too much damage. The fake MetaMask app was uploaded on February 1st 2019, and was reported and removed just over a week later.
The Rise in Cryptocurrency Attacks
While this attack vector is new, it doesn’t come as too much of a surprise. Cryptocurrencies are very big business these days, and with that comes the potential to make a large amount of money. While most people are satisfied with making money via legal means, there will always be some who seek to exploit others instead.
Cryptojackers are a favorite of malware authors around the globe. These hijack a device’s processor to make it mine cryptocurrency for the author, preferably without the end-user even noticing.
Much like this clipper malware example, security firms found cryptojackers infecting apps on the Google Play store. As such, this may be just the start of cryptocurrency-based malware attacking users on Android phones.
How to Avoid a Clipper Malware Attack
This may sound very scary, but avoiding a clipper malware attack is quite simple. Clipper malware depends on the user being ignorant of its existence and ignoring the warning signs. Learning about how clipper malware works is a big step toward defeating it. By reading this article, you’ve already done 90 percent of the work!
First, always make sure you download apps from the Google Play store. While Google Play is not perfect, it’s a lot safer than shady sites on the internet. Try to avoid sites that act as a ‘third-party store’ for Android, as these are far more likely to contain malware than Google Play.
When downloading apps on Google Play, double-check the app’s total downloads before installing. If an app hasn’t been around for long and has a low download count, downloading it could be risky. Likewise, if the app claims it’s the mobile version of a popular service, double-check the developer name.
If the name differs (even slightly) from the official developer’s name, it’s a big warning sign that something is wrong.
Even if your phone does get infected with clipper malware, you can avoid an attack by being careful. Double-check any wallet address that you paste to ensure it hasn’t changed mid-way through. If the address you paste is different from the one you copied, clipper malware is lurking on your system.
Do a full virus scan and delete any shady apps you may have installed recently.
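The check described above (compare the address you copied with the one that actually lands in the paste) can be automated by a wallet app or a clipboard monitor. The following is an added example, not code from the original article or from any wallet project: it recognises wallet-shaped strings (illustrative Bitcoin and Ethereum patterns, assumed and not exhaustive) and reports when the clipboard contents at paste time contain a different address of the same kind than what the user copied, which is exactly the symptom a clipper produces. All sample addresses are constructed.

```python
import re

# Illustrative address patterns (assumption: not an exhaustive list of formats).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[a-z0-9]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_addresses(text):
    """Return (kind, address) for every wallet-looking string in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def detect_clipboard_swap(copied, pasted):
    """Compare what the user copied with what the clipboard holds at paste time.

    Returns a list of (original, replacement) pairs for each address that
    went missing and was replaced by a different address of the same kind.
    An empty list means the clipboard is unchanged or no address was swapped.
    """
    if copied == pasted:
        return []
    before = find_addresses(copied)
    after = find_addresses(pasted)
    before_set = {addr for _, addr in before}
    after_set = {addr for _, addr in after}
    swaps = []
    for kind, addr in before:
        if addr in after_set:
            continue  # still present, so nothing was substituted
        # A same-kind address that was not in the copied text is the substitute.
        candidates = [a for k, a in after if k == kind and a not in before_set]
        swaps.append((addr, candidates[0] if candidates else None))
    return swaps


if __name__ == "__main__":
    # Constructed sample: the user copies one Ethereum address, the clipboard
    # now holds a different one in the same position.
    copied = "Send 0.5 ETH to 0x" + "1" * 40
    pasted = "Send 0.5 ETH to 0x" + "2" * 40
    print(detect_clipboard_swap(copied, pasted))
```

A real monitor would snapshot the clipboard on copy (or on the wallet's own "copy address" button) and run the comparison just before the paste is committed to a transaction.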
Clipping the Wings of Clipper Malware
Clipper malware can be devastating for anyone who handles large amounts of cryptocurrency. The complicated nature of wallet addresses, combined with a typical user’s tendency to copy and paste, gives clipper malware a window of opportunity to strike.
Many people may not even realize what they’re doing until it’s too late!
Fortunately, defeating clipper malware is simple. Never download suspicious apps, and double-check all wallet addresses before confirming a transaction.