Cybercriminals in search of fast money have taken to the Google Play Store in hopes of misdirecting transfers made on Android smartphones, according to research from security firm ESET.

The malware–since removed from Google Play Store–impersonates the legitimate MetaMask service. When installed, it silently replaces online cryptocurrency wallet addresses copied to the system clipboard to one controlled by the criminals who created the malware, as well as steals credentials to gain control over the victim’s Ethereum funds.

SEE: Hiring kit: Android developer (Tech Pro Research)

This attack style is effective, as cryptocurrency wallet IDs rely on strings of random characters which are time consuming or otherwise impractical to type manually.

According to ESET, the fake MetaMask app was uploaded on February 1, with Google removing it shortly after discovery. The real MetaMask is used to run Ethereum-based decentralized apps in a browser, but MetaMask does not offer a mobile app.

This is not the first time Clipper malware variants have been spotted, though it is the first time they have been found in the Google Play Store. Clipper payloads have been available on Dark Web marketplaces since at least August 2018, appearing periodically in what ESET characterizes as “several shady app stores” for Android. Variants of clipper first appeared in 2017 on Windows.

How to avoid clippers and other Android malware

Avoiding Android malware is relatively straightforward for informed consumers. Using only the official Google Play Store to download apps is a great first defense in most cases. Using other app stores requires explicitly disabling a security setting in Android. This can leave your device vulnerable.

That said, in cases like this where cybercriminals have permeated the Google Play Store, it is important to check the publisher’s website to ensure the app is genuine. In the case of MetaMask, as there is no Android (or iOS) version, that should be taken as a sign that the app is not genuine.

When copying and pasting account information, ensure that the pasted data matches the copied data, to prevent from falling victim to Clipper-style attacks.

Additionally, using a mobile security application can also protect you from malware and viruses.

The big takeaways for tech leaders:

  • Clipper malware was discovered in the Google Play Store for the first time, altering clipboard data when users copy and paste cryptocurrency wallet strings.
  • The real MetaMask is used to run Ethereum-based decentralized apps in a browser, but MetaMask does not offer a mobile app.