The compromised apps acted as a cover for the extremely intrusive ElectroRAT malware, researchers said
Researchers at security firm Intezer Labs have discovered at least three cryptocurrency-related apps that were part of a year-long malware operation aimed at stealing crypto directly from users’ wallets. Two of the three apps, Jamm and eTrade/Kintum, are bogus trading apps, while the third, DaoPoker, lures users with its gambling theme.
Sky-rocketing crypto prices have drawn significant attention from new investors, and with it heightened activity from hackers and other malicious actors seeking financial gain. The researchers report that the malware, which targeted crypto users through several fake apps, had been distributed for about a year before it was detected last month.
Dubbed ElectroRAT, the new remote access trojan (RAT) has been used to steal cryptocurrency from the wallets of thousands of Windows, macOS and Linux users, the report added.
The fake apps were hosted on their own websites and acted as a cover for the extremely intrusive ElectroRAT malware, the report said. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console”, it explained.
Once downloaded and launched, the trojanized app presents a working foreground user interface so that the victim has no reason to suspect the malicious processes running in the background. The apps lured in victims by actively promoting themselves on social media platforms including Twitter and Telegram, and were also endorsed on cryptocurrency forums such as Bitcointalk.
The year-old campaign had already infected “thousands of victims” before it was discovered. The security firm added that it found evidence that some victims of the fake apps were using MetaMask and other popular crypto wallets.
Explaining how the phoney apps managed to stay undetected for so long, Intezer noted that the malware was written in Golang, a multi-platform programming language, which it said made the RAT harder to detect. It added that it is also unusual for a RAT designed to steal sensitive personal information from crypto users to be written from scratch.
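Because the report singles out the Go toolchain as part of why the RAT went unnoticed, a practitioner triaging a suspicious wallet or trading app will first want to know whether the sample is a Go binary at all. The following is an added example, not code from Intezer’s report and not tied to ElectroRAT’s actual samples: it checks a file for the strings the Go linker and runtime normally leave in unstripped builds. The marker list, the regex and the two sample byte strings are constructed for illustration.

```python
"""Triage heuristic: does a binary look Go-compiled?

Added example (not from Intezer's ElectroRAT report). It does not identify
ElectroRAT; it only flags that a sample was built with the Go toolchain,
which matters because Go binaries are large, statically linked and look
unlike the C/C++ malware most signatures are tuned for.
"""
import re

# Strings the Go linker/runtime typically embed in unstripped binaries.
# (Constructed list for this example; hardened or obfuscated builds may
# remove some of them, so absence is not proof of a non-Go binary.)
GO_MARKERS = (
    b"Go build ID:",   # build-id note written by the Go linker
    b".gopclntab",     # pc/line table section name (ELF/Mach-O/PE)
    b"runtime.main",   # entry symbol of the Go runtime
    b"go.buildid",     # build-id section name on some targets
)
# Toolchain version string such as "go1.15.6" kept by the runtime.
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")


def go_markers(data: bytes) -> dict:
    """Return which markers are present and the Go version string, if any."""
    found = [m.decode() for m in GO_MARKERS if m in data]
    match = GO_VERSION_RE.search(data)
    return {
        "markers": found,
        "go_version": match.group(0).decode() if match else None,
    }


def looks_like_go_binary(data: bytes, min_markers: int = 2) -> bool:
    """Heuristic verdict: several distinct markers, or one marker plus a
    version string. A single hit alone is treated as inconclusive."""
    info = go_markers(data)
    if len(info["markers"]) >= min_markers:
        return True
    return bool(info["markers"]) and info["go_version"] is not None


def scan_file(path: str) -> dict:
    """Run the heuristic over a file on disk and return the verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = go_markers(data)
    info["is_go"] = looks_like_go_binary(data)
    return info


# Constructed sample contents standing in for two files (not real malware).
SAMPLE_GO = (b"\x7fELF" + b"\x00" * 16
             + b"Go build ID: \"abc\"\x00.gopclntab\x00runtime.main\x00go1.15.6\x00")
SAMPLE_C = (b"\x7fELF" + b"\x00" * 16
            + b"GCC: (GNU) 10.2.0\x00.text\x00main\x00")

if __name__ == "__main__":
    for name, blob in (("sample_go", SAMPLE_GO), ("sample_c", SAMPLE_C)):
        info = go_markers(blob)
        print(name, "go" if looks_like_go_binary(blob) else "not-go", info)
```

A positive hit is a prompt to look further (string tables, embedded package paths, network behaviour), not a verdict on maliciousness; plenty of legitimate wallet tooling is written in Go. If the Go toolchain is installed, `go version <file>` reports the same version string authoritatively for unstripped binaries.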
“It is even rarer to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media”, the researchers added.
The issue of fake apps conning crypto users is not new. In 2020, several cases were reported in which thousands of customers were duped by fake versions of legitimate apps and browser extensions such as MetaMask or Ledger.