Hackers Are Using Clipper Malware to Steal Bitcoin from Users

A security expert Lukas Stefanko, announced in February that hackers are using apps concealed as legitimate cryptocurrency apps to steal coins of users.

In a blog post titled “First Clipper Malware discovered on Google Play” the researcher stated that the clipper malware takes advantage of the process of copying and pasting a public address to change the payment destination to that of the hacker.

In a related post, a BitcoinTalk user stated that the malware changes the address to an address owned by the hacker after the user had selected a Bitcoin address, and pressed CTRL-C to copy it. They lose the fund they send when they press CTRL-V (paste) because unknown to them, the malware has already changed the address to that of the fraudster.

According to them,

“Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won’t notice the address was changed.”

Highlighting on the clipper malware, Stefanko said,

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.”

He said that even though this is a relatively new malware, its rate of proliferation is a cause for concern and that even prominent software hosting sites such as download.cnet.com has been found to harbor apps injected with it.

The clipper found at the Google Play Store was designed to impersonate MetaMask. Users who downloaded this app would be at risk of having their ether stolen.

A Victim’s Experience

Here’s the experience of a victim of the Clipper hack which has been edited because he’s not a native English speaker.

“I felt something weird like 3 hours ago when my friend sent me his bitcoin wallet to send him around $1k for his services, so what I did, I came online [and] quickly copied his Bitcoin address quickly pasted it in the blockchain send form, wrote 1000, then I hit send from then I went offline I came back He was like ‘nothing was received’ I checked his bitcoin address and nothing was there, I checked my online wallet and I found out that it was sent to a different Bitcoin address with the same first words 9characters)!
“14wEFYsvqiTDXA6ru9rV6xiS1gkxHTioVy” the address I wanted to send to, I’m sure I copied & pasted it I am 100% sure now I see that the bitcoins are sent to different wallet which “14wEycrQ2eb1DAbh51z4oQ3AYCA12Qeitm” Now the bitcoins are lost, because the guy claims it’s not his address.”

How To Avoid Clipper Malware

On how to prevent this, security experts say that cryptocurrency users should always check the entire string of wallet address before hitting the send button. This means checking every character in the address to make sure that there is no difference between the address on the wallet and the one the intended recipient sent.

They also warned about using Windows software and recommended Linux. Advising a victim of the hack, Jet Cash wrote:

“Don’t reinstall your OS – switch to Linux. Mint is fairly close to Windows if you are not familiar with Linux.
Windows 10 includes Cortana, which cannot be removed. This is a keyboard logger ( amongst other things ), and stores all of your info and communications in the Microsoft cloud.”

Other preventive measures suggested include manually typing some of the characters of the address and double-checking to make sure that there is no mistake.

Aside double-checking every step of the transaction and avoid downloading apps from sources other than the official Google Play store, Stefanko advised regular update of Android devices and the use of mobile security applications. It is also important that users of apps check to see that the official website of the developer is linked. Absence of this should be a red sign that they’re dealing with possible malicious players.

Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select “yKxQKXtMc” from the pasted address, then press CTRL-C. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!

I’ll add o_e_l_e_o’s suggestion here:

“Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two address physically right next to each other. Once you have two addresses which are less than inch apart, it’s very easy to check the entire address and not just a few characters at the start or end.”

-LoyceV BTT user


Author: Jofor Humani

Jofor is a crypto journalist with passion for investigative review of projects with the aim to determine the authenticity of their claims.

Leave a Reply