Friday, April 19, 2024

Chinese Hackers Install Backdoors in iOS/Android Web3 Wallets

A highly sophisticated threat actor has been observed targeting Android and iOS users in an attempt to spread backdoored apps filled with malicious code designed to drain users’ funds.

Digital advertising security company Confiant has uncovered and reported on this previously unreported campaign, which it has dubbed SeaFlower.

This malicious campaign is replicated from websites that mimic the official or legit cryptocurrency wallet websites (Web3 wallets).

Apps Targeted

At the moment the hackers are targeting primarily iOS and Android apps like:-

  • Coinbase Wallet
  • MetaMask Wallet
  • TokenPocket
  • imToken

Modus operandi

There is no evidence of a compromise of these apps by the attackers, instead, they create malicious versions of these apps that include their own backdoors. 

Malicious versions of these wallet apps combine the wallet’s legitimate functionalities with the functionality of stealing a user’s seed phrase through which they can then leverage the stolen cryptocurrency of their victims.

A cluster of activity involving SeaFlower was first discovered in March 2022. While the following things that we have mentioned below are the indicators that helped the security experts with detection:-

  • macOS usernames
  • Original code comments within the backdoor
  • Misuse of Alibaba’s CDN

In the past few months, the attackers have created websites in order to distribute fake applications. They have created clones of the legit website of the app they are trying to distribute.

Apart from this, Baidu and other Chinese search engines are primarily targeted in an attempt to lure potential victims to this site with search engine poisoning.

Further Analysis

In addition to targeting iOS users, the malicious action targets them by exploiting the provisioning profiles of iOS devices. In short, SeaFlower uses provisioning profiles when it comes to iOS. 

Aside from being sideloaded on the victim’s device, the iOS apps of the malware are also installed on it. Moreover, Apple has already revoked the developer IDs associated with these profiles after Confiant informed it about them. 

In this particular case, the investigation has revealed that this malicious campaign has been carried out by the Chinese threat actors due to a variety of factors. While here below we have mentioned the key factors that indicate the threat actors behind this campaign are Chinese threat actors:- 

  • Use of Chinese names as usernames
  • Chinese Source code comments
  • Abuse of legit Chinese search engines
  • Use of Chinese infrastructure

There is increasing attention paid by threat actors to Web3 platforms, as this revelation shows how increasingly they are using them as attack targets. By doing so, the threat actors will be able to deceitfully transfer virtual funds and steal sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale...

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles