Friday, December 6, 2024
HomeCyber Security NewsChinese Hackers Install Backdoors in iOS/Android Web3 Wallets

Chinese Hackers Install Backdoors in iOS/Android Web3 Wallets

Published on

SIEM as a Service

A highly sophisticated threat actor has been observed targeting Android and iOS users in an attempt to spread backdoored apps filled with malicious code designed to drain users’ funds.

Digital advertising security company Confiant has uncovered and reported on this previously unreported campaign, which it has dubbed SeaFlower.

This malicious campaign is replicated from websites that mimic the official or legit cryptocurrency wallet websites (Web3 wallets).

- Advertisement - SIEM as a Service

Apps Targeted

At the moment the hackers are targeting primarily iOS and Android apps like:-

  • Coinbase Wallet
  • MetaMask Wallet
  • TokenPocket
  • imToken

Modus operandi

There is no evidence of a compromise of these apps by the attackers, instead, they create malicious versions of these apps that include their own backdoors. 

Malicious versions of these wallet apps combine the wallet’s legitimate functionalities with the functionality of stealing a user’s seed phrase through which they can then leverage the stolen cryptocurrency of their victims.

A cluster of activity involving SeaFlower was first discovered in March 2022. While the following things that we have mentioned below are the indicators that helped the security experts with detection:-

  • macOS usernames
  • Original code comments within the backdoor
  • Misuse of Alibaba’s CDN

In the past few months, the attackers have created websites in order to distribute fake applications. They have created clones of the legit website of the app they are trying to distribute.

Apart from this, Baidu and other Chinese search engines are primarily targeted in an attempt to lure potential victims to this site with search engine poisoning.

Further Analysis

In addition to targeting iOS users, the malicious action targets them by exploiting the provisioning profiles of iOS devices. In short, SeaFlower uses provisioning profiles when it comes to iOS. 

Aside from being sideloaded on the victim’s device, the iOS apps of the malware are also installed on it. Moreover, Apple has already revoked the developer IDs associated with these profiles after Confiant informed it about them. 

In this particular case, the investigation has revealed that this malicious campaign has been carried out by the Chinese threat actors due to a variety of factors. While here below we have mentioned the key factors that indicate the threat actors behind this campaign are Chinese threat actors:- 

  • Use of Chinese names as usernames
  • Chinese Source code comments
  • Abuse of legit Chinese search engines
  • Use of Chinese infrastructure

There is increasing attention paid by threat actors to Web3 platforms, as this revelation shows how increasingly they are using them as attack targets. By doing so, the threat actors will be able to deceitfully transfer virtual funds and steal sensitive information.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...