Thursday, April 17, 2025
HomeCyber Security NewsChinese Hackers Install Backdoors in iOS/Android Web3 Wallets

Chinese Hackers Install Backdoors in iOS/Android Web3 Wallets

Published on

SIEM as a Service

Follow Us on Google News

A highly sophisticated threat actor has been observed targeting Android and iOS users in an attempt to spread backdoored apps filled with malicious code designed to drain users’ funds.

Digital advertising security company Confiant has uncovered and reported on this previously unreported campaign, which it has dubbed SeaFlower.

This malicious campaign is replicated from websites that mimic the official or legit cryptocurrency wallet websites (Web3 wallets).

- Advertisement - Google News

Apps Targeted

At the moment the hackers are targeting primarily iOS and Android apps like:-

  • Coinbase Wallet
  • MetaMask Wallet
  • TokenPocket
  • imToken

Modus operandi

There is no evidence of a compromise of these apps by the attackers, instead, they create malicious versions of these apps that include their own backdoors. 

Malicious versions of these wallet apps combine the wallet’s legitimate functionalities with the functionality of stealing a user’s seed phrase through which they can then leverage the stolen cryptocurrency of their victims.

A cluster of activity involving SeaFlower was first discovered in March 2022. While the following things that we have mentioned below are the indicators that helped the security experts with detection:-

  • macOS usernames
  • Original code comments within the backdoor
  • Misuse of Alibaba’s CDN

In the past few months, the attackers have created websites in order to distribute fake applications. They have created clones of the legit website of the app they are trying to distribute.

Apart from this, Baidu and other Chinese search engines are primarily targeted in an attempt to lure potential victims to this site with search engine poisoning.

Further Analysis

In addition to targeting iOS users, the malicious action targets them by exploiting the provisioning profiles of iOS devices. In short, SeaFlower uses provisioning profiles when it comes to iOS. 

Aside from being sideloaded on the victim’s device, the iOS apps of the malware are also installed on it. Moreover, Apple has already revoked the developer IDs associated with these profiles after Confiant informed it about them. 

In this particular case, the investigation has revealed that this malicious campaign has been carried out by the Chinese threat actors due to a variety of factors. While here below we have mentioned the key factors that indicate the threat actors behind this campaign are Chinese threat actors:- 

  • Use of Chinese names as usernames
  • Chinese Source code comments
  • Abuse of legit Chinese search engines
  • Use of Chinese infrastructure

There is increasing attention paid by threat actors to Web3 platforms, as this revelation shows how increasingly they are using them as attack targets. By doing so, the threat actors will be able to deceitfully transfer virtual funds and steal sensitive information.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Managing Burnout in the SOC – What CISOs Can Do

The Security Operations Center (SOC) is the nerve center of modern cybersecurity, responsible for...

The Future of Cybersecurity Talent – Trends and Opportunities

The cybersecurity landscape is transforming rapidly, driven by evolving threats, technological advancements, and a...

Mobile Security – Emerging Risks in the BYOD Era

The rise of Bring Your Own Device (BYOD) policies has revolutionized workplace flexibility, enabling...

Model Context Protocol Flaw Allows Attackers to Compromise Victim Systems

A critical vulnerability in the widely adopted Model Context Protocol (MCP), an open standard...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

The Future of Cybersecurity Talent – Trends and Opportunities

The cybersecurity landscape is transforming rapidly, driven by evolving threats, technological advancements, and a...

Mobile Security – Emerging Risks in the BYOD Era

The rise of Bring Your Own Device (BYOD) policies has revolutionized workplace flexibility, enabling...

Model Context Protocol Flaw Allows Attackers to Compromise Victim Systems

A critical vulnerability in the widely adopted Model Context Protocol (MCP), an open standard...