A highly sophisticated threat actor has been observed targeting Android and iOS users in an attempt to spread backdoored apps filled with malicious code designed to drain users’ funds.
Digital advertising security company Confiant has uncovered and reported on this previously unreported campaign, which it has dubbed SeaFlower.
This malicious campaign is replicated from websites that mimic the official or legit cryptocurrency wallet websites (Web3 wallets).
At the moment the hackers are targeting primarily iOS and Android apps like:-
There is no evidence of a compromise of these apps by the attackers, instead, they create malicious versions of these apps that include their own backdoors.
Malicious versions of these wallet apps combine the wallet’s legitimate functionalities with the functionality of stealing a user’s seed phrase through which they can then leverage the stolen cryptocurrency of their victims.
A cluster of activity involving SeaFlower was first discovered in March 2022. While the following things that we have mentioned below are the indicators that helped the security experts with detection:-
In the past few months, the attackers have created websites in order to distribute fake applications. They have created clones of the legit website of the app they are trying to distribute.
Apart from this, Baidu and other Chinese search engines are primarily targeted in an attempt to lure potential victims to this site with search engine poisoning.
In addition to targeting iOS users, the malicious action targets them by exploiting the provisioning profiles of iOS devices. In short, SeaFlower uses provisioning profiles when it comes to iOS.
Aside from being sideloaded on the victim’s device, the iOS apps of the malware are also installed on it. Moreover, Apple has already revoked the developer IDs associated with these profiles after Confiant informed it about them.
In this particular case, the investigation has revealed that this malicious campaign has been carried out by the Chinese threat actors due to a variety of factors. While here below we have mentioned the key factors that indicate the threat actors behind this campaign are Chinese threat actors:-
There is increasing attention paid by threat actors to Web3 platforms, as this revelation shows how increasingly they are using them as attack targets. By doing so, the threat actors will be able to deceitfully transfer virtual funds and steal sensitive information.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing two…
Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which…
A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…