Clipper malware was found on Google Play in February 2019. The malware monitors the clipboard and replaces its contents with values chosen by the attackers. During a cryptocurrency transaction, a user who copies a wallet address can unknowingly paste an address owned by the attackers instead.
Cryptocurrency wallet addresses are long strings of characters because they are derived from cryptographic keys. As a result, people copy and paste them rather than typing them in, and clipper malware exploits exactly this habit. The malware disguised itself as an innocent app to fool people into installing it, then began redirecting cryptocurrency funds to its author.
This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, ESET researchers discovered a malicious clipper on Google Play, the official Android app store.
Although relatively new, cryptocurrency theft that relies on altering the clipboard's contents is already an established malware category. ESET researchers even discovered a clipper hosted on download.cnet.com, one of the most popular software-hosting sites in the world. In August 2018, the first Android clipper was discovered being sold on underground hacking forums. Since then, this malware has been detected in several shady app stores.
But what is clipper malware, how does it work, and how can you avoid an attack? This article answers these questions.
What Is Clipper Malware?
Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is the cryptocurrency equivalent of a bank account number. If you want someone to pay you in cryptocurrency, you give them your wallet address and the payer enters it into their payment details.
Clipper malware hijacks a cryptocurrency transaction by swapping a wallet address with one owned by the malware author. When the user goes to make a payment from their cryptocurrency account, they end up paying the malware author instead of their intended recipient.
This can cause some serious financial damage if the malware manages to hijack a high-value transaction.
How Does It Work?
Clipper malware performs this swap by monitoring the clipboard of the infected device, where copied data is stored. Every time the user copies data, the clipper checks it to see if it contains any cryptocurrency wallet addresses. If it does, the malware swaps it out with the malware author’s address.
Now, when the user goes to paste the address, they will end up pasting the hijacked address instead of the legitimate one.
Clipper malware exploits the complicated nature of wallet addresses. These are long strings of numbers and letters that are seemingly chosen at random. Unless a user has used a wallet address multiple times, there is very little chance that they will notice that it has been swapped.
Even worse, that complexity means people are far more likely to copy and paste the address rather than type it, which is exactly what clipper malware wants.
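As an added example (not code from the original article, and not the malware's own code), the following Python script simulates the swap described above on a constructed invoice message, and also shows the check this article recommends later: compare the address you actually pasted against the address shown by its source. The regular expressions, the placeholder attacker addresses and the sample message are assumptions made for the illustration; a real clipper would hook the Android clipboard instead of operating on a string.

```python
import re

# Regular expressions for the address formats a clipper typically keys on.
# These are format checks only: a string that matches is not necessarily a
# valid address, and a valid address is not necessarily the one you intended.
ADDRESS_PATTERNS = {
    # Bitcoin: legacy base58 (starts with 1 or 3) or bech32 (starts with bc1)
    "btc": re.compile(
        r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{25,87})\b"
    ),
    # Ethereum: 0x followed by 40 hex digits
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Attacker-controlled addresses, constructed for this example (not real ones).
ATTACKER_ADDRESSES = {
    "btc": "1AttackerAddr" + "X" * 21,
    "eth": "0x" + "deadbeef" * 5,
}


def find_addresses(text):
    """Return (coin, address) pairs found in text, in order of appearance."""
    hits = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), coin, match.group(0)))
    return [(coin, addr) for _, coin, addr in sorted(hits)]


def clipper_swap(clipboard_text, attacker_addresses):
    """Simulate the clipper's clipboard handler: every recognised address is
    replaced with the attacker's address for the same coin; everything else is
    left untouched so the clipboard still looks normal to the user."""
    swapped = clipboard_text
    for coin, pattern in ADDRESS_PATTERNS.items():
        if coin in attacker_addresses:
            swapped = pattern.sub(lambda _m, a=attacker_addresses[coin]: a, swapped)
    return swapped


def verify_paste(source_text, pasted_text):
    """Compare the address as shown by its source (the recipient's message or
    web page) with what actually landed in the payment form.

    The comparison must be against the source, not the clipboard: the clipper
    rewrites the clipboard at copy time, so clipboard and paste always agree.
    Returns ("ok", []), ("no_address", []) or ("swapped", [(expected, got), ...]).
    """
    expected = find_addresses(source_text)
    got = find_addresses(pasted_text)
    if not expected:
        return ("no_address", [])
    if expected == got:
        return ("ok", [])
    mismatches = [(e, g) for e, g in zip(expected, got) if e != g]
    return ("swapped", mismatches or [(expected, got)])


if __name__ == "__main__":
    # Constructed sample: an invoice message the victim copies from a chat.
    invoice = ("Please send 0.5 BTC to bc1q" + "x" * 38
               + " and 2 ETH to 0x" + "ab" * 20 + ".")
    on_clipboard = clipper_swap(invoice, ATTACKER_ADDRESSES)
    print("source :", invoice)
    print("pasted :", on_clipboard)
    print("verdict:", verify_paste(invoice, on_clipboard))
```

The swap leaves the surrounding text intact, so nothing about the pasted message looks wrong at a glance; only a character-by-character comparison of the whole address against the source reveals it.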
How Long Has It Been Around?
Clipper malware, by itself, is nothing new. It entered the scene around 2017, and mainly focused on Windows-based machines. Since then, clipper malware for Android has been developed and sold on the black market, and infected apps could be found on shady sites.
Such sites were the staging ground for the 2016 Gooligan malware, which infected 1 million devices.
The February 2019 discovery is the first known instance of an app on the official Google Play store carrying clipper malware. Successfully uploading an infected app to the official store is every malware distributor's dream scenario. An app on the Google Play store carries a certain air of authenticity, making it more trustworthy than apps found on a random website.
This means people typically download and install apps from the store without question, which is exactly what malware authors want.
Which Apps Contained Clipper Malware?
The clipper malware was hidden in an app impersonating MetaMask, a real service that lets browsers interact with decentralised applications on the Ethereum blockchain. At the time, MetaMask had no official Android app, and the malware authors capitalized on this to make people believe one existed.
This phony MetaMask app did more than swap out cryptocurrency addresses in the clipboard. It also asked for the user's Ethereum wallet credentials as part of a fake account set-up. Once an unsuspecting user had entered them, the malware authors had everything they needed to access the wallet and drain it.
Fortunately, ESET discovered the clipper before it did too much damage. The fake MetaMask app was uploaded on February 1, 2019, and was reported and removed just over a week later.
The Rise in Cryptocurrency Attacks
While clipper malware on Google Play is new, it doesn't come as too much of a surprise. Cryptocurrencies are very big business these days, and with that comes the potential to make a large amount of money. While most people are satisfied with making money by legal means, there will always be some who seek to exploit others instead.
Cryptojackers are a favorite of malware authors around the globe. These hijack a device’s processor to make it mine cryptocurrency for the author, preferably without the end-user even noticing.
Much like this clipper malware example, security firms found cryptojackers infecting apps on the Google Play store. As such, this may be just the start of cryptocurrency-based malware attacking users on Android phones.
How to Avoid a Clipper Malware Attack?
This may sound very scary, but avoiding a clipper malware attack is quite simple. Clipper malware depends on the user being unaware of its existence and ignoring the warning signs. Knowing how clipper malware works is most of the battle, so by reading this article you have already done the bulk of the work.
First, only download apps from the Google Play store. While Google Play is not perfect (this article is about a case where it failed), it's a lot safer than shady sites on the internet. Avoid sites that act as a "third-party store" for Android, as these are far more likely to carry malware than Google Play.
When downloading apps from Google Play, double-check the app's total downloads before installing. If an app hasn't been around for long and has a low download count, installing it carries more risk. Likewise, if the app claims to be the mobile version of a popular service, double-check the developer name.
If the name differs (even slightly) from the official developer's name, that is a big warning sign that something is wrong.
Even if your phone does get infected with clipper malware, you can avoid an attack by being careful. Double-check any wallet address you paste against the place you copied it from (the recipient's message or web page), comparing the entire string rather than just the first few characters. Comparing against the clipboard itself is not enough, because the clipper rewrites the clipboard at copy time. If the address you pasted differs from the one at the source, clipper malware is lurking on your device: run a full malware scan and remove any suspicious apps you have installed recently.
To stay safe from clippers and other Android malware, we advise you to:
- Keep your Android device updated and use a reliable mobile security solution.
- Stick to the official Google Play store when downloading apps.
- However, always check the official website of the app developer or service provider for a link to the official app. If there is none, treat that as a red flag and be extremely cautious about any result of your Google Play search.
- Double-check every step in all transactions that involve anything valuable, from sensitive information to money. When using the clipboard, always check if what you pasted is what you intended to enter.
The Bottom Line
Clipper malware can be devastating for anyone who handles large amounts of cryptocurrency. The complicated nature of wallet addresses, combined with a typical user’s tendency to copy and paste, gives clipper malware a window of opportunity to strike.
Many people may not even realize what they are doing until it is too late!
Fortunately, defeating clipper malware is simple. Never install suspicious apps, and double-check every wallet address before confirming a transaction.