ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets
At the time of writing this blogpost, the price of bitcoin (US$38,114.80) has decreased about 44 percent from its all-time high about four months ago. For cryptocurrency investors, this might be a time either to panic and withdraw their funds, or for newcomers to jump at this opportunity and buy cryptocurrency at a lower price. If you belong to one of these groups, you should choose carefully which mobile app to use for managing your funds.
Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps. We found trojanized Android and iOS apps distributed through websites mimicking legitimate services. These malicious apps were able to steal victims' secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.
This is a sophisticated attack vector, since the malware's author carried out an in-depth analysis of the legitimate applications misused in this scheme, enabling the insertion of their own malicious code into places where it would be hard to detect, while also making sure that such crafted apps had the same functionality as the originals. At this point, we believe that this is the work of one individual attacker or, more likely, one criminal group.
The main goal of these malicious apps is to steal users' funds, and until now we have seen this scheme mainly targeting Chinese users. As cryptocurrencies gain popularity, we expect these techniques to spread into other markets. This is further supported by the public sharing, in November 2021, of the source code of the front-end and back-end of the distribution website, along with the recompiled APK and IPA files. We found this code on at least five websites, where it was shared for free, and thus expect to see more copycat attackers. From the posts we found, it is difficult to determine whether it was shared intentionally or whether it leaked.
These malicious apps also pose a second threat to victims, as some of them send the victims' secret seed phrases to the attackers' server over an unsecured HTTP connection. This means that victims' funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network. Besides this cryptocurrency wallet scheme, we also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store, which is proactively protected by the App Defense Alliance, of which ESET is one of the scanning partners, prior to apps being listed.
ESET Research identified over 40 copycat websites of popular cryptocurrency wallets. These websites target only mobile users and offer them the download of malicious wallet apps.
We were able to trace the distribution vector of these trojanized cryptocurrency wallets back to May 2021, based on the domain registrations made for these malicious apps in the wild, as well as the creation of several Telegram groups that started to look for affiliate partners.
On Telegram, a free and popular multiplatform messaging app with enhanced privacy and encryption features, we found dozens of such groups promoting malicious copies of cryptocurrency mobile wallets. We assume these groups were created by the threat actor behind this scheme looking for further distribution partners, suggesting options such as telemarketing, social media, advertising, SMS, third-party channels, fake websites and so on. All these groups were communicating in Chinese. Based on the information acquired from these groups, a person distributing this malware is offered a 50 percent commission on the stolen contents of the wallet.
Admins of these Telegram groups posted step-by-step video demonstrations of how these fake wallets work and how to access them once victims enter their seed phrases, which are a set of words that can be used to access one's cryptocurrency wallet. To illustrate how profitable this malicious scheme is, admins also included screenshots from admin panels and pictures of several cryptocurrency wallets that they claim belong to them. However, it is not possible to verify whether the funds shown in these video demonstrations originate from such illegal activities or are just bait from recruiters.
Shortly after, starting in October 2021, we found that these Telegram groups were shared and promoted in at least 56 Facebook groups, with the same goal: to find more distribution partners.
In November 2021, we observed the distribution of malicious wallets through two legitimate websites targeting users in China (yanggan[.]net, 80rd[.]com). On these websites, in the category "Investment and financial management", we found up to six articles promoting mobile cryptocurrency wallets via copycat websites, leading users to download malicious mobile applications claiming to be legitimate and reliable. These posts abuse the names of legitimate cryptocurrency wallets such as imToken, Bitpie, MetaMask, TokenPocket, OneKey, and Trust Wallet.
All posts contained a view counter with publicly available statistics. At the time of our research, all of these posts together had over 1,840 views; however, this does not mean these articles were visited by that many distinct users.
On December 10th, 2021, the threat actor posted an article on a legitimate Chinese website in the Blockchain News category, informing readers about Beijing's latest cryptocurrency ban. This ban on cryptocurrency exchanges suspended new registrations of users in mainland China. The author of this post also put together a list of cryptocurrency wallets (not exchanges) to circumvent the current ban. The list recommends using five wallets: imToken, Bitpie, MetaMask, TokenPocket, and OneKey. The problem is that the suggested websites are not the official sites for the wallets, but rather websites mimicking the legitimate services.
On top of that, the main page of this website also contains an advertisement for the aforementioned fake wallets.
Besides these distribution vectors, we discovered dozens of other counterfeit wallet websites that target mobile users exclusively. Visiting one of these websites might lead a potential victim to download a trojanized wallet app for Android or iOS. The sites themselves were not phishing for recovery seeds or cryptocurrency exchange credentials, and they did not target desktop users or their browsers with the option to download a malicious extension.
Figure 10 shows the timeline of these events.
Differences in behavior on iOS and Android
The malicious app behaves differently depending on the operating system it was installed on.
On Android, it appears to target new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. Trojanized wallets have the same package name as the legitimate applications; however, they are signed with a different certificate. This means that if the official wallet is already installed on an Android smartphone, the malicious app cannot overwrite it, because the key used to sign the counterfeit app is different from the one used for the legitimate application. That is the standard security model of Android apps, where non-genuine versions of an app cannot replace the original.
However, on iOS, the victim can have both versions installed, the legitimate one from the App Store and the malicious one from a website, because they do not share the same bundle ID.
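The Android rule described above can be checked directly against an APK file. The script below is an added example (not ESET's code, and not from any wallet project): it pulls the signing certificate out of an APK's v1 (JAR) signature block in META-INF, hashes it, compares the digest with a pinned value, and models the package manager's decision when a same-named package arrives with a different signer. The pinned digest, the hypothetical package names and the sample APK built by `build_sample_apk()` are constructed for the demonstration; real digests should be taken from the official APK with `apksigner verify --print-certs`.

```python
import hashlib
import io
import zipfile

# Assumption: placeholder digest. Replace with the value printed by
# `apksigner verify --print-certs` for the official APK before relying on this.
PINNED_SIGNERS = {"io.metamask": {"0" * 64}}


def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end, constructed)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, bool(tag & 0x20)


def _children(buf, start, end):
    """Yield (tag, value_start, value_end, constructed, tlv_start) for each TLV in [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend, constructed = _read_tlv(buf, pos)
        yield tag, vstart, vend, constructed, pos
        pos = vend


def _looks_like_certificate(buf, start, end):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, signature BIT STRING }."""
    kids = list(_children(buf, start, end))
    if [k[0] for k in kids] != [0x30, 0x30, 0x03]:
        return False
    tbs = list(_children(buf, kids[0][1], kids[0][2]))
    return bool(tbs) and tbs[0][0] in (0xA0, 0x02)   # [0] version (v2/v3) or serialNumber (v1)


def certificates_in_der(buf, start=0, end=None):
    """Walk a DER blob (the PKCS#7 SignedData in META-INF/*.RSA) and return every
    embedded X.509 certificate as raw DER bytes."""
    end = len(buf) if end is None else end
    found = []
    for tag, vstart, vend, constructed, tlv_start in _children(buf, start, end):
        if not constructed:
            continue
        if tag == 0x30 and _looks_like_certificate(buf, vstart, vend):
            found.append(bytes(buf[tlv_start:vend]))
        else:
            found.extend(certificates_in_der(buf, vstart, vend))
    return found


def apk_signer_digests(apk_bytes):
    """SHA-256 of each signing certificate found in the APK's v1 signature files."""
    digests = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_in_der(zf.read(name)):
                    digests.add(hashlib.sha256(cert).hexdigest())
    return digests


def install_decision(package_name, new_signers, installed):
    """Model the package-manager rule from the text; `installed` maps package name ->
    signer digests of the copy already on the device."""
    current = installed.get(package_name)
    if current is None:
        return "INSTALL_NEW"
    if current == new_signers:
        return "INSTALL_SUCCEEDED"                  # genuine update, same key
    return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"     # same name, different key: rejected


def classify_apk(package_name, apk_bytes):
    """'official signer' only if every signer digest is pinned for this package."""
    digests = apk_signer_digests(apk_bytes)
    if digests and digests <= PINNED_SIGNERS.get(package_name, set()):
        return "official signer"
    return "UNKNOWN SIGNER"


def _der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def build_sample_apk(serial):
    """Constructed sample: a zip holding one META-INF/CERT.RSA whose PKCS#7 SignedData
    wraps a fake, X.509-shaped certificate (no valid signature; structure only).
    Returns (apk_bytes, sha256_hex_of_that_certificate)."""
    oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")   # sha256WithRSAEncryption
    alg = _der(0x30, oid + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + alg
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 16))
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, oid)
                       + _der(0xA0, cert) + _der(0x31, b""))
    pkcs7 = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue(), hashlib.sha256(cert).hexdigest()
```

Modern APKs are usually signed with the v2/v3 scheme, whose certificates live in the APK Signing Block rather than in META-INF; for such a file `apk_signer_digests()` returns an empty set and `classify_apk()` conservatively reports an unknown signer. For production triage use `apksigner`, which understands all schemes; the point here is that the signer digest, not the package name, is what distinguishes the official build from a repackaged one.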
For Android devices, the sites offered the option to directly download the malicious app from their servers even if the user clicked the "Get it on Google Play" button. Once downloaded, the app has to be manually installed by the user.
Regarding iOS, these malicious apps are not available on the App Store; they have to be downloaded and installed using configuration profiles, which add an arbitrary trusted code-signing certificate. Using these profiles, it is possible to download applications that are not verified by Apple and that come from sources outside the App Store. Apple introduced configuration profiles in iOS 4 and intended them for use in corporate and educational settings, to allow network or system administrators to install sitewide, custom apps without having to upload them to, and have them verified through, the usual App Store procedures. Unsurprisingly, social engineering victims into installing configuration profiles to enable the subsequent installation of malware is now being used by cybercriminals. Applications enabled via configuration profiles have to be installed manually.
For both platforms, the downloaded apps behave like fully working wallets; victims cannot see any difference. This is possible because the attackers took the legitimate wallet apps and repackaged them with additional malicious code.
Repackaging these legitimate wallet apps had to be done manually, without the use of any automated tools. Because of that, it required the attackers to first perform an in-depth analysis of the wallet apps for both platforms, and then find the exact places in the code where the seed phrase is either generated or imported by the user. In these places, the attackers inserted malicious code responsible for obtaining the seed phrase and exfiltrating it to the attackers' server.
For those who are not familiar with the seed or recovery phrase: when a cryptocurrency wallet is created, this phrase is generated as a list of words that allow the wallet's owner to access the wallet's funds.
If the attackers have the seed phrase, they can manipulate the contents of the wallet as if it were their own.
Some of the malicious apps send the victims' secret seed phrases to the attackers' server using the unsecured HTTP protocol, without any additional encryption in place. Because of that, other bad actors on the same network could snoop on the network communication and steal victims' seed or recovery phrases to access their funds. This attack scenario is known as an adversary-in-the-middle attack.
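Because the exfiltration is a plain HTTP POST carrying a BIP39 mnemonic, the same property that exposes victims to an on-path eavesdropper also makes the traffic easy to detect. The following is an added example (not ESET's code): a small detector that parses POST bodies from HTTP request records, looks for a 12/15/18/21/24-word lowercase sentence, checks the destination against the hardcoded C&C hosts listed in the IoC table at the end of this report, and rates a mnemonic sent over plaintext HTTP as critical. The request records and the mnemonics (the public BIP39 test vectors for all-zero and all-one entropy) are constructed; the wordlist is a labelled subset, and a real deployment would load the full 2048-word english.txt.

```python
import json
import re
from urllib.parse import parse_qs

MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}       # valid BIP39 sentence lengths
WORD_RE = re.compile(r"^[a-z]{3,8}$")          # every BIP39 English word is 3..8 lowercase letters

# C&C hosts copied from the IoC table of this report (defanged there as host[.]tld).
IOC_CNC = {"two.shayu[.]la", "725378[.]com", "bp.tkdt[.]cc", "mm.tkdt[.]cc", "api.metamasks[.]me"}
CNC_HOSTS = {h.replace("[.]", ".") for h in IOC_CNC}

# Assumption: a tiny subset of the BIP39 English wordlist, enough for the sample below.
# Load the full 2048-word english.txt in real use.
BIP39_SUBSET = {"abandon", "about", "zoo", "wrong"}


def looks_like_mnemonic(text, wordlist=None):
    """True if text is 12/15/18/21/24 lowercase words (all in wordlist, if one is given)."""
    words = text.strip().split()
    if len(words) not in MNEMONIC_LENGTHS:
        return False
    if not all(WORD_RE.match(w) for w in words):
        return False
    return wordlist is None or all(w in wordlist for w in words)


def _strings_in(value):
    """Recursively yield every string leaf of a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def body_strings(content_type, body):
    """Yield candidate strings from a request body according to its Content-Type."""
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "application/json":
        try:
            yield from _strings_in(json.loads(body))
            return
        except ValueError:
            pass                                  # malformed JSON: fall back to the raw body
    elif ct == "application/x-www-form-urlencoded":
        for values in parse_qs(body).values():
            yield from values
        return
    yield body


def inspect_request(req, wordlist=None):
    """Return a finding dict for one HTTP request record, or None."""
    if req["method"] != "POST":
        return None
    hits = [s for s in body_strings(req.get("content_type"), req.get("body", ""))
            if looks_like_mnemonic(s, wordlist)]
    known_cnc = req["host"].lower() in CNC_HOSTS
    if not hits and not known_cnc:
        return None
    if hits and req["scheme"] == "http":
        severity = "critical"   # mnemonic readable by anyone on the path (adversary-in-the-middle)
    elif hits:
        severity = "high"       # mnemonic exfiltrated, but only the endpoint sees it
    else:
        severity = "medium"     # POST to a known C&C host without a recognisable mnemonic
    return {"host": req["host"], "scheme": req["scheme"], "severity": severity,
            "known_cnc": known_cnc, "seed_words": len(hits[0].split()) if hits else 0}


def scan(requests, wordlist=None):
    return [f for f in (inspect_request(r, wordlist) for r in requests) if f]


# Constructed sample traffic; no real wallet is involved.
SAMPLE_REQUESTS = [
    {"method": "POST", "scheme": "http", "host": "two.shayu.la", "path": "/api/import",
     "content_type": "application/x-www-form-urlencoded",
     "body": "mnemonic=" + "+".join(["abandon"] * 11 + ["about"]) + "&type=wallet"},
    {"method": "POST", "scheme": "https", "host": "api.metamasks.me", "path": "/v1/save",
     "content_type": "application/json",
     "body": json.dumps({"event": "import", "data": {"words": " ".join(["zoo"] * 11 + ["wrong"])}})},
    {"method": "POST", "scheme": "https", "host": "search.example.com", "path": "/q",
     "content_type": "application/json", "body": json.dumps({"q": "how to buy bitcoin"})},
    {"method": "POST", "scheme": "http", "host": "725378.com", "path": "/ping",
     "content_type": "application/x-www-form-urlencoded", "body": "ping=1"},
]
```

Run `scan(SAMPLE_REQUESTS, BIP39_SUBSET)` to see the three findings. The "critical" rating for plaintext HTTP is deliberate: the same body is available to the C&C operator and to anyone on the victim's Wi-Fi, so containment has to assume both already hold the phrase. Extending the check with the BIP39 checksum would cut false positives further, but requires the full wordlist to recover word indices.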
We have seen various kinds of malicious code implemented in the trojanized wallet applications we analyzed.
In one malicious Android wallet, the malicious code was patched into the binary file classes.dex. A new class was inserted, together with calls to its methods placed at the specific points in the wallet code where it processes the seed phrase. This class was responsible for sending the seed phrase to the attackers' server. Server names were always hardcoded, so the malicious app could not update them in the event that the servers were taken down.
In an iOS app, the threat actor injected a malicious dynamic library (dylib) into a legitimate IPA file. This can be done either manually or by binding it automatically with one of various patching tools. Such a library then becomes part of the app and is executed at runtime. In the screenshot below you can see the lists of dynamic libraries found in both the legitimate and the patched IPA files.
The image above shows that the dynamic library libDevBitpieProDylib.dylib contains malicious code responsible for exfiltrating the victim's seed phrase.
We found the code in the dynamic library that exfiltrates the seed phrase, as seen below.
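Comparing the dylib load commands of the legitimate and patched binaries is exactly how the extra library stands out. The script below is an added example (not ESET's code and not a tool from any wallet project): it opens an IPA, finds the main executable through Info.plist, walks the Mach-O load commands for LC_LOAD_DYLIB and its variants, and reports install names present in the suspect build but absent from a known-good one. The sample IPAs it builds are constructed, minimal Mach-O files that do not run; the injected library name is the one reported above, used only as a label.

```python
import io
import plistlib
import re
import struct
import zipfile

MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE
LC_REQ_DYLD = 0x80000000
DYLIB_LOAD_COMMANDS = {
    0x0C: "LC_LOAD_DYLIB",
    0x20: "LC_LAZY_LOAD_DYLIB",
    0x18 | LC_REQ_DYLD: "LC_LOAD_WEAK_DYLIB",
    0x1F | LC_REQ_DYLD: "LC_REEXPORT_DYLIB",
}


def linked_dylibs(macho):
    """Install names from every dylib load command of a thin 64-bit Mach-O.
    Fat (multi-arch) and 32-bit files are out of scope here; `otool -L` handles them."""
    magic = struct.unpack_from("<I", macho, 0)[0]
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds = struct.unpack_from(end + "8I", macho, 0)[4]
    offset, names = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", macho, offset)
        if cmd in DYLIB_LOAD_COMMANDS:
            # dylib_command: cmd, cmdsize, name.offset, timestamp, current_version, compat_version
            name_off = struct.unpack_from(end + "I", macho, offset + 8)[0]
            raw = macho[offset + name_off:offset + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode())
        offset += cmdsize
    return names


def ipa_linked_dylibs(ipa_bytes):
    """Locate the main executable via Payload/*.app/Info.plist and list its linked dylibs."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        plist_name = next(n for n in zf.namelist()
                          if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(zf.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        return linked_dylibs(zf.read(f"{app_dir}/{info['CFBundleExecutable']}"))


def unexpected_dylibs(suspect_ipa, baseline_ipa):
    """Install names present in the suspect build but absent from the legitimate one."""
    return sorted(set(ipa_linked_dylibs(suspect_ipa)) - set(ipa_linked_dylibs(baseline_ipa)))


def _dylib_command(name, cmd=0x0C):
    payload = name.encode() + b"\x00"
    payload += b"\x00" * (-len(payload) % 8)          # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, 24 + len(payload), 24, 2, 0x10000, 0x10000) + payload


def build_sample_ipa(app_name, dylibs):
    """Constructed sample IPA: an Info.plist plus a minimal arm64 Mach-O whose only load
    commands are LC_LOAD_DYLIB entries for `dylibs`. Not a runnable app."""
    cmds = b"".join(_dylib_command(n) for n in dylibs)
    # CPU_TYPE_ARM64 = 0x0100000C, MH_EXECUTE = 2
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"Payload/{app_name}.app/Info.plist",
                    plistlib.dumps({"CFBundleExecutable": app_name}))
        zf.writestr(f"Payload/{app_name}.app/{app_name}", header + cmds)
    return buf.getvalue()


BASELINE_DYLIBS = ["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/UIKit.framework/UIKit"]
# The injected name is the one reported in the text, placed into a constructed sample.
INJECTED_DYLIB = "@executable_path/Frameworks/libDevBitpieProDylib.dylib"
```

A typical check is `unexpected_dylibs(build_sample_ipa("Wallet", BASELINE_DYLIBS + [INJECTED_DYLIB]), build_sample_ipa("Wallet", BASELINE_DYLIBS))`, which returns only the injected name. Against real IPAs, also list the Frameworks directory of both bundles: an injected library must ship inside the app, so a .dylib present in the suspect bundle but not in the App Store build is an equally strong signal, and patch tools that add an LC_LOAD_DYLIB entry leave exactly this pair of traces.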
In the image below we compare the original and the malicious version of a script found in the index.android.bundle file. It shows that the attackers modified the script in several specific places by inserting their own routines responsible for stealing seed phrases. Such a patched script was found in both the Android and iOS versions of these apps.
The videos below demonstrate the compromise and the exfiltration of the secret seed phrase from the victim's device.
Figure 22. The compromise and secret seed phrase exfiltration from the victim's device (Android)
Figure 23. The compromise and secret seed phrase exfiltration from the victim's device (iOS)
Leaked source code
ESET Research discovered that the source code of the front-end and back-end, along with the recompiled and patched mobile apps used in these malicious wallet schemes, was publicly shared on at least five Chinese websites and in several Telegram groups in November 2021.
Right now, it appears that the threat actors behind this scheme are most likely located in China. However, since the code is already shared publicly for free, it might attract other attackers, even outside of China, who could target a wider spectrum of cryptocurrency wallets with an improved scheme.
Fake wallet apps discovered in the Google Play store
Based on our request as a Google App Defense Alliance partner, in January 2022 Google removed 13 malicious applications found on the Google Play store that impersonated the legitimate Jaxx Liberty Wallet app; they had been installed more than 1,100 times. One of the apps on this list used a fake website mimicking Jaxx Liberty as a distribution vector. As the threat actor behind this malicious app managed to place it in the official Google Play store, the fake website redirected the user to download its mobile version from the Google Play store and did not need to use a third-party app store as an intermediary. This is presumably an effective trick to convince a potential victim that the app is legitimate, since it is available for download from the official app store.
Some of these apps make use of homoglyphs, a technique more commonly used in phishing attacks: they replace characters in their names with look-alikes from the Unicode character set. This is most likely done to bypass app-name filters protecting popular apps created by trustworthy developers.
In comparison to the trojanized wallet apps described above, these apps had no legitimate functionality; their only goal was to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group.
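A name filter that compares raw strings misses these look-alikes; folding both the submitted name and the protected brand to a common skeleton catches them. The following is an added example, not ESET's or Google's code: it normalizes a candidate app name with NFKC, strips combining marks and invisible format characters, maps a small table of Cyrillic and Greek look-alikes onto their Latin counterparts, and compares the result against the wallet names from this report, distinguishing an exact name, a homoglyph, a one-edit typosquat and a mixed-script name. The confusables table is a subset labelled as such; the full mapping is Unicode's confusables.txt (UTS #39).

```python
import unicodedata

# Assumption: a small confusables table covering the Cyrillic/Greek letters and digits
# most often swapped for Latin letters. The complete list is Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03c5": "u",
    "\u03bd": "v", "\u03c4": "t", "\u0131": "i", "\u0261": "g", "\u0251": "a",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041c": "M", "\u0422": "T",
    "\u0425": "X", "\u0421": "C", "\u041e": "O", "\u0420": "P",
    "\u2010": "-", "\u2011": "-", "\u2013": "-", "0": "o", "1": "l",
}

# Brand names protected in this example, taken from the wallets named in the report.
PROTECTED = ["Jaxx Liberty", "MetaMask", "Trust Wallet", "imToken",
             "TokenPocket", "Bitpie", "OneKey", "Coinbase Wallet"]


def plain(name):
    """Case- and whitespace-insensitive form, with no confusable folding."""
    return " ".join(name.casefold().split())


def skeleton(name):
    """Fold fullwidth/ligature forms (NFKC), drop combining marks (Mn) and invisible
    format characters such as zero-width joiners (Cf), map confusables, then casefold."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Mn", "Cf"))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return plain(text)


def scripts(name):
    """Set of scripts used by the letters in name, e.g. {'LATIN', 'CYRILLIC'}."""
    out = set()
    for ch in unicodedata.normalize("NFKC", name):
        if ch.isalpha():
            out.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return out


def edit_distance(a, b):
    """Levenshtein distance, used for the typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_app_name(name, protected=PROTECTED):
    """Return (verdict, brand) or None.

    exact-name   : identical to a protected name (the genuine app, or a plain clone)
    homoglyph    : differs from a protected name only by look-alike or invisible characters
    typosquat    : within one edit of a protected name after folding
    mixed-script : letters from several scripts, matching no protected name
    """
    sk = skeleton(name)
    for brand in protected:
        if plain(name) == plain(brand):
            return "exact-name", brand
        if sk == skeleton(brand):
            return "homoglyph", brand
    for brand in protected:
        if edit_distance(sk, skeleton(brand)) <= 1:
            return "typosquat", brand
    if len(scripts(name)) > 1:
        return "mixed-script", None
    return None
```

Note what the skeleton does not do: it treats "Jaxx Liberty Pro" as unrelated, so a store-side filter would still pair this with prefix or token matching. The verdict "exact-name" is not a verdict of legitimacy; the Jaxx copies that used the correct spelling are caught by other signals, such as the publisher account and the absence of the genuine app's functionality described above.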
Prevention and uninstallation
ESET researchers consistently advise users to download and install apps only from official sources, such as the Google Play store or Apple's App Store. A reliable mobile security solution should be able to detect this threat on an Android device; for instance, ESET products detect this threat as Android/FakeWallet. In the Google Play store case, ESET takes its commitment to protecting the mobile ecosystem further, partnering with other security vendors and Google in the App Defense Alliance to assist in the vetting of apps submitted for listing on Google Play.
On an iOS device, the nature of the operating system, when not jailbroken, allows an app to communicate with other apps only in very limited ways. That is why no security solutions are offered for iOS, as they would only be able to scan themselves. Therefore, downloading apps only from the official App Store, being especially careful about accepting configuration profiles, and avoiding a jailbreak on this platform are the most advisable prevention tips.
If any of these apps are already installed on your device, the removal process differs based on the mobile platform. On Android, regardless of the source from which you downloaded the malicious app, official or unofficial, if there are doubts about the legitimacy of the source, we advise uninstalling the app. None of the malware described in this blogpost leaves any backdoors or leftovers on the device after removal.
On iOS, after uninstalling the malicious app, it is also necessary to remove its configuration profile by going to Settings → General → VPN & Device Management. Under CONFIGURATION PROFILE you will find the name of the profile that needs to be removed.
If you either created a new, or restored an old, wallet using such a malicious application, we advise immediately creating a brand-new wallet on a trusted device with a trusted application and transferring all funds to it. This is necessary because the attackers have already obtained the seed phrase and could transfer the available funds at any time. Considering that the attackers know the history of all the victim's transactions, they might not steal the funds immediately and might rather wait for a better opportunity, after more coins have been deposited.
ESET Research was able to uncover and trace a sophisticated malicious cryptocurrency scheme that targets mobile devices running Android or iOS. It has been distributed through fake websites mimicking legitimate wallet services such as MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These fake websites are promoted with advertisements placed on legitimate sites using misleading articles, for example in "Investment and financial management" sections.
In the future, we might expect an expansion of this threat, since the threat actors are recruiting intermediaries through Telegram groups and Facebook to further distribute this malicious scheme, offering them a percentage of the cryptocurrency stolen from the wallets.
Moreover, it seems that the source code of this threat has been leaked and shared on several Chinese websites, which might attract other threat actors and spread this threat even further.
The goal of these fake sites is to make users download and install malicious mobile wallet applications. These wallet apps are trojanized copies of legitimate ones, which is why they work as real wallets on a victim's device; however, they are patched with several lines of malicious code responsible for stealing the victim's secret seed phrase.
This sophisticated attack required the attackers to first perform an in-depth analysis of each wallet application, to identify the exact places in the original code where to inject their malicious code, and then to promote the apps and make them available for download via fake websites.
We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked from the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources.
For any inquiries about our research published on WeLiveSecurity, please contact us at email@example.com.
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
| First seen | MD5 | SHA-1 | SHA-256 | Package name | Description | C&C | ESET detection name |
|---|---|---|---|---|---|---|---|
| 2021-12-19 | 1AA2F6795BF8723958313BAD7A2657B4 | B719403DC3743D91380682EAC290C3C67A738192 | 5DA813FEC32E937E5F2AE82C57842FDED71F0671E1D8E6FD50FF8521D183F809 | com.wallet.crypto.trustapp | Trojanized version of Trust Wallet Android application. | two.shayu[.]la | Android/FakeWallet.B |
| 2022-01-19 | E7CEBF27E8D4F546DA9491DA78C5D4B4 | BC47D84B8E47D6EAF501F2F0642A7C4E26EC88B6 | A4D875C13B46BC744D18BB6668F17EA67BFF85B26CF0D46100736BD62DB649AE | com.wallet.crypto.trustapp | Trojanized version of Trust Wallet Android application. | 725378[.]com | Android/FakeWallet.D |
| 2022-02-05 | 22689A6DA0FC86AD75BF62F3B172478D | CDB96862A68A1C01EA5364CB03760AE59C2B0A74 | 127E4DA1614E42B541338C0FAACD7C656655C9C0228F7D00EC9E13507FA0F9E9 | com.bitpie | Trojanized version of Bitpie Android application. | bp.tkdt[.]cc | Android/FakeWallet.AB |
| 2022-02-07 | 4729D57DF40585428ADCE26A478C1C3A | E9B7D8F93B4C04B5DC3D1216482035C242F98F24 | 0B60C44749B43147D40547B438B8CCB50717B319EF20D938AB59F0079D1BA57C | cce4492155695349d80ad508d33e33ae93772fba39e50c520f3f6deaf43c8e2780b40762eosIM0.ipa | Trojanized version of Bitpie iOS application. | jdzpfw[.]com | iOS/FakeWallet.A |
| 2022-02-04 | 6D0C9DDD18538494EB9CA7B4BC78BDB0 | 3772A8ACD9EB01D2DC8124C9CDA4E8F4219AE9F3 | 9017EF4A85AC85373D0F718F05F4A5C441F17AE1FD9A7BFD18521E560E6AB39E | com.bixin.wallet.mainnet | Trojanized version of OneKey Android application. | ok.tkdt[.]cc | Android/FakeWallet.AA |
| 2022-01-20 | 140DB26EB6631B240B3443FDB49D4878 | 869155A5CB6D773243B16CCAF30CEC5C697AC939 | 8ADCD1C8313C421D36EB6C4DF948D9C40578A145764E545F5AC536DC95ED2069 | io.metamask | Trojanized version of MetaMask Android application. | 725378[.]com | Android/FakeWallet.F |
| 2022-01-20 | A2AFDED28CB68CADF30386FC15A26AFA | 5B0363F1CB0DB00B7449ABE0B1E5E455A6A69070 | FD88D8E01DB36E5BE354456F1FB9560CE9A3328EEFBF77D5560F3BDDA1856C80 | io.metamask | Trojanized version of MetaMask Android application. | xdhbj[.]com | Android/FakeWallet.E |
| 2022-01-21 | 383DB92495705C0B25E56785CF17AAC9 | CF742505000CCE89AB6AFCAEC7AB407F7A9DFB98 | 0ED22309BF79221B5C099285C4CDE8BAB43BA088890A14707CC68BC7A8BA15AE | io.metamask | Trojanized version of MetaMask Android application. | api.metamasks[.]me | Android/FakeWallet.H |
| 2022-01-21 | B366FCF5CA01A9C51806A7E688F1FFBE | 399C85CCC752B1D8285B9F949AC1F4483921DE64 | 49937230ABB29118BDA0F24EBEFD9F887857814C9B4DC064AED52A9A3C278D53 | io.metamask | Trojanized version of MetaMask Android application. | update.xzxqsf[.]com | Android/FakeWallet.I |
| 2022-01-19 | B6E8F936D72755A812F7412E76F6968E | E525248D78D931AF92E2F5376F1979A029FA4157 | 0056027FBC4643D24282B35F53E03AC1E4C090AA22F2F88B1D8CBD590C51F399 | io.metamask | Trojanized version of MetaMask Android application. | metamask.tptokenm[.]live | Android/FakeWallet.G |
| 2022-02-01 | 54053B4CCACAA36C570A4ED500A8C4A2 | 99144787792303F747F7EF14B80860878A204497 | 553209AEEA2515F4A7D76CE0111DD240AEAD97FAC149ACC3D161C36B89B729D8 | io.metamask | Trojanized version of MetaMask Android application. | imtokenss.token-app[.]cc | Android/FakeWallet.P |
| 2022-02-04 | 15BDC469C943CF563F857DE4DCA7FCC5 | 664F1E208DA29E50DF795144CB3F80C9582B33E3 | CD896A7816768A770305F3C2C07BCC81ABDF1F18B9F3C2B48B4494704A3B61B7 | io.metamask | Trojanized version of MetaMask Android application. | jdzpfw[.]com | Android/FakeWallet.W |
| 2021-12-11 | A202D183B45D3AB10221BCB40A3D3EC2 | 15D11E0AB0A416DB96C0713764D092CB245B8D17 | E95BF884F1AE27C030C56E95969C00200B22531DC2C794975D668F1DD0AEEDDD | io.metamask | Trojanized version of MetaMask Android application. | mm.tkdt[.]cc | Android/FakeWallet.X |
| 2022-02-04 | CC6E37F6C5AF1FF5193828DDC8F43DF0 | 452E2E3A77E1D8263D853C69440187E052EE3F0A | A58B9C7763727C81D40F2B42CCCA0D34750CDF84FC20985699A6E28A4A85094F | io.metamask | Trojanized version of MetaMask Android application. | admin.metamaskio[.]vip | Android/FakeWallet.Z |
| 2022-02-07 | 68A68EFED8B70952A83AA5922EA334BD | 4450F4ED0A5CF9D4F1CA6C98FC519891EF9D764F | 3F82BA5AB3C3E9B9DDEAA7C33C670CE806A5E72D409C813FF7328434E2054E6D | 6vugkf43gx.ipa | Trojanized version of MetaMask iOS application. | admin.metamaskio[.]vip | iOS/FakeWallet.A |
| 2022-02-07 | 1EE43A8046FA9D68C78619E25CD37249 | 2B741593B58E64896004461733B7E86D98EB7B7D | EB5EB7E345E4C48F86FB18ABC0883D61E956A24D5A9A4B488C2FDD91F789033A | 00835616-3548-4fa4-8aee-828585de7680.ipa | Trojanized version of MetaMask iOS application. | 725378[.]com | iOS/FakeWallet.A |
| 2022-02-01 | 9BFEE43D55DFD5A30861035DEED9F4B0 | 4165E9CDFC10FA118371CB77FE4AD4142C181B23 | E1BF431DC0EBB670B743012638669A7CE3D42CE34F8F676B1512601CD8A6DBF0 | im.token.app | Trojanized version of imToken Android application. | admin.token2[.]club | Android/FakeWallet.L |
| 2022-02-01 | D265C7894EDB20034E6E17B4FFE3EC5D | 78644E1256D331957AA3BF0AC5A3D4D4F655C8EA | 15C1532960AE3CAA8408C160755944BD3ABC12E8903D4D5130A364EF2274D758 | im.token.app | Trojanized version of imToken Android application. | update.imdt[.]cc | Android/FakeWallet.M |
| 2022-02-01 | 14AA1747C28FFC5CDB2D3D1F36587DF9 | 0DFD29CD560E0ACB6FCAF2407C504FEB95E3FC19 | CB9757B7D76B9837CFC153A1BA9D1AC821D2DBDB09ED877082B0D041C22D66E9 | im.token.app | Trojanized version of imToken Android application. | imbbq[.]co | Android/FakeWallet.O |
| 2022-01-05 | 3E008726C416963D0C5C78A1E71EBA65 | 16A0C8C24EF64F657696E176700A83B76FDA39C7 | 3069A2EED380D98AAE822A9B792927B498234C37E6813193B5881922992BAFEE | im.token.app | Trojanized version of imToken Android application. | ds-super-admin.imtokens[.]money | Android/FakeWallet.Q |
| 2022-02-01 | CA3231E905C5308DE84D953377BB22C2 | 9D79392B1027C6E2AAD3B86C2E60141B8DF0879E | 1D7D0D75319BFFF0C2E2E268F0054CAABD9F79783608292C2A6C61FABE079960 | im.token.app | Trojanized version of imToken Android application. | appapi.imtoken[.]porn | Android/FakeWallet.S |
| 2021-12-13 | C3B644531FC9640F45B22C76157350B6 | AE22B21038787003E9B70BC162CCA12D5767EEBF | 8E63CE669A7865B867C2D33CBCB69677E3CE51C3FBAB131171C8017E41F4EC5A | im.token.app | Trojanized version of imToken Android application. | bh.imtoken[.]sx | Android/FakeWallet.AI |
| 2022-02-09 | A62B00BF3F37EABB32D38AB4F999AB42 | CA6DAF6645B2832AA5B0CC0FEAB41A848F7803D3 | A6E6A4C80906D60CBEA4643AC97235B308F5EF35C5AB54B38BF63280F6A127D4 | im.token.app | Trojanized version of imToken Android application. | ht.imtoken.cn[.]com | Android/FakeWallet.AJ |
| 2022-01-18 | 90B4C4CE9A0019ACB0EEDBA6392E8319 | 4A4C98D6E758536A20442A2FA9D81220FB73B56B | 731F1952142CFFE3DBDD6CCD5221AEC6EC91679308F0A9D46B812B62EC861AEF | org.toshi | Trojanized version of Coinbase Wallet Android application. | 180.215.126[.]33:51148 | Android/FakeWallet.C |
| 2022-01-31 | E27A4039D0A0FFD0C34E82B090EFE2BD | 4C8DE212E49386E701DB212564389241CE4A7E5A | 4736ECA0030C86D1AFA2C01558ED31151C3A72BA24D9ED278341AB3DF71467E5 | org.toshi | Trojanized version of Coinbase Wallet Android application. | token-lon[.]me | Android/Spy.Agent.BYH |
| 2022-02-07 | 6EFEF97F0633B3179C7DFC2D81FE67FB | 0E419606D6174C36E53601DA5A10A7DBB3954A70 | A092C7DD0E9DEF1C87FB8819CB91B4ECE26B140E60E5AD637768113733541C2B | cce4492155695349d80ad508d33e33ae93772fba_3858264b86e27f12.ipa | Trojanized version of TokenPocket iOS application. | jdzpfw[.]com | iOS/FakeWallet.A |
| 2022-01-19 | 149B8AADD097171CC85F45F4D913F194 | 51F038BC7CBB0D74459650B947927D916F598389 | A427759DE6FE25E1B8894994A226C4517BB5C97CF893EC4B50CBD7A340F34152 | com.cjaxx.libertywallet.exchange | Fake Jaxx Liberty wallet. | ariodjs[.]xyz | Android/FakeApp.OC |
| 2022-01-12 | 3ED898EA1F47F67A80A7DD5CF0052417 | 022D9FBC989CA022FA48DF7A29F3778AFD009FFD | BD626C5BD36E9206C48D0118B76D7F6F002FFCF2CF5F1B672D6D626EE09836BD | com.jaxx_liberty.walletapp | Fake Jaxx Liberty wallet (corrupted sample). | Not included | Android/FakeApp.NT |
| 2022-01-19 | D7B1263F7DA2FDA0FB81FBDAC511454C | F938CEC631C8747AAE942546BB944905A35B5D7B | 206123F2D992CD236E6DB1413BCFE4CE9D74721D509A0512CF70D62D466B690D | com.jaxx_libertyfy_12.jaxxwalletpro | Fake Jaxx Liberty wallet. | spspring.herokuapp[.]com | Android/FakeApp.NT |
| 2022-01-12 | C3CBA07BEAF3F5326668A8E26D617E86 | 85ED0E51344E3435B3434B935D4FFCADAF06C631 | 1FE95756455FDDE54794C1DDDFB39968F1C9360E44BF6B8CE9CEF9A6BEDA4EE1 | com.jaxxwebliberty.webviewapp | Fake Jaxx Liberty wallet. | jaxx[.]tf | Android/FakeApp.NV |
| 2022-01-19 | 8F2B2272C06C4FE5D7962C7812E1AEA7 | 9D279FCA4747559435CCA2A680DB29E8BAC1C1F5 | 039544846724670DAE731389EB6E799E17B085DDD6D4670536803C5C3CEB7496 | com.MBM.jaxxw | Fake Jaxx Liberty wallet. | master-consultas[.]com/jaxliberty/ | Android/FakeApp.OB |
| 2022-01-19 | 99B4FF9C036EE771B62940AB8A987747 | CE0380103B9890FD6B6F19C34D156B68E875F00C | 8C8F65A70677C675EE2AF2C70DD439410DE3C3D0736FFC20D1AB7F1DA3F47956 | com.VRA.jaxx | Fake Jaxx Liberty wallet. | master-consultas[.]com/jaxliberty/ | Android/FakeApp.NZ |
| 2022-01-12 | 9D9D85400771684BE53012B828832F31 | 45DA3F337ABA9454323DF9B1F765E7F8439BFFD8 | 58106983A575DF14291AC501221E5F7CCD6CE2239CBFEC089A7596EEBE3DFA9C | crp.jaxwalet.com | Fake Jaxx Liberty wallet. | Telegram chat_id: 959983483 | Android/FakeApp.NS |
| 2022-01-19 | 271550A137B28DB5AF457E3E48F2AAB0 | 5605426A09E0DD285C86DB0DE335E7942A765C8E | F87CC7B548A3AD8D694E963013D2D0370FE6D37FC2024FBE624844489B4C428D | io.jaxxc.ertyx | Fake Jaxx Liberty wallet. | czbsugjk[.]xyz | Android/FakeApp.OE |
| 2022-01-19 | 28DB921C6CFD4EAD93DF810B7F514AEE | 3B6E2966D3EF676B453C3A5279FFF927FA385185 | 19F0F9BF72C071959395633A2C0C6EB54E31B6C4521311C333FA292D9E0B0F1D | io.jaxxc.ertyxcc | Fake Jaxx Liberty wallet. | czbsugjk[.]xyz | Android/FakeApp.OF |
| 2022-01-19 | F06603B2B589D7F82D107AB8B566D889 | 568546D9B5D4EA2FBDE53C95A76B26E8655D5BC5 | CAAD41986C5D74F8F923D258D82796632D069C5569503BFB16E7B036945F5290 | jax.wall.exchange.bnc | Fake Jaxx Liberty wallet. | jaxxwalletinc[.]live | Android/FakeApp.OA |
| 2022-01-19 | F4BEACADF06B09FD4367F17D3A0D8E22 | 97E13DBD320EE09B5934A3B4D5A7FF23BA11E81C | A99AA5412EA12CB7C2C1E21C1896F38108D7F6E24C9FDD7D04498592CF804369 | jaxx.libertycryptowallet.ltd | Fake Jaxx Liberty wallet. | jabirs-xso-xxx-wallet[.]com | Android/FakeApp.OD |
| 2022-01-12 | 295E7E67B025269898E462A92B597111 | 75F447226C8322AE55D93E4BCF23723C2EAB30E3 | 2816B84774235DFE2FBFCC2AF5B2A9BE3AB3A218FA1C58A8A21E7973E640EB85 | net.jxxwalltpro.app | Fake Jaxx Liberty wallet. | jaxx.podzone[.]org | Android/FakeApp.NW |
| 2022-01-12 | 6D9CF48DD899C90BA7D495DDF7A04C88 | 3C1EF2ED77DB8EFA46C50D781EF2283567AFC96F | DB9E9CF514E9F4F6B50937F49863379E23FE55B430FFB0DB068AE8ED2CA0EEE8 | wallet.cryptojx.store | Fake Jaxx Liberty wallet. | saaditrezxie[.]store | Android/FakeApp.NU |
| IP | Provider | First seen | Domain | Role |
|---|---|---|---|---|
| 185.244.150[.]159 | Dynadot | 2022-01-20 19:36:29 | token2[.]club | Distribution website |
| 3.33.236[.]231 | GoDaddy | 2022-01-27 16:55:51 | imtoken[.]porn | Distribution website |
| 172.67.210[.]44 | 广州云讯信息科技有限公司 | 2022-01-24 12:53:46 | imtken[.]cn | Distribution website |
| 172.67.207[.]186 | GoDaddy | 2021-12-01 17:57:00 | im-token[.]one | Distribution website |
| 47.243.75[.]229 | GoDaddy | 2021-12-09 11:22:03 | imtokenep[.]com | Distribution website |
| 154.82.111[.]186 | GoDaddy | 2022-01-24 11:43:46 | imttoken[.]org | Distribution website |
| 104.21.89[.]154 | GoDaddy | 2022-01-24 11:26:23 | imtokens[.]money | Distribution website |
| 104.21.23[.]48 | N/A | 2022-01-06 12:24:28 | mtokens[.]im | Distribution website |
| 162.0.209[.]104 | Namecheap | 2020-10-02 11:14:06 | tokenweb[.]online | Distribution website |
| 156.226.173[.]11 | GoDaddy | 2022-01-27 17:04:42 | metamask-wallet[.]xyz | Distribution website |
| 103.122.95[.]35 | GoDaddy | 2022-01-24 11:04:56 | metemas[.]me | Distribution website |
| 104.21.34[.]145 | GoDaddy | 2021-11-12 20:41:32 | metamasks[.]me | Distribution website |
| 8.212.40[.]178 | TopNets Technology | 2021-05-31 08:29:39 | metamask[.]hk | Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-10-18 16:24:49 | metamaskey[.]com | Distribution website |
| 172.67.180[.]104 | NameSilo | 2021-10-01 13:26:26 | 2022mask[.]com | Distribution website |
| 69.160.170[.]165 | Hefei Juming Network Technology | 2022-01-13 12:25:38 | metamadk[.]com | Distribution website |
| 104.21.36[.]169 | NameSilo | 2021-11-28 03:54:13 | metemasks[.]live | Distribution website |
| 45.116.163[.]65 | 阿里云计算有限公司（万网） | 2021-12-10 15:39:07 | bitpiecn.com[.]cn | Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-11-06 13:25:43 | tokenp0cket[.]com | Distribution website |
| 104.21.24[.]64 | NameSilo | 2021-11-14 07:29:44 | im-tokens[.]info | Distribution website |
| 104.21.70[.]114 | NameSilo | 2021-12-30 13:39:22 | tokenpockets[.]buzz | Distribution website |
| 172.67.201[.]47 | NameSilo | 2022-02-06 03:47:17 | bitepie[.]club | Distribution website |
| 104.21.30[.]224 | NameSilo | 2021-11-22 08:20:59 | onekeys[.]dev | Distribution website |
| 206.119.82[.]147 | Gname | 2021-12-23 21:41:40 | metamaskio[.]vip | Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-12-10 15:33:41 | zh-imtoken[.]com | Distribution website |
| 47.243.117[.]119 | 广州云讯信息科技有限公司 | 2021-10-18 11:36:07 | bitoken.com[.]cn | Distribution website |
| 104.21.20[.]159 | NameSilo | 2021-11-19 16:39:52 | lmtokenn[.]cc | Distribution website |
| 104.21.61[.]17 | NameSilo | 2021-12-30 12:33:04 | lntokems[.]club | Distribution website |
| 104.21.26[.]245 | NameSilo | 2021-11-26 18:39:27 | matemasks[.]date | Distribution website |
| 172.67.159[.]121 | NameSilo | 2022-02-06 03:48:54 | bitpio[.]com | Distribution website |
| 172.67.171[.]168 | NameSilo | 2022-02-06 03:50:25 | onekeys[.]mobi | Distribution website |
| 172.67.133[.]7 | NameSilo | 2021-12-28 06:57:00 | tokenpockets[.]org | Distribution website |
| 216.83.46[.]49 | Dynadot | 2022-01-17 17:22:40 | app-coinbase[.]co | Distribution website |
| 172.67.182[.]118 | Gandi SAS | 2022-02-13 00:46:46 | imtoken[.]sx | Distribution website |
| 104.21.34[.]81 | N/A | 2022-01-20 18:24:30 | imtoken.net[.]im | Distribution website |
| 104.21.87[.]75 | Nets To | 2022-02-09 09:09:38 | imtoken.cn[.]com | Distribution website |
| 104.21.11[.]70 | NETMASTER SARL | 2022-02-09 09:08:05 | imtoken[.]tg | Distribution website |
| 188.8.131.52 | NameSilo | 2022-02-06 03:52:06 | update.imdt[.]cc | C&C |
| 97.74.83[.]237 | GoDaddy | 2022-01-27 18:44:33 | imbbq[.]co | C&C |
| 172.67.189[.]148 | GoDaddy | 2022-01-27 16:07:53 | ds-super-admin.imtokens[.]money | C&C |
| 156.226.173[.]11 | GoDaddy | 2022-01-19 14:59:48 | imtokenss.token-app[.]cc | C&C |
| 45.154.213[.]11 | Alibaba Cloud Computing | 2021-12-31 21:48:56 | xdhbj[.]com | C&C |
| 47.242.200[.]140 | Alibaba Cloud Computing | 2021-05-28 11:42:54 | update.xzxqsf[.]com | C&C |
| 45.155.43[.]118 | NameSilo | 2021-09-24 10:03:29 | metamask.tptokenm[.]live | C&C |
| 172.67.223[.]58 | GoDaddy | 2022-01-19 22:51:08 | two.shayu[.]la | C&C |
| 45.154.213[.]18 | Xin Net Technology | 2018-08-03 23:00:00 | jdzpfw[.]com | C&C |
| 104.21.86[.]197 | NameSilo | 2022-02-06 03:48:48 | bp.tkdt[.]cc | C&C |
| 104.21.86[.]197 | NameSilo | 2022-02-06 04:04:29 | ok.tkdt[.]cc | C&C |
| 172.67.136[.]90 | NameSilo | 2022-02-03 02:00:42 | mm.tkdt[.]cc | C&C |
| 8.210.235[.]71 | Dynadot | 2021-07-16 13:25:06 | token-lon[.]me | C&C |
| 172.67.182[.]118 | Gandi SAS | 2022-02-13 00:51:18 | bh.imtoken[.]sx | C&C |
| 172.67.142[.]90 | Nets To | 2022-02-09 09:18:54 | ht.imtoken.cn[.]com | C&C |
| 184.108.40.206 | Name.com | 2022-02-13 00:59:59 | api.tipi21341[.]com | C&C |
| 89.223.124[.]75 | Namecheap | 2022-01-18 11:34:56 | ariodjs[.]xyz | C&C |
| 199.36.158[.]100 | MarkMonitor | 2022-02-03 02:22:17 | walletappforbit.net[.]app | C&C |
| 195.161.62[.]125 | REGRU-SU | 2019-08-04 23:00:00 | jaxx[.]su | C&C |
| 111.90.156[.]9 | REGRU-SU | 2021-09-29 03:12:49 | jaxx[.]tf | C&C |
| 111.90.145[.]75 | Hosting Concepts B.V. d/b/a | 2018-09-11 23:00:00 | master-consultas[.]com | C&C |
| 104.219.248[.]112 | Namecheap | 2022-01-19 23:03:52 | jaxxwalletinc[.]live | C&C |
| 50.87.228[.]40 | FastDomain | 2021-09-09 21:15:10 | jabirs-xso-xxx-wallet[.]com | C&C |
| 88.80.187[.]8 | Tucows Domains | 2022-01-06 03:52:05 | jaxx.podzone[.]org | C&C |
| 192.64.118[.]16 | Namecheap | 2022-01-07 16:09:06 | saaditrezxie[.]store | C&C |
MITRE ATT&CK techniques
Note: This table was built using version 10 of the ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1444 | Masquerade as Legitimate Application | Fake website offers trojanized Android and/or iOS apps for download. |
| Initial Access | T1478 | Install Insecure or Malicious Configuration | Fake website offers a download of a malicious configuration profile for iOS. |
| Initial Access | T1475 | Deliver Malicious App via Authorized App Store | Fake cryptocurrency wallet apps were distributed via Google Play. |
| Credential Access | T1417 | Input Capture | Trojanized wallet apps intercept seed phrases during initial wallet creation. Fake Jaxx apps request the seed phrase under the guise of connecting to the victim's Jaxx account. |
| Exfiltration | T1437 | Standard Application Layer Protocol | Malicious code exfiltrates the recovery seed phrase over standard HTTP or HTTPS. |