Slashdot Mirror


Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com)

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."
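The summary describes the clipper mechanism: a wallet address the user copies is silently overwritten on the clipboard with one the attacker controls. The block below is an added example written for this page; it is not code from Ars Technica, ESET, MetaMask or the malware. It shows two defender-side checks: validating that a string is a well-formed Bitcoin (Base58Check with checksum) or Ethereum (0x plus 40 hex digits, EIP-55 case checksum deliberately not verified) address, and scanning a clipboard event history for an address the user copied that an app overwrote, within a short window, with a different address of the same kind. The event-log format, the "user"/"app:<name>" source field, the 5-second window and all addresses and timestamps are constructed assumptions, not anything ESET or Android provide.

```python
"""Clipper-malware defences: address validation plus clipboard-swap detection.
Added example, not code from the article or any vendor; all data is constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def _checksum(raw: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(raw))."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version + payload (version 0 = Bitcoin P2PKH)."""
    data = bytes([version]) + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def is_valid_btc_address(addr: str) -> bool:
    """True if addr decodes as Base58Check with a correct 4-byte checksum."""
    if not addr or any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\x00" * pad + body
    return len(data) >= 5 and _checksum(data[:-4]) == data[-4:]


def is_valid_eth_address(addr: str) -> bool:
    """Structural check only: 0x + 40 hex digits (EIP-55 case checksum not verified)."""
    return ETH_RE.fullmatch(addr) is not None


def address_kind(text: str) -> Optional[str]:
    """'btc', 'eth', or None when the text is not a wallet address."""
    if is_valid_eth_address(text):
        return "eth"
    if is_valid_btc_address(text):
        return "btc"
    return None


@dataclass
class ClipEvent:
    t: float       # seconds; constructed timestamps
    source: str    # "user" = explicit copy gesture, "app:<name>" = programmatic write
    content: str


def find_clipper_swaps(events: List[ClipEvent], max_gap_s: float = 5.0) -> List[Tuple[str, str, str]]:
    """Return (copied, replacement, writer) for each address the user copied that an
    app overwrote within max_gap_s with a *different* address of the same kind.
    Same-content rewrites and slow, unrelated writes are not flagged."""
    swaps = []
    pending = None  # (event, kind) of the last address the user copied
    for ev in events:
        kind = address_kind(ev.content)
        if ev.source == "user":
            pending = (ev, kind) if kind else None
            continue
        if (pending and kind == pending[1] and ev.content != pending[0].content
                and ev.t - pending[0].t <= max_gap_s):
            swaps.append((pending[0].content, ev.content, ev.source))
            pending = None
    return swaps


# Constructed data: valid Base58Check addresses built from fixed payloads, and an
# event log in which an impostor wallet app (hypothetical name) swaps the BTC address.
MERCHANT_BTC = b58check_encode(0, bytes(range(20)))
ATTACKER_BTC = b58check_encode(0, bytes(range(20, 40)))
MERCHANT_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20

SAMPLE_EVENTS = [
    ClipEvent(100.0, "user", "meeting at 3pm"),
    ClipEvent(120.0, "user", MERCHANT_BTC),
    ClipEvent(120.3, "app:impostor.wallet", ATTACKER_BTC),  # swap: flagged
    ClipEvent(200.0, "user", MERCHANT_ETH),
    ClipEvent(260.0, "app:impostor.wallet", ATTACKER_ETH),  # 60 s later: outside window
    ClipEvent(300.0, "user", MERCHANT_ETH),
    ClipEvent(300.1, "app:notes", MERCHANT_ETH),            # same content: benign
]

if __name__ == "__main__":
    for copied, replacement, writer in find_clipper_swaps(SAMPLE_EVENTS):
        print(f"{writer} replaced {copied} with {replacement}")
```

The swap detector only has value where the monitor can distinguish a user copy gesture from a programmatic clipboard write; a wallet app that places its own receive address on the clipboard can apply the same comparison to its own writes. The Ethereum check is structural, so a wallet should still show the user the full destination and ask them to compare at least the leading and trailing characters before signing.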

4 of 66 comments

  1. Caught by Luthair · Score: 3, Insightful

    implies they were somehow supposed to know.

    1. Re:Caught by drinkypoo · Score: 3, Insightful

      They were. The Play Store is supposed to be curated.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Caught by alvinrod · Score: 2

      This is an age old problem. It doesn't matter how good your defenses are because they need to focus on the hundreds or thousands of adversarial actors and stop all of them. An attacker need not divide its efforts or attention and will eventually be able to sneak through. You can't rely on anyone else to provide you with perfect security. It's simply unobtainable and believing that you can have it is only leaving yourself vulnerable. Personal vigilance will always be necessary in order to minimize your own exposure.

    3. Re:Caught by drinkypoo · Score: 2

      Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit?

      According to Google's page on Play Protect, "All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on. That way, no matter where you download an app from, you know it's been checked by Google Play Protect." And also:

      How can I protect my device from harmful apps?

      First, make sure you're downloading all apps from trusted sources like the Google Play Store.

      Google claims they do precisely what you say they cannot do. They need to make up their mind whether they do "rigorous security testing" or not, and whether google play protect actually protects users from malware or not. From what I can tell, they do not, and it does not, but they certainly claim that it does, and that it does.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"