ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets
At the time of writing this blogpost, the price of bitcoin (US$38,114.80) has decreased about 44 % from its all-time high about 4 months ago. For cryptocurrency investors, this might be a time either to panic and withdraw their funds, or for newcomers to jump at this opportunity and buy cryptocurrency for a lower price. If you belong to one of these groups, you should choose carefully which mobile app to use for managing your funds.
Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps. We found trojanized Android and iOS apps distributed through websites mimicking legitimate services. These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.
This is a sophisticated attack vector, since the malware’s author carried out an in-depth analysis of the legitimate applications misused in this scheme, enabling the insertion of their own malicious code into places where it would be hard to detect while also making sure that such crafted apps had the same functionality as the originals. At this point, we believe that this is the work of one individual attacker or, more likely, one criminal group.
The main goal of these malicious apps is to steal users’ funds, and until now we have seen this scheme primarily targeting Chinese users. As cryptocurrencies are gaining popularity, we expect these techniques to spread into other markets. This is further supported by the public sharing, in November 2021, of the source code of the front-end and back-end distribution website, along with the recompiled APK and IPA files. We found this code on at least five websites, where it was shared for free, and thus expect to see more copycat attackers. From the posts we found, it is difficult to determine whether it was shared intentionally or if it leaked.
These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network. Besides this cryptocurrency wallet scheme, we also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store, which is proactively protected by the App Defense Alliance, of which ESET is one of the scanning partners, prior to apps being listed.
ESET Research identified over 40 copycat websites of popular cryptocurrency wallets. These websites target only mobile users and offer them the download of malicious wallet apps.
We were able to trace the distribution vector of these trojanized cryptocurrency wallets back to May 2021, based on the domain registration that was provided for these malicious apps in the wild, as well as the creation of several Telegram groups that started to search for affiliate partners.
On Telegram, a free and popular multiplatform messaging app with enhanced privacy and encryption features, we found dozens of such groups promoting malicious copies of cryptocurrency mobile wallets. We assume these groups were created by the threat actor behind this scheme looking for further distribution partners, suggesting options such as telemarketing, social media, advertisement, SMS, third-party channels, fake websites etc. All these groups were communicating in Chinese. Based on the information acquired from these groups, a person distributing this malware is offered a 50 % commission on the stolen contents of the wallet.
Admins of these Telegram groups posted step-by-step video demonstrations of how these fake wallets work and how to access them once victims enter their seed phrases, which are a set of words that can be used to access one’s cryptocurrency wallet. To illustrate how successful this malicious scheme is, admins also included screenshots from admin panels and pictures of several cryptocurrency wallets that they claim belong to them. However, it isn’t possible to verify whether the funds shown in these video demonstrations originate from such illegal activities or are just bait from recruiters.
Shortly after, starting in October 2021, we found that these Telegram groups were shared and promoted in at least 56 Facebook groups, with the same goal – to search for more distribution partners.
In November 2021, we observed the distribution of malicious wallets, using two legitimate websites, targeting users in China (yanggan[.]net, 80rd[.]com). On these websites, in the category “Investment and financial management”, we discovered up to six articles promoting mobile cryptocurrency wallets using copycat websites, leading users to download malicious mobile applications claiming to be legitimate and reliable. These posts abuse the names of legitimate cryptocurrency wallets such as imToken, Bitpie, MetaMask, TokenPocket, OneKey, and Trust Wallet.
All posts contained a view counter with publicly available statistics. At the time of our research, all of these posts together had over 1840 views; however, that doesn’t mean these articles were visited that many times.
On December 10th, 2021, the threat actor posted an article on a legitimate Chinese website in the Blockchain News category, informing about Beijing’s latest cryptocurrency ban. This ban on cryptocurrency exchanges suspended new registrations of users in mainland China. The author of this post also put together a list of cryptocurrency wallets (not exchanges) to bypass the current ban. The list recommends using five wallets – imToken, Bitpie, MetaMask, TokenPocket, and OneKey. The problem is that the suggested websites are not the official sites for the wallets, but rather websites mimicking the legitimate services.
On top of that, the main page of this website also contains an advertisement for the aforementioned fake wallets.
Besides these distribution vectors, we discovered dozens of other counterfeit wallet websites that are targeting mobile users exclusively. Visiting one of the websites might lead a potential victim to download a trojanized wallet app for Android or the iOS platform. The sites themselves weren’t phishing for recovery seeds or cryptocurrency exchange credentials, and they didn’t target desktop users or their browsers with the option to download a malicious extension.
Figure 10 shows the timeline of these events.
The malicious app behaves differently depending on the operating system it was installed on.
On Android, it appears to target new cryptocurrency users who don’t yet have a legitimate wallet application installed on their devices. Trojanized wallets have the same package name as legitimate applications; however, they are signed using a different certificate. This means that if the official wallet is already installed on an Android smartphone, the malicious app can’t overwrite it, because the key used to sign the counterfeit app is different from the one used for the legitimate application. That’s the standard security model of Android apps, where non-genuine versions of an app can’t replace the original.
However, on iOS, the victim can have both versions installed – the legitimate one from the App Store and the malicious one from a website – because they don’t share the same bundle ID.
For Android devices, sites offered the option to directly download the malicious app from their servers even when the user clicked on the button “Get it on Google Play”. Once downloaded, the app needs to be manually installed by the user.
Regarding iOS, these malicious apps are not available on the App Store; they must be downloaded and installed using configuration profiles, which add an arbitrary trusted code-signing certificate. Using these profiles, it’s possible to download applications that aren’t verified by Apple and that come from sources outside the App Store. Apple introduced configuration profiles in iOS 4 and intended them to be used in corporate and educational settings, to allow network or system administrators to install sitewide, custom apps without having to upload them to, and have them verified through, the usual App Store procedures. Unsurprisingly, social engineering victims into installing configuration profiles to enable the subsequent installation of malware is now being used by cybercriminals. Applications enabled via configuration profiles must be installed manually.
For both platforms, downloaded apps behave like fully working wallets – victims can’t see any difference. This is possible because the attackers took the legitimate wallet apps and repackaged them with additional malicious code.
Repackaging of these legitimate wallet apps needed to be done manually, without the use of any automated tools. Because of that, it required the attackers to perform an in-depth analysis of the wallet apps for both platforms first, and then find the exact places in the code where the seed phrase is either generated or imported by the user. In these places, the attackers inserted malicious code that is responsible for obtaining the seed phrase and sending it to the attackers’ server.
For those who are not aware of the seed or recovery phrase: when a cryptocurrency wallet is created, this phrase is generated as a list of words that allow the wallet’s owner to access the wallet’s funds.
If the attackers have a seed phrase, they can manipulate the content of the wallet as if it were their own.
Some of the malicious apps send secret victim seed phrases to the attackers’ server using the unsecured HTTP protocol, without any additional encryption in place. Because of that, other bad actors on the same network could eavesdrop on the network communication and steal victims’ seed or recovery phrases to access their funds. This attack scenario is known as an adversary-in-the-middle attack.
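Because some of these apps send the seed phrase over plain HTTP, the exfiltration is visible to anyone who can observe the traffic, and that includes a defender’s own proxy or egress logs. The following Python script is an added example written for this page, not ESET’s code: it runs over a few constructed proxy log lines, flags destinations that appear in the C&C column of the IoC table at the end of this post (with the defanging removed), and flags request bodies that contain a run of words shaped like a BIP39 seed phrase, escalating when such a body leaves over plain http://. The log format, the sample lines and the seed-phrase heuristic are assumptions of the example; the heuristic checks only word shape and count, not membership in the BIP39 wordlist, so it can misfire on an ordinary twelve-word sentence and is meant as a triage signal rather than proof.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# C&C hostnames taken from the IoC table of this blogpost (a subset), with the
# defanging "[.]" removed so they can be matched against log data.
KNOWN_C2 = {
    "two.shayu.la", "725378.com", "bp.tkdt.cc", "jdzpfw.com", "ok.tkdt.cc",
    "xdhbj.com", "api.metamasks.me", "update.xzxqsf.com", "metamask.tptokenm.live",
    "imtokenss.token-app.cc", "mm.tkdt.cc", "admin.metamaskio.vip",
    "admin.token2.club", "update.imdt.cc", "imbbq.co", "ds-super-admin.imtokens.money",
    "appapi.imtoken.porn", "bh.imtoken.sx", "ht.imtoken.cn.com", "token-lon.me",
}

# BIP39 English seed words are 3-8 lowercase letters, and a phrase has 12, 15, 18,
# 21 or 24 of them. The regex finds runs of 12-24 such words; the length check below
# keeps only the valid phrase lengths. This is a shape heuristic, not a wordlist lookup.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RUN = re.compile(r"(?<![a-z])(?:[a-z]{3,8} ){11,23}[a-z]{3,8}(?![a-z])")


def looks_like_mnemonic(body):
    """True if a request body contains a run of words shaped like a BIP39 seed phrase."""
    text = unquote_plus(body)  # form-encoded bodies carry '+' or '%20' for spaces
    return any(len(m.group(0).split()) in MNEMONIC_LENGTHS for m in WORD_RUN.finditer(text))


def analyze_request(line):
    """Classify one log line of the constructed form 'TIMESTAMP METHOD URL BODY'.

    Returns a list of findings (empty when nothing is suspicious):
      known-c2-host       - destination host appears in the IoC list
      mnemonic-in-body    - body carries a seed-phrase-shaped word run
      cleartext-mnemonic  - the above, sent over plain http:// (readable on the path)
    """
    _timestamp, _method, url, body = line.rstrip("\n").split(" ", 3)
    parts = urlsplit(url)
    findings = []
    if parts.hostname in KNOWN_C2:
        findings.append("known-c2-host")
    if looks_like_mnemonic(body):
        findings.append("mnemonic-in-body")
        if parts.scheme == "http":
            findings.append("cleartext-mnemonic")
    return findings


def scan_log(lines):
    """Return {line_number: findings} for every line that produced at least one finding."""
    results = {}
    for number, line in enumerate(lines, start=1):
        findings = analyze_request(line)
        if findings:
            results[number] = findings
    return results


# Constructed sample log lines (not real captured traffic). The seed words are the
# first twelve entries of the public BIP39 English wordlist, used here as a dummy phrase.
SAMPLE_LOG = [
    "2022-02-07T10:12:31Z POST http://jdzpfw.com/api/upload "
    "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract+absurd+abuse+access+accident",
    "2022-02-07T10:13:02Z GET https://rates.example.com/v1/ping -",
    "2022-02-07T10:14:55Z POST https://update.imdt.cc/v1/import "
    '{"words":"zoo zone zero youth young yellow year yard wrong write wrist wrap"}',
    "2022-02-07T10:15:10Z POST http://support.example.net/contact "
    "name=alice&message=hello+there+from+the+wallet+support+team+please+reply+soon+thanks",
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(findings)}")
```

On the sample lines, the first request (a seed phrase posted over plain HTTP to a host from the IoC list) raises all three findings, the JSON import to a second listed host raises two, and the two requests to unrelated hosts raise none; the eleven-word support message shows why the length check matters. In production the host match would be fed from a threat-intelligence feed rather than a hard-coded set.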
We’ve seen various types of malicious code implemented in the trojanized wallet applications we’ve analyzed.
Malicious code was patched into a binary file (classes.dex) of a malicious Android wallet. A new class was inserted, along with the calls to its methods that were found in specific places of the wallet code where it processes the seed phrase. This class was responsible for sending the seed phrase to the attackers’ server. Server names were always hardcoded, so the malicious app couldn’t update them in the event that the servers were taken down.
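Both observations above, the repackaged APK keeping the original package name but carrying a different signing certificate, and a classes.dex with an extra class patched in, show up as differences in the ZIP entries of the APK when it is compared with a known-good build of the same package. The Python below is an added example, not code from ESET or from any of the wallet projects: it builds two small in-memory ZIPs laid out like APKs (the package name is taken from the IoC table; the dex bytes and signature blocks are constructed placeholders, not real DEX or PKCS#7 data) and reports which entries changed and whether the v1 signature block differs.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for a legitimate APK and a repackaged copy of it. A real APK
# has many more entries and a binary AndroidManifest.xml; only the pieces relevant to
# the comparison (classes.dex and the v1 signature block under META-INF/) are modelled.
PACKAGE = "com.wallet.crypto.trustapp"  # package name from the IoC table; same in both copies

LEGIT_DEX = b"dex\n035\x00" + b"Lcom/wallet/SeedPhraseActivity;" * 4
PATCHED_DEX = LEGIT_DEX + b"Lcom/wallet/SeedUploader;"  # an extra class appended (constructed)
LEGIT_CERT = b"--constructed PKCS#7 block of the legitimate signer--"
ATTACKER_CERT = b"--constructed PKCS#7 block of a different signer--"


def build_apk(dex_bytes, signer_block):
    """Assemble an in-memory ZIP laid out like an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", f"<manifest package='{PACKAGE}'/>".encode())
        z.writestr("classes.dex", dex_bytes)
        z.writestr("META-INF/CERT.RSA", signer_block)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map every ZIP entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def is_signature_block(name):
    # v1 (JAR) signing stores the signer's certificate chain in META-INF/*.RSA|DSA|EC
    return name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))


def compare_apks(reference_apk, sample_apk):
    """Diff a sample against a known-good build of the same package.

    Returns a dict with the entries that were changed, added and removed, plus
    'signer_changed', which is True when any v1 signature block differs, i.e. the
    sample was signed with a different key than the reference.
    """
    ref, smp = entry_digests(reference_apk), entry_digests(sample_apk)
    changed = sorted(n for n in ref.keys() & smp.keys() if ref[n] != smp[n])
    added = sorted(smp.keys() - ref.keys())
    removed = sorted(ref.keys() - smp.keys())
    touched = set(changed) | set(added) | set(removed)
    return {
        "changed": changed,
        "added": added,
        "removed": removed,
        "signer_changed": any(is_signature_block(n) for n in touched),
    }


if __name__ == "__main__":
    report = compare_apks(build_apk(LEGIT_DEX, LEGIT_CERT),
                          build_apk(PATCHED_DEX, ATTACKER_CERT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed pair the report lists classes.dex and META-INF/CERT.RSA as changed and sets signer_changed, which is exactly the pattern described above: same package, different code, different key. The script only inspects v1 (JAR) signature files; v2 and v3 signatures live in the APK Signing Block outside the ZIP entries, so for a real sample the authoritative check is `apksigner verify --print-certs sample.apk`, comparing the printed certificate digest with the one published by the legitimate developer.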
In an iOS app, the threat actor injected a malicious dynamic library (dylib) into a legitimate IPA file. This can be done either manually or by binding it automatically using various patching tools. Such a library is then part of the app and executed at runtime. In the screenshot below you can see the components of dynamic libraries found in both legitimate and patched IPA files.
The image above shows that the dynamic library libDevBitpieProDylib.dylib contains malicious code responsible for extracting the victim’s seed phrase.
We found the code from the dynamic library that extracts the seed phrase, as seen below.
In the image below we compare the original and the malicious version of a script found in the index.android.bundle file. Based on that, we can see the attackers modified the script in a few specific places by inserting their own routines responsible for stealing seed phrases. Such a patched script was found in both the Android and iOS versions of these apps.
The videos below demonstrate the compromise and secret seed phrase exfiltration from the victim’s device.
Figure 22. The compromise and secret seed phrase exfiltration from the victim’s device (Android)
Figure 23. The compromise and secret seed phrase exfiltration from the victim’s device (iOS)
ESET Research discovered that the source code of the front-end and back-end, together with recompiled and patched mobile apps included in these malicious wallet schemes, was publicly shared on at least five Chinese websites and in a few Telegram groups in November 2021.
Right now, it appears that the threat actors behind this scheme are probably located in China. However, since the code is already shared publicly for free, it might attract other attackers – even outside of China – who could target a wider spectrum of cryptocurrency wallets using an improved scheme.
Based on our request as a Google App Defense Alliance partner, in January 2022, Google removed 13 malicious applications found on the Google Play store that impersonated the legitimate Jaxx Liberty Wallet app; they were installed more than 1,100 times. One of the apps in this list used a fake website mimicking Jaxx Liberty as a distribution vector. Since the threat actor behind this malicious app managed to place it in the official Google Play store, the fake website redirected the user to download its mobile version from the Google Play store and didn’t have to use a third-party app store as an intermediary. This is likely to be a successful trick to convince a potential victim that the app is legitimate, since it’s available for download from the official app store.
Some of these apps make use of homoglyphs, a technique more commonly used in phishing attacks: they replace characters in their names with look-alikes from the Unicode character set. This is likely done to bypass app name filters for popular apps created by legitimate developers.
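Homoglyph names are straightforward to catch once a name is normalised before it is compared. The Python below is an added example written for this page, not ESET’s or Google Play’s tooling: it folds a display name through NFKC normalisation and a small, constructed subset of Unicode confusables, compares the result with a list of protected app names, and separately lists every letter from outside the Latin script so a reviewer can see exactly which character was swapped. The protected-name list and the submitted names are constructed for the example; a production filter would load the full confusables table published by Unicode.

```python
import unicodedata

# A small, constructed subset of Unicode confusables: non-Latin letters that render
# (near-)identically to Latin ones. Unicode's confusables.txt is the full reference.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0408": "J",  # CYRILLIC CAPITAL LETTER JE
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
    "\u0415": "E",  # CYRILLIC CAPITAL LETTER IE
    "\u041e": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0420": "P",  # CYRILLIC CAPITAL LETTER ER
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
    "\u0425": "X",  # CYRILLIC CAPITAL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0399": "I",  # GREEK CAPITAL LETTER IOTA
}

# Constructed list of names a store filter would protect (not a real Google Play list).
PROTECTED = ["Jaxx Liberty", "Trust Wallet", "MetaMask"]


def skeleton(name):
    """Reduce a display name to a comparison key.

    NFKC folds compatibility forms (fullwidth letters, ligatures), the confusable map
    folds look-alike letters onto their Latin twins, and casefold() removes case.
    """
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).casefold()


def non_latin_letters(name):
    """List (char, code point, Unicode name) for every letter outside the Latin script."""
    found = []
    for ch in name:
        if ch.isalpha():
            uname = unicodedata.name(ch, "UNKNOWN")
            if "LATIN" not in uname:
                found.append((ch, f"U+{ord(ch):04X}", uname))
    return found


def homoglyph_match(candidate, protected_names):
    """Return the protected name that `candidate` imitates, or None.

    A candidate is flagged when it is not literally one of the protected names but
    collapses to the same skeleton as one of them, as 'Ja\u0445x Liberty' (Cyrillic HA) does.
    """
    if candidate in protected_names:
        return None
    key = skeleton(candidate)
    for name in protected_names:
        if skeleton(name) == key:
            return name
    return None


def review_name(candidate, protected_names=PROTECTED):
    """Combine both checks into one verdict for a submitted app name."""
    return {
        "imitates": homoglyph_match(candidate, protected_names),
        "foreign_letters": non_latin_letters(candidate),
    }


if __name__ == "__main__":
    # Constructed submissions: Cyrillic HA for 'x', fullwidth 'J', Cyrillic EM for 'M'.
    for submitted in ["Ja\u0445x Liberty", "\uff2aaxx Liberty", "Meta\u041cask", "Jaxx Liberty Pro"]:
        print(repr(submitted), review_name(submitted))
```

The two checks are deliberately independent: the skeleton comparison catches the names that collapse onto a protected one, while the script listing also surfaces a swapped letter that the small map does not know (the Cyrillic EM in the third sample), so an unknown confusable still gets human review.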
In comparison to the trojanized wallet apps described above, these apps were without any legitimate functionality – their goal was simply to tease out the user’s recovery seed phrase and send it either to the attackers’ server or to a secret Telegram chat group.
ESET researchers continually advise users to download and install apps only from official sources, such as the Google Play store or Apple’s App Store. A reliable mobile security solution should be able to detect this threat on an Android device – for instance, ESET products detect this threat as Android/FakeWallet. In the Google Play store case, ESET takes its commitment to protecting the mobile ecosystem further, partnering with other security vendors and Google in the App Defense Alliance to assist in the vetting of apps submitted for listing on Google Play.
On an iOS device, the nature of the operating system – when not jailbroken – allows an app to communicate with other apps only in very limited ways. That is why no security solutions are offered for iOS, as they would only be able to scan themselves. Therefore, downloading apps only from the official App Store, being especially careful about accepting configuration profiles, and avoiding a jailbreak on this platform are the most advisable prevention tips.
If any of these apps are already installed on your device, the removal process differs based on the mobile platform. On Android, regardless of the source from which you downloaded the malicious app – official or unofficial – if there are doubts about the legitimacy of the source, we advise uninstalling the app. None of the malware described in this blogpost leaves any backdoors or leftovers on the device after removal.
On iOS, after uninstalling the malicious app, it’s also important to remove its configuration profile by going to Settings → General → VPN & Device Management. Under CONFIGURATION PROFILE you will be able to find the name of the profile that needs to be removed.
If you either already created a new, or restored an old, wallet using such a malicious application, we advise immediately creating a brand-new wallet with a trusted device and application and transferring all funds to it. This is important since the attackers have already obtained the seed phrase and can transfer available funds at any time. Considering that the attackers know the history of all the victim’s transactions, they might not steal the funds immediately and might rather wait for a better opportunity after more coins are deposited.
ESET Research was able to uncover and backtrack a sophisticated malicious cryptocurrency scheme that targets mobile devices using Android or iOS operating systems. It has been distributed through fake websites mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These fake websites are promoted with ads placed on legitimate sites using misleading articles, for example in “Investment and financial management” sections.
In the future, we might expect an expansion of this threat, since threat actors are recruiting intermediaries through Telegram groups and Facebook to further distribute this malicious scheme, offering them a percentage of the cryptocurrency stolen from the wallets.
Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further.
The goal of these fake sites is to make users download and install malicious mobile wallet applications. These wallet apps are trojanized copies of legitimate ones – that’s why they work as real wallets on a victim’s device – however, they are patched with a few lines of malicious code that is responsible for stealing the victim’s secret seed phrase.
This sophisticated attack required the attackers to perform an in-depth analysis of each wallet application first, to identify the exact places in the original code to inject their malicious code, and then to promote the apps and make them available for download through fake websites.
We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked to the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources.
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
| First seen | MD5 | SHA-1 | SHA-256 | Package name | Description | C&C | ESET detection name |
|---|---|---|---|---|---|---|---|
| 2021-12-19 | 1AA2F6795BF8723958313BAD7A2657B4 | B719403DC3743D91380682EAC290C3C67A738192 | 5DA813FEC32E937E5F2AE82C57842FDED71F0671E1D8E6FD50FF8521D183F809 | com.wallet.crypto.trustapp | Trojanized version of Trust Wallet Android application. | two.shayu[.]la | Android/FakeWallet.B |
| 2022-01-19 | E7CEBF27E8D4F546DA9491DA78C5D4B4 | BC47D84B8E47D6EAF501F2F0642A7C4E26EC88B6 | A4D875C13B46BC744D18BB6668F17EA67BFF85B26CF0D46100736BD62DB649AE | com.wallet.crypto.trustapp | Trojanized version of Trust Wallet Android application. | 725378[.]com | Android/FakeWallet.D |
| 2022-02-05 | 22689A6DA0FC86AD75BF62F3B172478D | CDB96862A68A1C01EA5364CB03760AE59C2B0A74 | 127E4DA1614E42B541338C0FAACD7C656655C9C0228F7D00EC9E13507FA0F9E9 | com.bitpie | Trojanized version of Bitpie Android application. | bp.tkdt[.]cc | Android/FakeWallet.AB |
| 2022-02-07 | 4729D57DF40585428ADCE26A478C1C3A | E9B7D8F93B4C04B5DC3D1216482035C242F98F24 | 0B60C44749B43147D40547B438B8CCB50717B319EF20D938AB59F0079D1BA57C | cce4492155695349d80ad508d33e33ae93772fba39e50c520f3f6deaf43c8e2780b40762eosIM0.ipa | Trojanized version of Bitpie iOS application. | jdzpfw[.]com | iOS/FakeWallet.A |
| 2022-02-04 | 6D0C9DDD18538494EB9CA7B4BC78BDB0 | 3772A8ACD9EB01D2DC8124C9CDA4E8F4219AE9F3 | 9017EF4A85AC85373D0F718F05F4A5C441F17AE1FD9A7BFD18521E560E6AB39E | com.bixin.wallet.mainnet | Trojanized version of OneKey Android application. | ok.tkdt[.]cc | Android/FakeWallet.AA |
| 2022-01-20 | 140DB26EB6631B240B3443FDB49D4878 | 869155A5CB6D773243B16CCAF30CEC5C697AC939 | 8ADCD1C8313C421D36EB6C4DF948D9C40578A145764E545F5AC536DC95ED2069 | io.metamask | Trojanized version of MetaMask Android application. | 725378[.]com | Android/FakeWallet.F |
| 2022-01-20 | A2AFDED28CB68CADF30386FC15A26AFA | 5B0363F1CB0DB00B7449ABE0B1E5E455A6A69070 | FD88D8E01DB36E5BE354456F1FB9560CE9A3328EEFBF77D5560F3BDDA1856C80 | io.metamask | Trojanized version of MetaMask Android application. | xdhbj[.]com | Android/FakeWallet.E |
| 2022-01-21 | 383DB92495705C0B25E56785CF17AAC9 | CF742505000CCE89AB6AFCAEC7AB407F7A9DFB98 | 0ED22309BF79221B5C099285C4CDE8BAB43BA088890A14707CC68BC7A8BA15AE | io.metamask | Trojanized version of MetaMask Android application. | api.metamasks[.]me | Android/FakeWallet.H |
| 2022-01-21 | B366FCF5CA01A9C51806A7E688F1FFBE | 399C85CCC752B1D8285B9F949AC1F4483921DE64 | 49937230ABB29118BDA0F24EBEFD9F887857814C9B4DC064AED52A9A3C278D53 | io.metamask | Trojanized version of MetaMask Android application. | update.xzxqsf[.]com | Android/FakeWallet.I |
| 2022-01-19 | B6E8F936D72755A812F7412E76F6968E | E525248D78D931AF92E2F5376F1979A029FA4157 | 0056027FBC4643D24282B35F53E03AC1E4C090AA22F2F88B1D8CBD590C51F399 | io.metamask | Trojanized version of MetaMask Android application. | metamask.tptokenm[.]live | Android/FakeWallet.G |
| 2022-02-01 | 54053B4CCACAA36C570A4ED500A8C4A2 | 99144787792303F747F7EF14B80860878A204497 | 553209AEEA2515F4A7D76CE0111DD240AEAD97FAC149ACC3D161C36B89B729D8 | io.metamask | Trojanized version of MetaMask Android application. | imtokenss.token-app[.]cc | Android/FakeWallet.P |
| 2022-02-04 | 15BDC469C943CF563F857DE4DCA7FCC5 | 664F1E208DA29E50DF795144CB3F80C9582B33E3 | CD896A7816768A770305F3C2C07BCC81ABDF1F18B9F3C2B48B4494704A3B61B7 | io.metamask | Trojanized version of MetaMask Android application. | jdzpfw[.]com | Android/FakeWallet.W |
| 2021-12-11 | A202D183B45D3AB10221BCB40A3D3EC2 | 15D11E0AB0A416DB96C0713764D092CB245B8D17 | E95BF884F1AE27C030C56E95969C00200B22531DC2C794975D668F1DD0AEEDDD | io.metamask | Trojanized version of MetaMask Android application. | mm.tkdt[.]cc | Android/FakeWallet.X |
| 2022-02-04 | CC6E37F6C5AF1FF5193828DDC8F43DF0 | 452E2E3A77E1D8263D853C69440187E052EE3F0A | A58B9C7763727C81D40F2B42CCCA0D34750CDF84FC20985699A6E28A4A85094F | io.metamask | Trojanized version of MetaMask Android application. | admin.metamaskio[.]vip | Android/FakeWallet.Z |
| 2022-02-07 | 68A68EFED8B70952A83AA5922EA334BD | 4450F4ED0A5CF9D4F1CA6C98FC519891EF9D764F | 3F82BA5AB3C3E9B9DDEAA7C33C670CE806A5E72D409C813FF7328434E2054E6D | 6vugkf43gx.ipa | Trojanized version of MetaMask iOS application. | admin.metamaskio[.]vip | iOS/FakeWallet.A |
| 2022-02-07 | 1EE43A8046FA9D68C78619E25CD37249 | 2B741593B58E64896004461733B7E86D98EB7B7D | EB5EB7E345E4C48F86FB18ABC0883D61E956A24D5A9A4B488C2FDD91F789033A | 00835616-3548-4fa4-8aee-828585de7680.ipa | Trojanized version of MetaMask iOS application. | 725378[.]com | iOS/FakeWallet.A |
| 2022-02-01 | 9BFEE43D55DFD5A30861035DEED9F4B0 | 4165E9CDFC10FA118371CB77FE4AD4142C181B23 | E1BF431DC0EBB670B743012638669A7CE3D42CE34F8F676B1512601CD8A6DBF0 | im.token.app | Trojanized version of imToken Android application. | admin.token2[.]club | Android/FakeWallet.L |
| 2022-02-01 | D265C7894EDB20034E6E17B4FFE3EC5D | 78644E1256D331957AA3BF0AC5A3D4D4F655C8EA | 15C1532960AE3CAA8408C160755944BD3ABC12E8903D4D5130A364EF2274D758 | im.token.app | Trojanized version of imToken Android application. | update.imdt[.]cc | Android/FakeWallet.M |
| 2022-02-01 | 14AA1747C28FFC5CDB2D3D1F36587DF9 | 0DFD29CD560E0ACB6FCAF2407C504FEB95E3FC19 | CB9757B7D76B9837CFC153A1BA9D1AC821D2DBDB09ED877082B0D041C22D66E9 | im.token.app | Trojanized version of imToken Android application. | imbbq[.]co | Android/FakeWallet.O |
| 2022-01-05 | 3E008726C416963D0C5C78A1E71EBA65 | 16A0C8C24EF64F657696E176700A83B76FDA39C7 | 3069A2EED380D98AAE822A9B792927B498234C37E6813193B5881922992BAFEE | im.token.app | Trojanized version of imToken Android application. | ds-super-admin.imtokens[.]money | Android/FakeWallet.Q |
| 2022-02-01 | CA3231E905C5308DE84D953377BB22C2 | 9D79392B1027C6E2AAD3B86C2E60141B8DF0879E | 1D7D0D75319BFFF0C2E2E268F0054CAABD9F79783608292C2A6C61FABE079960 | im.token.app | Trojanized version of imToken Android application. | appapi.imtoken[.]porn | Android/FakeWallet.S |
| 2021-12-13 | C3B644531FC9640F45B22C76157350B6 | AE22B21038787003E9B70BC162CCA12D5767EEBF | 8E63CE669A7865B867C2D33CBCB69677E3CE51C3FBAB131171C8017E41F4EC5A | im.token.app | Trojanized version of imToken Android application. | bh.imtoken[.]sx | Android/FakeWallet.AI |
| 2022-02-09 | A62B00BF3F37EABB32D38AB4F999AB42 | CA6DAF6645B2832AA5B0CC0FEAB41A848F7803D3 | A6E6A4C80906D60CBEA4643AC97235B308F5EF35C5AB54B38BF63280F6A127D4 | im.token.app | Trojanized version of imToken Android application. | ht.imtoken.cn[.]com | Android/FakeWallet.AJ |
| 2022-01-18 | 90B4C4CE9A0019ACB0EEDBA6392E8319 | 4A4C98D6E758536A20442A2FA9D81220FB73B56B | 731F1952142CFFE3DBDD6CCD5221AEC6EC91679308F0A9D46B812B62EC861AEF | org.toshi | Trojanized version of Coinbase Wallet Android application. | 180.215.126[.]33:51148 | Android/FakeWallet.C |
| 2022-01-31 | E27A4039D0A0FFD0C34E82B090EFE2BD | 4C8DE212E49386E701DB212564389241CE4A7E5A | 4736ECA0030C86D1AFA2C01558ED31151C3A72BA24D9ED278341AB3DF71467E5 | org.toshi | Trojanized version of Coinbase Wallet Android application. | token-lon[.]me | Android/Spy.Agent.BYH |
| 2022-02-07 | 6EFEF97F0633B3179C7DFC2D81FE67FB | 0E419606D6174C36E53601DA5A10A7DBB3954A70 | A092C7DD0E9DEF1C87FB8819CB91B4ECE26B140E60E5AD637768113733541C2B | cce4492155695349d80ad508d33e33ae93772fba_3858264b86e27f12.ipa | Trojanized version of Token Pocket iOS application. | jdzpfw[.]com | iOS/FakeWallet.A |
| 2022-01-19 | 149B8AADD097171CC85F45F4D913F194 | 51F038BC7CBB0D74459650B947927D916F598389 | A427759DE6FE25E1B8894994A226C4517BB5C97CF893EC4B50CBD7A340F34152 | com.cjaxx.libertywallet.exchange | Fake Jaxx Liberty wallet. | ariodjs[.]xyz | Android/FakeApp.OC |
| 2022-01-12 | 3ED898EA1F47F67A80A7DD5CF0052417 | 022D9FBC989CA022FA48DF7A29F3778AFD009FFD | BD626C5BD36E9206C48D0118B76D7F6F002FFCF2CF5F1B672D6D626EE09836BD | com.jaxx_liberty.walletapp | Fake Jaxx Liberty wallet, corrupted sample. | Not included | Android/FakeApp.NT |
| 2022-01-19 | D7B1263F7DA2FDA0FB81FBDAC511454C | F938CEC631C8747AAE942546BB944905A35B5D7B | 206123F2D992CD236E6DB1413BCFE4CE9D74721D509A0512CF70D62D466B690D | com.jaxx_libertyfy_12.jaxxwalletpro | Fake Jaxx Liberty wallet. | spspring.herokuapp[.]com | Android/FakeApp.NT |
| 2022-01-12 | C3CBA07BEAF3F5326668A8E26D617E86 | 85ED0E51344E3435B3434B935D4FFCADAF06C631 | 1FE95756455FDDE54794C1DDDFB39968F1C9360E44BF6B8CE9CEF9A6BEDA4EE1 | com.jaxxwebliberty.webviewapp | Fake Jaxx Liberty wallet. | jaxx[.]tf | Android/FakeApp.NV |
| 2022-01-19 | 8F2B2272C06C4FE5D7962C7812E1AEA7 | 9D279FCA4747559435CCA2A680DB29E8BAC1C1F5 | 039544846724670DAE731389EB6E799E17B085DDD6D4670536803C5C3CEB7496 | com.MBM.jaxxw | Fake Jaxx Liberty wallet. | master-consultas[.]com/jaxliberty/ | Android/FakeApp.OB |
| 2022-01-19 | 99B4FF9C036EE771B62940AB8A987747 | CE0380103B9890FD6B6F19C34D156B68E875F00C | 8C8F65A70677C675EE2AF2C70DD439410DE3C3D0736FFC20D1AB7F1DA3F47956 | com.VRA.jaxx | Fake Jaxx Liberty wallet. | master-consultas[.]com/jaxliberty/ | Android/FakeApp.NZ |
| 2022-01-12 | 9D9D85400771684BE53012B828832F31 | 45DA3F337ABA9454323DF9B1F765E7F8439BFFD8 | 58106983A575DF14291AC501221E5F7CCD6CE2239CBFEC089A7596EEBE3DFA9C | crp.jaxwalet.com | Fake Jaxx Liberty wallet. | Telegram chat_id: 959983483 | Android/FakeApp.NS |
| 2022-01-19 | 271550A137B28DB5AF457E3E48F2AAB0 | 5605426A09E0DD285C86DB0DE335E7942A765C8E | F87CC7B548A3AD8D694E963013D2D0370FE6D37FC2024FBE624844489B4C428D | io.jaxxc.ertyx | Fake Jaxx Liberty wallet. | czbsugjk[.]xyz | Android/FakeApp.OE |
| 2022-01-19 | 28DB921C6CFD4EAD93DF810B7F514AEE | 3B6E2966D3EF676B453C3A5279FFF927FA385185 | 19F0F9BF72C071959395633A2C0C6EB54E31B6C4521311C333FA292D9E0B0F1D | io.jaxxc.ertyxcc | Fake Jaxx Liberty wallet. | czbsugjk[.]xyz | Android/FakeApp.OF |
| 2022-01-19 | F06603B2B589D7F82D107AB8B566D889 | 568546D9B5D4EA2FBDE53C95A76B26E8655D5BC5 | CAAD41986C5D74F8F923D258D82796632D069C5569503BFB16E7B036945F5290 | jax.wall.exchange.bnc | Fake Jaxx Liberty wallet. | jaxxwalletinc[.]live | Android/FakeApp.OA |
| 2022-01-19 | F4BEACADF06B09FD4367F17D3A0D8E22 | 97E13DBD320EE09B5934A3B4D5A7FF23BA11E81C | A99AA5412EA12CB7C2C1E21C1896F38108D7F6E24C9FDD7D04498592CF804369 | jaxx.libertycryptowallet.ltd | Fake Jaxx Liberty wallet. | jabirs-xso-xxx-wallet[.]com | Android/FakeApp.OD |
| 2022-01-12 | 295E7E67B025269898E462A92B597111 | 75F447226C8322AE55D93E4BCF23723C2EAB30E3 | 2816B84774235DFE2FBFCC2AF5B2A9BE3AB3A218FA1C58A8A21E7973E640EB85 | net.jxxwalltpro.app | Fake Jaxx Liberty wallet. | jaxx.podzone[.]org | Android/FakeApp.NW |
| 2022-01-12 | 6D9CF48DD899C90BA7D495DDF7A04C88 | 3C1EF2ED77DB8EFA46C50D781EF2283567AFC96F | DB9E9CF514E9F4F6B50937F49863379E23FE55B430FFB0DB068AE8ED2CA0EEE8 | wallet.cryptojx.store | Fake Jaxx Liberty wallet. | saaditrezxie[.]store | Android/FakeApp.NU |
| IP | Provider | First seen | Details |
|---|---|---|---|
| 185.244.150[.]159 | Dynadot | | token2[.]club Distribution website |
| 3.33.236[.]231 | GoDaddy | 2022-01-27 16:55:51 | imtoken[.]porn Distribution website |
| 172.67.210[.]44 | 广州云讯信息科技有限公司 | 2022-01-24 12:53:46 | imtken[.]cn Distribution website |
| 172.67.207[.]186 | GoDaddy | 2021-12-01 17:57:00 | im-token[.]one Distribution website |
| 47.243.75[.]229 | GoDaddy | 2021-12-09 11:22:03 | imtokenep[.]com Distribution website |
| 154.82.111[.]186 | GoDaddy | 2022-01-24 11:43:46 | imttoken[.]org Distribution website |
| 104.21.89[.]154 | GoDaddy | 2022-01-24 11:26:23 | imtokens[.]money Distribution website |
| 104.21.23[.]48 | N/A | 2022-01-06 12:24:28 | mtokens[.]im Distribution website |
| 162.0.209[.]104 | Namecheap | 2020-10-02 11:14:06 | tokenweb[.]online Distribution website |
| 156.226.173[.]11 | GoDaddy | 2022-01-27 17:04:42 | metamask-wallet[.]xyz Distribution website |
| 103.122.95[.]35 | GoDaddy | 2022-01-24 11:04:56 | metemas[.]me Distribution website |
| 104.21.34[.]145 | GoDaddy | 2021-11-12 20:41:32 | metamasks[.]me Distribution website |
| 8.212.40[.]178 | TopNets Technology | 2021-05-31 08:29:39 | metamask[.]hk Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-10-18 16:24:49 | metamaskey[.]com Distribution website |
| 172.67.180[.]104 | NameSilo | 2021-10-01 13:26:26 | 2022mask[.]com Distribution website |
| 69.160.170[.]165 | Hefei Juming Network Technology | 2022-01-13 12:25:38 | metamadk[.]com Distribution website |
| 104.21.36[.]169 | NameSilo | 2021-11-28 03:54:13 | metemasks[.]live Distribution website |
| 45.116.163[.]65 | 阿里云计算有限公司（万网） | 2021-12-10 15:39:07 | bitpiecn.com[.]cn Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-11-06 13:25:43 | tokenp0cket[.]com Distribution website |
| 104.21.24[.]64 | NameSilo | 2021-11-14 07:29:44 | im-tokens[.]info Distribution website |
| 104.21.70[.]114 | NameSilo | 2021-12-30 13:39:22 | tokenpockets[.]buzz Distribution website |
| 172.67.201[.]47 | NameSilo | 2022-02-06 03:47:17 | bitepie[.]club Distribution website |
| 104.21.30[.]224 | NameSilo | 2021-11-22 08:20:59 | onekeys[.]dev Distribution website |
| 206.119.82[.]147 | Gname | 2021-12-23 21:41:40 | metamaskio[.]vip Distribution website |
| 45.116.163[.]65 | Xin Net Technology | 2021-12-10 15:33:41 | zh-imtoken[.]com Distribution website |
| 47.243.117[.]119 | 广州云讯信息科技有限公司 | 2021-10-18 11:36:07 | bitoken.com[.]cn Distribution website |
| 104.21.20[.]159 | NameSilo | 2021-11-19 16:39:52 | lmtokenn[.]cc Distribution website |
| 104.21.61[.]17 | NameSilo | 2021-12-30 12:33:04 | lntokems[.]club Distribution website |
| 104.21.26[.]245 | NameSilo | 2021-11-26 18:39:27 | matemasks[.]date Distribution website |
| 172.67.159[.]121 | NameSilo | 2022-02-06 03:48:54 | bitpio[.]com Distribution website |
| 172.67.171[.]168 | NameSilo | 2022-02-06 03:50:25 | onekeys[.]mobi Distribution website |
| 172.67.133[.]7 | NameSilo | 2021-12-28 06:57:00 | tokenpockets[.]org Distribution website |
| 216.83.46[.]49 | Dynadot | 2022-01-17 17:22:40 | app-coinbase[.]co Distribution website |
| 172.67.182[.]118 | Gandi SAS | 2022-02-13 00:46:46 | imtoken[.]sx Distribution website |
| 104.21.34[.]81 | N/A | 2022-01-20 18:24:30 | imtoken.net[.]im Distribution website |
| 104.21.87[.]75 | Nets To | | imtoken.cn[.]com Distribution website |
| 104.21.11[.]70 | NETMASTER SARL | | imtoken[.]tg Distribution website |
| 188.8.131.52 | NameSilo | 2022-02-06 03:52:06 | update.imdt[.]cc C&C |
| 97.74.83[.]237 | GoDaddy | 2022-01-27 18:44:33 | imbbq[.]co C&C |
| 172.67.189[.]148 | GoDaddy | 2022-01-27 16:07:53 | ds-super-admin.imtokens[.]money C&C |
| 156.226.173[.]11 | GoDaddy | 2022-01-19 14:59:48 | imtokenss.token-app[.]cc C&C |
| 45.154.213[.]11 | Alibaba Cloud Computing | 2021-12-31 21:48:56 | xdhbj[.]com C&C |
| 47.242.200[.]140 | Alibaba Cloud Computing | 2021-05-28 11:42:54 | update.xzxqsf[.]com C&C |
| 45.155.43[.]118 | NameSilo | 2021-09-24 10:03:29 | metamask.tptokenm[.]live C&C |
| 172.67.223[.]58 | GoDaddy | 2022-01-19 22:51:08 | two.shayu[.]la C&C |
| 45.154.213[.]18 | Xin Net Technology | 2018-08-03 23:00:00 | jdzpfw[.]com C&C |
| 104.21.86[.]197 | NameSilo | 2022-02-06 03:48:48 | bp.tkdt[.]cc C&C |
| 104.21.86[.]197 | NameSilo | 2022-02-06 04:04:29 | ok.tkdt[.]cc C&C |
| 172.67.136[.]90 | NameSilo | 2022-02-03 02:00:42 | mm.tkdt[.]cc C&C |
| 8.210.235[.]71 | Dynadot | 2021-07-16 13:25:06 | token-lon[.]me C&C |
| 172.67.182[.]118 | Gandi SAS | 2022-02-13 00:51:18 | bh.imtoken[.]sx C&C |
| 172.67.142[.]90 | Nets To | | ht.imtoken.cn[.]com C&C |
| 184.108.40.206 | Name.com | 2022-02-13 00:59:59 | api.tipi21341[.]com C&C |
| 89.223.124[.]75 | Namecheap | 2022-01-18 11:34:56 | ariodjs[.]xyz C&C |
| 199.36.158[.]100 | MarkMonitor | 2022-02-03 02:22:17 | walletappforbit.net[.]app C&C |
| 195.161.62[.]125 | REGRU-SU | 2019-08-04 23:00:00 | jaxx[.]su C&C |
| 111.90.156[.]9 | REGRU-SU | 2021-09-29 03:12:49 | jaxx[.]tf C&C |
| 111.90.145[.]75 | Hosting Concepts B.V. d/b/a | 2018-09-11 23:00:00 | master-consultas[.]com C&C |
| 104.219.248[.]112 | Namecheap | 2022-01-19 23:03:52 | jaxxwalletinc[.]live C&C |
| 50.87.228[.]40 | FastDomain | 2021-09-09 21:15:10 | jabirs-xso-xxx-wallet[.]com C&C |
| 88.80.187[.]8 | Tucows Domains | 2022-01-06 03:52:05 | jaxx.podzone[.]org C&C |
| 192.64.118[.]16 | Namecheap | 2022-01-07 16:09:06 | saaditrezxie[.]store C&C |
Note: This table was built using version 10 of the ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1444 | Masquerade as Legitimate Application | Fake website provides trojanized Android and/or iOS apps for download. |
| Initial Access | T1478 | Install Insecure or Malicious Configuration | Fake website provides a download of a malicious configuration profile for iOS. |
| Initial Access | T1475 | Deliver Malicious App via Authorized App Store | Fake cryptocurrency wallet apps were distributed via Google Play. |
| Credential Access | T1417 | Input Capture | Trojanized wallet apps intercept seed phrases during initial wallet creation. Fake Jaxx apps request the seed phrase under the guise of connecting to the victim’s Jaxx account. |
| Exfiltration | T1437 | Standard Application Layer Protocol | Malicious code exfiltrates the recovery seed phrase over standard HTTP or HTTPS protocols. |