Researchers from ESET have discovered trojanized apps on the Google Play Store designed to steal cryptocurrency funds, primarily from Chinese users. The researchers found advertisements posing as crypto wallet applications on legitimate websites and in Telegram and Facebook groups. The apps function differently depending on the potential victim’s operating system (Android or iOS), but work toward the same goal. A person downloading one of the apps would likely not notice the malicious function, since the wallets are fully operational and can store crypto. ESET researchers found that the campaign started at some point in May 2021 via Telegram. The Telegram groups were then advertised on Facebook. In November 2021, two legitimate Chinese websites were found to be carrying the advertisements. Based on the targeted demographic, researchers believe that the threat actors behind the campaign are based in China.
It is advised that mobile device users only download verified applications directly from the app store. Applications should also be vetted prior to download. Campaigns like these are likely to continue as long as cryptocurrency remains popular.