Backdoored Web3 Wallets For Android, iOS Users Being Distributed by Chinese Cybercriminals 

SeaFlower, a technically competent threat actor, has been targeting Android and iOS users. Its activity is part of a large-scale operation to distribute backdoored applications that drain victims’ funds, using imitations of legitimate cryptocurrency wallet websites as the lure. 

According to the macOS usernames, source code comments in the backdoor code, and its usage of Alibaba’s Content Delivery Network (CDN), the cluster of activity “hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered.” 

“As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase,” said Confiant’s Taha Karim in a technical deep-dive of the campaign. 

Coinbase Wallet, MetaMask, TokenPocket, and imToken are among the apps targeted on Android and iOS. SeaFlower’s method entails creating cloned websites that serve as a conduit for downloading trojanized wallet apps that are nearly identical to their official counterparts, save for added code that exfiltrates the seed phrase to a remote domain. 

The campaign also targets iOS users through provisioning profiles, which allow apps to be sideloaded onto devices outside the App Store. It relies on SEO poisoning of Chinese search engines such as Baidu and Sogou, so that queries like “download MetaMask iOS” surface the drive-by download URLs at the top of the search results page. 
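Because the iOS leg of this campaign depends on provisioning profiles, a useful defensive triage step is to inspect any `.mobileprovision` file that arrives with a sideloaded wallet app and flag the properties that make out-of-store installation possible. The following Python is an added example, not code from Confiant or from this article. It relies on the documented structure of a provisioning profile (a CMS/PKCS#7 signed envelope whose payload is an XML property list) and locates the plist by scanning for its text rather than parsing the DER wrapper; the two profile blobs it inspects are constructed stand-ins, not real profiles from the campaign.

```python
import datetime
import plistlib
from typing import Any, Dict, List, Optional


def extract_embedded_plist(blob: bytes) -> bytes:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.

    The signed payload is stored as plain XML inside the DER structure,
    so a text scan for the plist boundaries is enough for triage.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded XML plist found in profile")
    return blob[start:end + len(b"</plist>")]


def triage_profile(blob: bytes, now: Optional[datetime.datetime] = None) -> Dict[str, Any]:
    """Summarise a provisioning profile and list the sideloading-relevant findings."""
    info = plistlib.loads(extract_embedded_plist(blob))
    # plistlib returns naive UTC datetimes, so compare against a naive UTC "now".
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ents = info.get("Entitlements", {})
    findings: List[str] = []

    # Enterprise (in-house) profiles install on any device with no App Store review.
    if info.get("ProvisionsAllDevices"):
        findings.append("enterprise distribution: installable on any device, bypassing App Store review")

    # Ad-hoc profiles are pinned to explicit device UDIDs.
    devices = info.get("ProvisionedDevices") or []
    if devices:
        findings.append(f"ad-hoc distribution: pinned to {len(devices)} device UDID(s)")

    # Development profiles allow a debugger to attach to the running app.
    if ents.get("get-task-allow"):
        findings.append("development profile: get-task-allow set, debugger may attach")

    app_id = ents.get("application-identifier", "")
    if app_id.endswith("*"):
        findings.append(f"wildcard application-identifier {app_id!r}")

    exp = info.get("ExpirationDate")
    expired = bool(exp and exp < now)
    if expired:
        findings.append("profile expired")

    return {
        "name": info.get("Name"),
        "team": info.get("TeamName"),
        "team_ids": info.get("TeamIdentifier", []),
        "app_id": app_id,
        "expires": exp,
        "expired": expired,
        "findings": findings,
    }


def _wrap_as_fake_cms(plist: bytes) -> bytes:
    # Constructed stand-in for the DER/CMS envelope; a real file carries
    # ASN.1 SignedData here, but the plist text sits inside it the same way.
    header = b"\x30\x82\x0f\xf0\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
    trailer = b"\x31\x82\x00\x10" + b"\x00" * 16
    return header + plist + trailer


# Constructed sample: an enterprise profile of the kind used for sideloading.
ENTERPRISE_PROFILE = _wrap_as_fake_cms(plistlib.dumps({
    "Name": "Wallet Enterprise Profile (constructed)",
    "TeamName": "Example Team (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "CreationDate": datetime.datetime(2022, 5, 1),
    "ExpirationDate": datetime.datetime(2023, 5, 1),
    "ProvisionsAllDevices": True,
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.wallet",
        "get-task-allow": False,
    },
}))

# Constructed sample: an ad-hoc profile limited to a short device list.
ADHOC_PROFILE = _wrap_as_fake_cms(plistlib.dumps({
    "Name": "Wallet Ad Hoc Profile (constructed)",
    "TeamName": "Example Team (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "ExpirationDate": datetime.datetime(2023, 5, 1),
    "ProvisionedDevices": ["00000000-000000000000002E", "00000000-0000000000000042"],
    "Entitlements": {"application-identifier": "ABCDE12345.*", "get-task-allow": True},
}))


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad-hoc", ADHOC_PROFILE)):
        report = triage_profile(blob)
        print(label, report["team"], report["app_id"])
        for finding in report["findings"]:
            print("  -", finding)
```

On a real incident the same function can be pointed at the `embedded.mobileprovision` inside a downloaded `.ipa` (under `Payload/<App>.app/`); any wallet app arriving with an enterprise or ad-hoc profile from an unfamiliar team is worth treating as suspect, since official App Store builds carry no such profile.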

The revelation, if anything, emphasizes how threat actors are increasingly targeting popular Web3 platforms in an attempt to steal sensitive data and fraudulently transfer virtual funds. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
