SeaFlower, a technically competent threat actor, has been attacking Android and iOS users. Its activity is part of a large-scale operation to distribute backdoored applications, served from imitations of legitimate cryptocurrency wallet websites, that drain victims' funds.
Based on the macOS usernames, the source code comments in the backdoor code, and its use of Alibaba's Content Delivery Network (CDN), the cluster of activity "hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered."
“As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase,” said Confiant’s Taha Karim in a technical deep-dive of the campaign.
Coinbase Wallet, MetaMask, TokenPocket, and imToken are among the apps targeted for Android and iOS. SeaFlower’s method entails creating cloned websites that serve as a conduit for downloading trojanized wallet programs that are nearly identical to their original counterparts save for the addition of new code that exfiltrates the seed phrase to a remote domain.
The campaign also targets iOS users through provisioning profiles, which allow apps to be sideloaded onto devices outside the App Store. It relies on SEO poisoning on Chinese search engines such as Baidu and Sogou, so that searches for phrases like "download MetaMask iOS" surface the drive-by download URLs at the top of the results page.
The disclosure, if anything, underscores how threat actors are increasingly targeting popular Web3 platforms to steal sensitive data and fraudulently transfer virtual funds.