An Android crypto wallet stealer

With the rise in popularity and investments in Crypto currency there has been a rise in Crypto related scams as well. SonicWall Threats Research team identified an Android crypto wallet stealing malicious Android application.

• MD5:70b07a67b618a6352bf35a735645b156
• Package Name: com.test.accessibility
• Application Name: Airdrop

Initial Activity

Upon installation and execution the app requests the user to grant Accessibility Services:

The app needs these services so that it can perform clicks in the background on behalf of the user. This is the modus-operandi used by the app to steal crypto wallets from the targeted wallet app - com.wallet.crypto.trustapp.

Accessibility Services

In order to gain the user's trust and to convince the user to grant Accessibility Services, the malware provides an explanation to the user:

The malware creates a service - com.test.accessibility.MyAccessibilityService - that contains a number of interesting elements

• Hardcoded server URL - http://159.69.139.252:999

• Elements of communication using Telegram bot

• A number of app elements related to the target wallet app - com.wallet.crypto - which govern the different components of the legitimate crypto wallet app

• performAction(16) can be seen at several places in the code. This action performs a 'click' or 'touch' on a mobile device, so these actions are intended to click a button. Accessibility services allows an application to perform such clicks in the background without the user's knowledge

Overall this malware is a crypto wallet stealer with a single target app that is quite popular on the Google Play store. With the rise in crypto investments we expect more such malicious apps and scams to surface in the near future.

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

• AndroidOS.CryptoStealer.HT