A technically sophisticated threat actor referred to as SeaFlower has been targeting Android and iOS users as part of an extensive campaign that mimics official cryptocurrency wallet websites with the intention of distributing backdoored apps that drain victims' funds.
Said to be first discovered in March 2022, the cluster of activity "hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered," based on the macOS usernames, source code comments in the backdoor code, and its abuse of Alibaba's Content Delivery Network (CDN).
"As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase," Confiant's Taha Karim said in a technical deep-dive of the campaign.
Targeted apps include Android and iOS versions of Coinbase Wallet, MetaMask, TokenPocket, and imToken.
SeaFlower's modus operandi involves setting up cloned websites that act as a conduit to download trojanized versions of the wallet apps, which are nearly unchanged from their original counterparts apart from the addition of new code designed to exfiltrate the seed phrase to a remote domain.
The malicious activity is also engineered to target iOS users through provisioning profiles that allow the apps to be sideloaded onto the devices.
As for how users stumble upon these websites offering fraudulent wallets, the attack leverages search engine optimization (SEO) poisoning techniques on Chinese search engines like Baidu and Sogou so that searches for terms such as "download MetaMask iOS" are rigged to surface the drive-by download pages at the top of the search results page.
If anything, the disclosure once again highlights how threat actors are increasingly setting their sights on popular Web3 platforms in an attempt to plunder sensitive data and deceptively transfer digital funds.
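Because the trojanized builds differ from the genuine apps only by added code, one defensive check is to diff a package obtained from an unofficial site against a known-good copy from the official store before it is ever installed. The following Python example is added here and is not part of the original article or of Confiant's research. It treats both APK and IPA files as what they are at the container level, zip archives, hashes every entry, and reports what was added, removed or modified. The two archives, their entry names and their contents are constructed samples built in memory so the script runs offline; no real wallet app is involved.

```python
from __future__ import annotations

import hashlib
import io
import zipfile


def package_manifest(data: bytes) -> dict[str, str]:
    """Map each file entry in a zip-based app package (APK/IPA) to the SHA-256 of its bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_packages(reference: bytes, candidate: bytes) -> dict[str, list[str]]:
    """Compare a known-good package against a downloaded one, entry by entry."""
    ref = package_manifest(reference)
    cand = package_manifest(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n]),
    }


def is_pristine(report: dict[str, list[str]]) -> bool:
    """True only when the candidate is byte-for-byte identical in every entry."""
    return not any(report.values())


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Helper for the constructed sample: pack name -> content pairs into a zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the genuine app package (entry names and bytes are made up).
ORIGINAL_ENTRIES: dict[str, bytes] = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "classes.dex": b"dex\n035\x00original-bytecode",
    "assets/index.bundle": b"var wallet = {};",
}

# Constructed stand-in for a tampered copy: one original entry changed, one entry added.
# "assets/index.bundle" now contains extra code; "classes2.dex" did not exist before.
TROJANIZED_ENTRIES: dict[str, bytes] = dict(
    ORIGINAL_ENTRIES,
    **{
        "assets/index.bundle": b"var wallet = {}; /* added code */",
        "classes2.dex": b"dex\n035\x00added-bytecode",
    },
)

ORIGINAL_PACKAGE = build_archive(ORIGINAL_ENTRIES)
TROJANIZED_PACKAGE = build_archive(TROJANIZED_ENTRIES)


def sample_report() -> dict[str, list[str]]:
    """Run the diff on the constructed pair; returns the added/removed/modified lists."""
    return diff_packages(ORIGINAL_PACKAGE, TROJANIZED_PACKAGE)


if __name__ == "__main__":
    report = sample_report()
    for kind, names in report.items():
        print(f"{kind:>8}: {names}")
    print("pristine:", is_pristine(report))
```

A real-world run would feed `diff_packages` the store-downloaded package and the one fetched from the suspect site; any entry listed under "added" or "modified" is what warrants inspection before the app goes near a seed phrase. Note that this per-entry comparison deliberately ignores the package signature block, so it catches repackaged apps even when they have been re-signed with a different key.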