Fake Version of MetaMask that Steals Crypto Found in Google Play Store
02.11.2019

MetaMask, the browser extension that allows users of Chrome, Firefox, Opera, and Brave to interact with Ethereum dapps, has recently been targeted by scammers who managed to get a fake version of the MetaMask app listed in the Google Play store.

The discovery of the malicious app was made public Friday by Lukas Stefanko, malware researcher with internet security firm ESET. Stefanko tweeted a link to a blog post about the malware, screenshots of the app as it appeared in the Play store, and a section of the malicious code.

In fact, MetaMask has not yet launched a mobile app, although the company announced that one was under development in November. Exploiting the expectation for a mobile product, cybercriminals created a developer profile for “Mmask Inc,” and uploaded a fake version of the MetaMask app to the Play store.

The main purpose of the malware, Stefanko writes, is to steal the victim’s credentials and private keys, thus gaining control of the user’s cryptocurrency wallets. A secondary function involves an attack script known as a “clipper,” which replaces any bitcoin or Ethereum address copied to the user’s clipboard and replaces it with an address owned by the scammer.

Clipper code in the fake MetaMask app. (source: Lukas Stefanko)

The malicious code was spotted soon after the fake version of MetaMask was uploaded to the store, and after the Google Play security team was notified the app was quickly removed.

According to Stefanko, while clipper malware code has been observed in apps available from unofficial Android download sources, it’s the first time that this kind of malware has successfully made it to the Play store. Last month, malware using a similar attack vector was discovered in torrented movie files, this time targeting the users of Windows machines.

Google and MetaMask were not immediately available for comment. The article will be updated with any response.