SeaFlower Hackers Steal Crypto With Secret Backdoors In Your Android And iOS Wallets

seaflower steal crypto secret backdoors android ios wallets news
Last week, the US Federal Trade Commission (FTC) published a report according to which cryptocurrency scammers have swindled Americans out of over $1 billion since 2021. Cryptocurrency scams are rampant on social media sites, as well as messaging apps like Telegram. The scams often trade on the names of cryptocurrency-related celebrities, such as Jack Dorsey and Elon Musk. However, scams are just one way for bad actors to steal cryptocurrency. Rather than tricking unsuspecting victims into handing over their cryptocurrency, some cybercriminals instead turn to malware in order to poach cryptocurrency themselves.

Researchers from Confiant have published their findings detailing an extensive malware campaign the researchers are calling SeaFlower. The campaign is targeted at users of four different cryptocurrency wallets on iOS and Android: MetaMask, Coinbase Wallet, imToken Wallet, and TockenPocket Wallet. The threat actors behind SeaFlower to speak Chinese, judging by code comments written in Chinese, along with a number of other indicators noted by the researchers. The threat actors also appear to be targeting other Chinese speakers most heavily, having conducted an SEO poisoning campaign that has most affected search results from the Chinese-based Baidu search engine. SEO poisoning campaigns leverage search engine optimization (SEO) techniques to boost malicious websites into the top search results for legitimate websites or services.

seaflower steal crypto secret backdoors android ios wallets coinbase news
Malicious clone of the Coinbase Wallet website (source: Confiant)

In this case, the threat actors have successfully boosted malicious clones of websites for legitimate cryptocurrency wallet. The malicious websites appear identical to their legitimate counterparts, but are hosted at domains controlled by the threat actors. The malicious websites include download buttons for Android and iOS apps, but, rather than redirecting users to the Google Play Store or the Apple App Store, the buttons instead attempt to side-load apps onto users’ devices.

seaflower steal crypto secret backdoors android ios wallets metamask news
Installation process for malicious iOS profile (source: Confiant)

In the case of Android, the websites simply serve up an APK file, which users can download and install themselves. However, Apple doesn’t allow for easy app side-loading like on Android, so, rather than serving up an installation package, the websites instead attempt to set up a provisioning profile on iOS devices. These profiles come with developer keys that allow for the side-loading of the malicious apps.

Once installed, the malicious apps appear and function identically to the legitimate cryptocurrency wallet apps they mimic. However, the malicious apps come with backdoors that log the wallet seed phrases, addresses, and balances and send that information to the threat actors behind the campaign. The threat actors can then use the seed phrases to carry out the account recovery process and gain access to the funds in victims’ wallets. In some cases, the code containing the backdoors is encrypted, meaning anyone inspecting the code for malicious behavior must first use the included cryptographic keys to decrypt the malicious code before discovering what the code does.

In order to avoid falling prey to a malicious app campaign such as this one, iOS users should never allow outside provisioning profiles to be installed on their devices, and Android users should install apps only from trusted sources. All of the wallet apps targeted by this particular attack can be found in the Google Play Store and Apple App Store, so users should download and install them there.

The researchers have provided the hashes for one of the malicious Android apps and all four malicious iOS apps distributed as part of the SeaFlower campaign, so others can identify the malicious apps.

Coinbase Wallet Android app
SHA-256 of the APK:

Coinbase Wallet iOS app
SHA-256 of the .IPA analyzed:

MetaMask iOS app
SHA-256 .IPA file analyzed:

imToken Wallet iOS app
SHA-256 of the .IPA analyzed:

TokenPocket iOS Wallet
SHA-256 of the .IPA file analyzed: