What Is Clipper Malware and How Does It Affect Android Users?


On January 8, 2019, we saw the first instance of “clipper malware” on the Google Play store. It disguised itself as an innocent app to fool people into downloading it, then began redirecting cryptocurrency funds to the malware’s author.

But what is clipper malware, how does it work, and how can you avoid an attack?

What Is Clipper Malware?

Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is like the cryptocurrency version of a bank account number. If you want someone to pay you in cryptocurrency, you give them your wallet address and they enter it into their payment details.

You can learn more about how cryptocurrency works in our handy guide.

Clipper malware hijacks a cryptocurrency transaction by swapping a wallet address with one owned by the malware author. When the user goes to make a payment from their cryptocurrency account, they end up paying the malware author instead of their intended recipient.

This can cause some serious financial damage if the malware manages to hijack a high-value transaction.

How Clipper Malware Works

Clipper malware performs this swap by monitoring the clipboard of the infected device, where copied data is stored. Every time the user copies data, the clipper checks it to see if it contains any cryptocurrency wallet addresses. If it does, the malware swaps it out with the malware author’s address.

Now, when the user goes to paste the address, they’ll end up pasting the hijacked address instead of the legitimate one.

Clipper malware exploits the complicated nature of wallet addresses. These are long strings of numbers and letters that are seemingly chosen at random. Unless a user has used a wallet address multiple times, there’s very little chance that they’ll notice that it’s been swapped.

Even worse, its complexity means people are far more likely to copy and paste the address—exactly what the clipper malware wants!

How Long Has It Been Around?

Clipper malware, by itself, is nothing new. It entered the scene around 2017, and mainly focused on Windows-based machines. Since then, clipper malware for Android has been developed and sold on the black market, and infected apps could be found on shady sites.

Such sites were the staging ground for the 2016 Gooligan malware, which infected 1 million devices.

This is the first instance of an app on the official Google Play store being infected with clipper malware. Successfully uploading an infected app to the official store is every malware distributor’s dream scenario. An app on the Google Play store carries a certain air of authenticity, making it more trustworthy than apps found on a random website.

This means people typically download and install apps from the store without question, which is exactly what malware authors want.

Which Apps Contained Clipper Malware?

The clipper malware dwelled within an app called MetaMask. It’s a real service that enables browser-based distributed applications for the cryptocurrency Ethereum. MetaMask doesn’t have an official Android app yet, so the malware authors capitalized on this to make people think it did.

This phony MetaMask app did more than swap out cryptocurrency addresses in the clipboard. It also asked for the user’s Ethereum details as part of a fake account set-up. Once the unsuspecting user had entered the details, the malware authors had all the information they needed to log into the account and drain it for themselves.

Fortunately, a security firm discovered the clipper malware before it did too much damage. The fake MetaMask app was uploaded on February 1st 2019, and was reported and removed just over a week later.

The Rise in Cryptocurrency Attacks

While this attack vector is new, it doesn’t come as too much of a surprise. Cryptocurrencies are very big business these days, and with it comes the potential to make a large amount of money. While most people are satisfied with making money via legal means, there will always be some that seek to exploit others instead.

Cryptojackers are a favorite of malware authors around the globe. These hijack a device’s processor to make it mine cryptocurrency for the author, preferably without the end-user even noticing.

Much like this clipper malware example, security firms found cryptojackers infecting apps on the Google Play store. As such, this may be just the start of cryptocurrency-based malware attacking users on Android phones.

How to Avoid a Clipper Malware Attack

This may sound very scary, but avoiding a clipper malware attack is quite simple. Clipper malware depends on the user being ignorant of its existence and ignoring the warning signs. Learning about how clipper malware works is a big step toward defeating it. By reading this article, you’ve already done 90 percent of the work!

First, always make sure you download apps from the Google Play store. While Google Play is not perfect, it’s a lot safer than shady sites on the internet. Try to avoid sites that act as a ‘third-party store’ for Android, as these are far more likely to contain malware than Google Play.

Google Play App Download Count

When downloading apps on Google Play, double-check the app’s total downloads before installing. If an app hasn’t been around for long and has a low download count, downloading it could be risky. Likewise, if the app claims it’s the mobile version of a popular service, double-check the developer name.

If the name differs (even slightly) from the official developer’s name, it’s a big warning sign that something is wrong.

Even if your phone does get infected with clipper malware, you can avoid an attack by being careful. Double-check any wallet address that you paste to ensure it hasn’t changed mid-way through. If the address you paste is different from the one you copied, clipper malware is lurking on your system.
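That copy-versus-paste comparison is the heart of the defence, so here it is as a worked check. This is an added example, not code from the original article: it takes the text the user copied and the text about to be pasted (supplied by the caller; no platform clipboard API is used), flags a different address of the same type as a swap, and for Bitcoin addresses also verifies the Base58Check checksum so a corrupted address is caught. The address patterns and the helper names are mine; the sample address is the well-known Bitcoin genesis-block address.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Format patterns for the two address types the article mentions: Bitcoin
# legacy Base58Check and Ethereum hex. Constructed for this example.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^[13][%s]{25,34}$" % B58),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return which wallet-address format the text matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def bitcoin_checksum_ok(addr):
    """Base58Check: the last 4 decoded bytes must equal the first 4 bytes of
    SHA-256(SHA-256(version + hash160)). A typo or a botched swap fails this."""
    num = 0
    for ch in addr:
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def check_paste(copied, pasted):
    """Compare what the user copied with what is about to be pasted.
    'ok': unchanged;  'swapped': the clipboard no longer holds what was copied
    (the clipper signature described above);  'invalid': a Bitcoin address
    that fails its checksum;  'not_an_address': nothing worth checking."""
    kind = address_type(pasted)
    if kind is None:
        return "not_an_address"
    if copied.strip() != pasted.strip():
        return "swapped"
    if kind == "bitcoin" and not bitcoin_checksum_ok(pasted.strip()):
        return "invalid"
    return "ok"

# Public constant: the Bitcoin genesis-block address (valid Base58Check).
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    # A constructed "swapped" clipboard: same format, different address.
    print(check_paste(GENESIS, GENESIS), check_paste(GENESIS, "1" + "B" * 33))
```

The wallet app or a clipboard-watching helper would call check_paste just before the paste is committed and refuse anything other than "ok".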

Do a full virus scan and delete any shady apps you may have installed recently.

Clipping the Wings of Clipper Malware

Clipper malware can be devastating for anyone who handles large amounts of cryptocurrency. The complicated nature of wallet addresses, combined with a typical user’s tendency to copy and paste, gives clipper malware a window of opportunity to strike.

Many people may not even realize what they’re doing until it’s too late!

Fortunately, defeating clipper malware is simple. Never download suspicious apps, and double-check all wallet links before confirming a transaction.

Concerned about malware on your mobile device? Here’s how to enhance your smartphone security and beat mobile malware.


What Is Cryptojacking? How Websites Secretly Use Your CPU to Mine Cryptocurrency


The rise of cryptojacking didn’t take those in the crypto-and-security worlds by surprise. In fact, the only surprising thing was perhaps the length of time it took malicious actors to use cryptojacking to mine for cryptocurrency.

As the cryptocurrency boom took hold at the end of 2017, so did a sudden surge in malicious cryptojacking incidents.

The phenomenal peaks of the cryptocurrency boom are long gone; cryptocurrency markets are somewhat stable, albeit still unpredictable. Has the decreased price correlated with a reduction in cryptojacking incidents? Do they relate at all? Here’s what you need to know.

What Is Cryptojacking?

Cryptojacking is the catch-all term for a malicious attack in which unsuspecting users have their system hardware hijacked to mine cryptocurrency. The basic premise of a cryptojacking browser attack is:

  • An unsuspecting user lands on a compromised webpage.
  • The webpage has a small piece of JavaScript containing the cryptojacking code.
  • The cryptojacking code hijacks the system CPU and puts it to use mining cryptocurrency, usually Monero.
  • In some cases, the JavaScript opens a minimized, hidden browser window. When the user leaves the site, the illicit crypto-mining continues.
  • However, most cryptojacking attacks end when the website tab closes.

Cryptojacking isn’t just browser-based. There are several types of malware out there that will mine cryptocurrency after infecting your system. Most malware attempts to stay silent, but cryptojacking malware is more silent than most. The longer a cryptojacking malware variant can remain silent, the larger the potential reward for the attacker.

Cryptojacking, then, is theft. The unsuspecting users aren’t directly losing money, but they are losing system resources to power someone else’s financial gain. And while cryptojacking is malicious, it doesn’t leave any long-term damage to the target system, despite running the CPU at maximum or near-maximum capacity for a short amount of time.

Why Does Cryptojacking Use System Resources?

Cryptocurrency doesn’t grow on trees. No, it grows on servers, waiting for the right miners to come along and release it. Cryptojacking scripts primarily use the system CPU to do this.

Crypto-networks manage transactions through the blockchain. Each network transaction is added to a block. The block is distributed to a network of connected miners for verification. Each miner has a copy of the cryptocurrency-specific blockchain and can validate and process transactions for that network.

When the new block arrives, the miner’s system processes complex equations to verify the block contents. On verification, the block adds to the blockchain, and the miners receive a pay-out reward for their efforts. In the case of Bitcoin, the reward is 12.5 BTC, shared between whoever contributes.

The key to crypto-mining success is speed and processing power. How quickly can your system verify the transactions within the block? Bitcoin mining is essentially useless for anyone not using specialized crypto-mining hardware. The sheer volume of mining power simply drowns out a tiny home desktop computer.

If Not Bitcoin, What Are They Mining?

Even as the Bitcoin price dropped from the heady $19,000+ mark back toward its current peaks and troughs, Bitcoin mining is inaccessible. Furthermore, Ethereum and ERC-20-based tokens use GPUs to mine cryptocurrencies. So just what are the cryptojackers attempting to mine?

For the most part, browser cryptojacking scripts and cryptojacking malware are mining Monero. The lightweight, privacy- and anonymity-focused cryptocurrency is easier to mine than Bitcoin and theoretically provides the crypto-mining thieves with protection after the fact. But not all of them. As you’ll read further down the article, several advanced cryptojacking threats mine Bitcoin.

But even though Monero is infinitely easier to mine than Bitcoin, it still requires raw computing power. Raw computing power requires investment in hardware. And let’s face it, if the mining thieves can steal the hardware with a tiny piece of JavaScript, why wouldn’t they try to maximize the profits?

JavaScript Cryptojacking

The first widespread cryptojacking JavaScript came from CoinHive, a company that wants to alter how we interact with the internet and the advertising profits that essentially underpin everything that takes place.

CoinHive’s vision was for authorized crypto-mining to replace advertising. Websites could still make an income based upon page views and the time spent on the site and users could avoid adverts without feeling awful for using an adblocker (and thus essentially robbing content creators of their fair dues).

Infamous content pirating and torrenting site, The Pirate Bay, was one of the first to experiment with the CoinHive model.

Unfortunately, it wasn’t long before malicious actors realized they could easily repurpose CoinHive’s mining script for more nefarious means. The original script has a setting that controls what share of the CPU the miner uses. Originally set to 30% so users could happily continue using their browser, cryptojackers bumped this up to the full 100% on all cores, to maximize profits for the presumably short time most users linger on a malicious landing page.

To be fair to CoinHive, they realized what was going on and issued an update to their script. The newer version, known as AuthedMine, offers users the chance to opt in to the crypto-mining process, regaining its peaceful, original purpose as an advertising alternative. That said, adopting it is optional: website owners don’t have to use AuthedMine, and they’re under no obligation to inform you as to what is eating your CPU alive.
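A defender-side way to see the difference between the two embeds is to scan a page’s HTML for the miner loader and read off the throttle it was configured with. This is an added example, not code from the article or from CoinHive: the host list, the helper names and the sample pages are constructed for it; the throttle semantics follow CoinHive’s published API, where the value is the fraction of time the miner idles and 0 means no throttling.

```python
import re

# Hosts that served the CoinHive miner and its opt-in successor AuthedMine.
# Constructed for this example; a real scanner would use a maintained blocklist.
MINER_HOSTS = ("coinhive.com", "authedmine.com")

SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
THROTTLE = re.compile(r'throttle\s*:\s*([0-9]*\.?[0-9]+)', re.I)

def host_of(url):
    """Hostname of a script src, for both 'https://host/..' and '//host/..' forms."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def scan_html(html):
    """Report miner script loads and the CPU share the embed is configured for.

    'throttle' is the fraction of time the miner idles (CoinHive API semantics,
    assumed here): 0.3 leaves about 70% of the CPU to mining; 0, or no throttle
    at all, runs it flat out. Returns None when no miner script is loaded."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        h = host_of(src)
        if any(h == m or h.endswith("." + m) for m in MINER_HOSTS):
            hosts.append(h)
    if not hosts:
        return None
    match = THROTTLE.search(html)
    idle = float(match.group(1)) if match else 0.0
    return {
        "miner_hosts": hosts,
        # True only when every miner load comes from the opt-in AuthedMine host.
        "opt_in_host": all(h.endswith("authedmine.com") for h in hosts),
        "cpu_share_percent": round((1.0 - idle) * 100),
        "cpu_usage": "full" if idle == 0.0 else "throttled",
    }

# Constructed sample pages (not real sites). 'SITE_KEY' is a placeholder.
POLITE_EMBED = """<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3});
miner.start();</script>"""

JACKED_EMBED = """<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0});
miner.start();</script>"""

CLEAN_PAGE = '<script src="https://cdn.example.com/app.js"></script>'

if __name__ == "__main__":
    for page in (POLITE_EMBED, JACKED_EMBED, CLEAN_PAGE):
        print(scan_html(page))
```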

Cryptojacking Evolution

Cryptojacking is evolving. Like all profitable and largely risk-free cyber-attacks, malicious actors always want bigger gains for their investments and are prepared to shift cryptojacking forward to do so.

  • In the early days of cryptojacking, one of the easiest methods to boost profits was to use a redirect loop. Unsuspecting victims are sent through a number of web pages before landing on one that has a crypto-mining script installed.
  • Another already-mentioned technique is opening a new browser window that is minimized and hidden behind the taskbar. The minute browser window is hidden behind the system clock and is then “free” to run until the user notices something is afoot.
  • Some browser extensions were found to conceal crypto-mining scripts without notifying the user. Some extensions were stolen from their developers, had the cryptojacking script injected, then were reuploaded or updated to the extension store. (In fact, Google swiftly banned all Chrome extensions abusing cryptojacking scripts.)

But that’s not all. Home users have relatively low power computers. Those running cryptojacking campaigns quickly realized there are bigger cryptojacking fish to fry: enterprises with powerful super-computers.

In February 2018, electric vehicle manufacturer Tesla announced they were the victims of a cryptojacking attack. RedLock Cloud Security Intelligence revealed that a vulnerable Kubernetes administration console exposed login credentials for a Tesla Amazon Web Services environment, and the hackers immediately turned the massive computing power to crypto-mining. British insurance provider Aviva and international digital security firm Gemalto also fell foul of the same cryptojacking vulnerability.

Other reports suggest that already vulnerable Internet of Things devices are a prime target for cryptojacking, too. The Fortinet Threat Landscape Report [sign-up, PDF] found that 23 percent of its respondents were exposed to cryptojacking malware. IoT devices make an attractive, easy target due to their poor security, huge volume, and always-on status.

Cryptojacking Malware Explosion

However, other security leaks also contribute to the cryptojacking landscape. Remember the massive WannaCry ransomworm of 2017? WannaCry was the direct result of a liberated trove of previously unknown zero-day exploits that the NSA developed and amassed covertly. The Shadow Brokers, a hacking group with alleged ties to the Russian government, leaked numerous exploits, including EternalBlue (also styled ETERNALBLUE) which was crucial in spreading the WannaCry ransomworm at such a rapid pace.

Hackers around the world take notice when a tool causes such devastation (only halted by security researcher Marcus Hutchins, aka MalwareTech, who now faces a string of hacking allegations in the US). Combine EternalBlue with a malware payload that mines cryptocurrency and voilà: suddenly we have WannaMine. WannaMine was first picked up by Panda Security and, like its ransomworm cousin, is extremely difficult to detect and block.

Nation-State Cryptojacking Malware Campaigns

But it isn’t just “regular” hackers putting cryptojacking malware to use. The North Korean state-sponsored hacking group, Lazarus (of Sony hack infamy), put a cryptojacking trojan to work against several high-profile banking institutions. Aside from the notable direct targeting of banking and financial organizations, the Lazarus “AppleJeus” attack almost uniquely targeted macOS systems, with a Linux exploit said to be in development.

Furthermore, since the presumably moderately successful AppleJeus attack, Lazarus is directly linked to the Ryuk cryptojacking malware which, at the time of writing, had stolen over $600,000. It isn’t just outlandish speculation; the Ryuk cryptojacking malware bears hallmarks of the Lazarus group Hermes malware variant (the same variant used to distract security services during the attempted $60 million heist on Taiwan’s Far Eastern International Bank). The Ryuk malware is interesting in that the targets appear to be hand-picked. That is to say, each ransom-note is different, makes a different demand, and so on. A personal service, almost.

Will Cryptojacking Get Worse?

Well, the rate of cryptojacking directly relates to the price of cryptocurrencies, as you might expect. The Fortinet Threat Landscape Report (linked above) illustrates this with the following chart:

As the price of Bitcoin dropped, so did the incidents of cryptojacking.

Other reports don’t offer the same borderline positive information, though. The McAfee Labs Threats Report June 2018 [PDF] states that the “count of total coin miner malware rose by 629% in Q1, to more than 2.9 million samples.” The report elaborates further, confirming that in comparison with “well-established cybercrime activities such as data theft and ransomware, cryptojacking is simpler, more straightforward, and less risky.”

In that, you can see the appeal of browser-based cryptojacking and cryptojacking malware variants, especially in comparison to other financially motivated attacks. Ransomware requires initial investment to spread the infection to enough victims, while victims still have the option to ignore the ransom and not pay, especially if the victim frequently takes system backups.

Cryptojacking isn’t going anywhere. And if cryptocurrency prices begin to rise in earnest, expect more malware to appear rapidly.
