A highly sophisticated threat actor has been observed targeting Android and iOS users in an attempt to spread backdoored apps filled with malicious code designed to drain users’ funds.
Digital advertising security company Confiant has uncovered and reported on this previously unreported campaign, which it has dubbed SeaFlower.
This malicious campaign is replicated from websites that mimic the official or legit cryptocurrency wallet websites (Web3 wallets).
Apps Targeted
At the moment the hackers are targeting primarily iOS and Android apps like:-
- Coinbase Wallet
- MetaMask Wallet
- TokenPocket
- imToken
Modus operandi
There is no evidence of a compromise of these apps by the attackers, instead, they create malicious versions of these apps that include their own backdoors.
Malicious versions of these wallet apps combine the wallet’s legitimate functionalities with the functionality of stealing a user’s seed phrase through which they can then leverage the stolen cryptocurrency of their victims.
A cluster of activity involving SeaFlower was first discovered in March 2022. While the following things that we have mentioned below are the indicators that helped the security experts with detection:-
- macOS usernames
- Original code comments within the backdoor
- Misuse of Alibaba’s CDN
In the past few months, the attackers have created websites in order to distribute fake applications. They have created clones of the legit website of the app they are trying to distribute.
Apart from this, Baidu and other Chinese search engines are primarily targeted in an attempt to lure potential victims to this site with search engine poisoning.
Further Analysis
In addition to targeting iOS users, the malicious action targets them by exploiting the provisioning profiles of iOS devices. In short, SeaFlower uses provisioning profiles when it comes to iOS.
Aside from being sideloaded on the victim’s device, the iOS apps of the malware are also installed on it. Moreover, Apple has already revoked the developer IDs associated with these profiles after Confiant informed it about them.
In this particular case, the investigation has revealed that this malicious campaign has been carried out by the Chinese threat actors due to a variety of factors. While here below we have mentioned the key factors that indicate the threat actors behind this campaign are Chinese threat actors:-
- Use of Chinese names as usernames
- Chinese Source code comments
- Abuse of legit Chinese search engines
- Use of Chinese infrastructure
