ESET discovers the first clipper malware in Google Play

The malware that steals Criptomonedas Bitcoin and Ethereum by replacing the address of a wallet in the Clipboard, is no longer limited to Windows or to unofficial stores for Android applications.

ESET, a leader in proactive threat detection, discovered the first malware for Android capable of replacing the contents of the device’s clipboard in the Google Play store. Aiming at operations with the Criptomonedas Bitcoin and Ethereum, this malicious code called “Clipper” aims to redirect funds transferred to the attacker’s wallet instead of the victim. . The author of the discovery, the researcher of ESET Lukáš Štefanko, will be at the Mobile World Congress 2019 in Barcelona, ranking at the Stand 7H41 of Pavilion 7.

“This discovery shows that malicious codes that can redirect the Criptomoneda funds are no longer linked only to Windows or in clandestine forums where malicious applications for Android are sold. Now, all Android users should be careful with them, “says Lukáš Štefanko, ESET’s malware researcher

The recently discovered Clipper, it takes advantage that those who perform criptomoneda operations usually do not enter their wallets ‘ addresses online manually. Instead of writing them, users tend to copy and paste addresses using the Clipboard. Malware can replace the address with one that belongs to the attacker.

The Clippers appeared for the first time in the Windows ecosystem in 2017. In 2018, ESET researchers even discovered three of these malicious applications hosted at, one of the world’s most popular software hosting sites. In August 2018, it was discovered that the first Android Clipper was sold in clandestine piracy forums and, since then, this malware has been detected in several suspicious-application stores.

For 2019 ESET Researchers discover the first malicious code of the Clipper type within the official Google Play App Store. “Fortunately, we saw this clipper shortly after it was introduced. We informed the security team of Google Play and eliminated the application of the store, says Lukáš Štefanko.

The clipper found by ESET in the Google Play store is pretending to be a legitimate service called Metamask. This service, designed to allow the execution of decentralized applications of Ethereum in a browser without running a full node of Ethereum, exists in the form of plugins for desktop browsers like Chrome and Firefox. A mobile version of the service is not available. “There seems to be a demand for a mobile version of Metamask. Cyber criminals are aware of this demand and hide malware that is made to go through the service to the Play Store, warns Lukáš Štefanko.

In addition, this previous Metamask spoofing malware goes behind the user’s Bitcoin or Ethereum funds. However, you simply try to deceive the user into entering his or her wallet address in a false form and therefore reveal this confidential information to the attacker.

“With a clipper installed on the victim’s device, stealing funds cannot be easier. It is the victims themselves who inadvertently send the information so that the attacker can enter their account and be able to access their funds directly, “explains Lukáš Štefanko.

This first appearance of Clipper malware on Google Play is another call for Android users to follow best practices for mobile security. To keep you safe from the Clippers and other malicious Android programs, from ESET we recommend:

  • Keep your Android device up to date and use a reliable mobile security solution
    • Stick to the official Google Play store when you Download applications.
  • Always review the official website of the application developer or service provider for the link to the official application. If there is not, it should be considered as a red flag and you have to be extremely careful with any search results in Google Play.
  • Review every step in all transactions that involve something valuable, from confidential information to money. When using the Clipboard, always check if what was stuck is what you intended to enter.