Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign

Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.

Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.

This previously unreported campaign has been analyzed by digital advertising security company Confiant, which dubbed it SeaFlower. The activity has been described as one of the most technically sophisticated threats targeting users of Web3 wallets.

According to Confiant, the hackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken.

The attackers have not actually compromised these apps. Instead, they have created backdoored versions that keep the wallet’s legitimate functionality while also exfiltrating the user’s seed phrase, which can then be leveraged to steal the victim’s cryptocurrency.

“SeaFlower drastically differs from the other web3 intrusion sets we track, with little to no overlap from the Infrastructure in place, but also from the technical capability and coordination point of view: Reverse engineering iOS and Android apps, modding them, provisioning, and automated deployments,” Confiant explained.

The fake apps have been distributed through websites set up by the attackers. These sites are clones of the app’s legitimate website. Potential victims are lured here via search engine poisoning, with Baidu and other Chinese search engines being targeted.

Fake MetaMask website

In the case of iOS devices, the SeaFlower backdoored apps are installed using provisioning profiles. Confiant has notified Apple about the developer IDs linked to these profiles and the tech giant has revoked the ones identified so far.

The activity is believed to have been carried out by Chinese threat actors due to several reasons, including the use of Chinese names as usernames, source code comments written in Chinese, the abuse of legitimate Chinese search engines and other services, and the use of Chinese infrastructure.

However, the company noted, “There are some notable challenges when it comes to SeaFlower attribution, for example figuring out if the provisioning servers are run by the same group, and also identifying more initial vectors of the attack beside the Chinese search engines. All these are difficult challenges due to the geographical and language barrier aspects.”

Confiant has made available a detailed technical analysis of the SeaFlower backdoor and plans on releasing more information in the upcoming period.

Related: More Fake Cryptocurrency Apps Deliver GMERA Malware to Mac Users

Related: New Mac Malware Combines Open-Source Backdoor and Crypto-Miner

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.