Connect with us

Hi, what are you looking for?


Application Security

Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign

Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.

Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.

This previously unreported campaign has been analyzed by digital advertising security company Confiant, which dubbed it SeaFlower. The activity has been described as one of the most technically sophisticated threats targeting users of Web3 wallets.

According to Confiant, the hackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken.

The attackers have not actually compromised these apps. Instead, they have created backdoored versions that keep the wallet’s legitimate functionality while also exfiltrating the user’s seed phrase, which can then be leveraged to steal the victim’s cryptocurrency.

“SeaFlower drastically differs from the other web3 intrusion sets we track, with little to no overlap from the Infrastructure in place, but also from the technical capability and coordination point of view: Reverse engineering iOS and Android apps, modding them, provisioning, and automated deployments,” Confiant explained.

The fake apps have been distributed through websites set up by the attackers. These sites are clones of the app’s legitimate website. Potential victims are lured here via search engine poisoning, with Baidu and other Chinese search engines being targeted.

Fake MetaMask website

In the case of iOS devices, the SeaFlower backdoored apps are installed using provisioning profiles. Confiant has notified Apple about the developer IDs linked to these profiles and the tech giant has revoked the ones identified so far.

Advertisement. Scroll to continue reading.

The activity is believed to have been carried out by Chinese threat actors due to several reasons, including the use of Chinese names as usernames, source code comments written in Chinese, the abuse of legitimate Chinese search engines and other services, and the use of Chinese infrastructure.

However, the company noted, “There are some notable challenges when it comes to SeaFlower attribution, for example figuring out if the provisioning servers are run by the same group, and also identifying more initial vectors of the attack beside the Chinese search engines. All these are difficult challenges due to the geographical and language barrier aspects.”

Confiant has made available a detailed technical analysis of the SeaFlower backdoor and plans on releasing more information in the upcoming period.

Related: More Fake Cryptocurrency Apps Deliver GMERA Malware to Mac Users

Related: New Mac Malware Combines Open-Source Backdoor and Crypto-Miner

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.