Connect with us

Hi, what are you looking for?


Mobile & Wireless

Clipper Malware Slips Into Google Play

A piece of Android malware capable of hijacking users’ crypto-currency transactions has slipped into Google Play, ESET security researchers have discovered.

A piece of Android malware capable of hijacking users’ crypto-currency transactions has slipped into Google Play, ESET security researchers have discovered.

Detected as Android/Clipper.C, the malware masquerades as the legitimate service MetaMask. Its main purpose is to steal the victim’s credentials and private keys to take over their Ethereum wallets. It also hijacks funds by replacing Bitcoin and Ethereum wallet addresses on the clipboard. 

Malware capable of performing such attacks is relatively new, but is already an established category, especially on desktop computers. 

Referred to as “clippers,” these threats rely on the fact that addresses of online crypto-currency wallets are long strings of characters that user’s normally copy and paste using the clipboard. Whenr the victim attempts to perform a transaction, the malware intercepts copied crypto-wallet addresses and replaces them with the attacker’s. 

While on desktop PCs running Windows such malware first emerged in 2017, it arrived on Android only in 2018, and has only been found in shady Android app stores, until working its way into Google’s official app store. 

The recently discovered clipper appeared in the Google Play store on February 1, 2019 and was removed immediately after ESET reported it to the Google Play security team.

The intended victims of this malware are users of the mobile version of MetaMask, a service designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. 

Advertisement. Scroll to continue reading.

At the moment, the service only offers only add-ons for desktop browsers such as Chrome and Firefox, but no mobile application, ESET points out.

For some cybercriminals, this appeared as an opportunity to create malicious applications and trick users into believing they are legitimate programs for the service. 

According to ESET, the clipper is only one of the malicious software impersonating MetaMask that was found in Google Play. Previously discovered malware, however, was phishing for sensitive information, attempting to take over the victims’ crypto-currency wallets. 

To stay protected, users are advised to always check the official website of the app developer or service provider for a link to the official app, to make sure they download and install legitimate software. 

Users should also double-check every step in all transactions that involve valuables, regardless of whether sensitive information or money, especially when using the clipboard (in which case, they should make sure the pasted content is the same as the copied one. 

Keeping the Android device updated at all time and installing only software from the Google Play store are also advised. 

Related: ‘TimpDoor’ Malware Turns Android Devices into Proxies

Related: Android Apps Carrying Windows Malware Yanked From Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.