In operations involving digital currency and cryptocurrency, Windows Trojans that replace the e-wallet address in the clipboard are widespread. Over the past two years, both ordinary computer users and information security experts have become familiar with this type of Trojan. Android Trojans with similar functions, however, are rare by comparison.
Virus analysts from the Russian antivirus vendor Doctor Web recently delivered a surprise: earlier this month they discovered a malicious program with similar features designed for the Android mobile platform. The Android Trojan is named “Clipper” and can replace the wallet address in the clipboard so that funds are sent to cybercriminals instead of the wallet owner.
Doctor Web’s virus analysts said that two variants had been added to their virus database: Android.Clipper.1.origin. These two malicious programs pose a serious threat to Android users, especially cryptocurrency investors.
The Clipper Trojan can replace QIWI, WebMoney (R and Z) and Yandex e-wallet addresses. In addition to these payment systems, it can also replace wallet addresses for cryptocurrencies such as Bitcoin, Monero, Zcash, DOGE, Dash, Ethereum, Blackcoin and Litecoin. The application bundled with the Trojan is disguised as a Bitcoin digital wallet application, as shown below:
Once the malicious application is opened, it displays a fake error message and exits, then continues to run silently in the background. The malicious app hides its icon from the list of apps on the Android home screen, which makes it hard to find without careful inspection. The Clipper Trojan then launches itself each time the infected smartphone or tablet is turned on.
The Clipper Trojan continuously monitors the clipboard for changes. Once the user copies a wallet address to the clipboard, the Trojan sends that address to the command and control server controlled by the cybercriminals. It then retrieves the cybercriminals’ wallet address from the server and uses it to replace the address in the clipboard.
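From the defender's side, the swap described above leaves a recognizable trace: a valid wallet address in the clipboard is replaced by a different valid one moments after it was copied. The following Python code is an added example, not code from Doctor Web or from the Trojan; it covers only Base58Check Bitcoin addresses, and the event format, the function names, the 3-second window and the sample addresses are assumptions constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, body):
    """Build a Base58Check string; used only to construct the sample addresses."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_btc_address(text):
    """True for a 25-byte Base58Check value whose checksum verifies."""
    if len(text) > 35 or any(c not in B58 for c in text):
        return False
    n = 0
    for c in text:
        n = n * 58 + B58.index(c)
    pad = len(text) - len(text.lstrip("1"))   # leading '1's are zero bytes
    try:
        raw = b"\0" * pad + n.to_bytes(25 - pad, "big")
    except (OverflowError, ValueError):
        return False
    return raw[-4:] == _checksum(raw[:-4])

def find_swaps(events, window=3.0):
    """Flag a valid address replaced by a different one within `window` seconds."""
    swaps, last = [], None
    for ts, text in events:
        text = text.strip()
        if not is_btc_address(text):
            last = None          # unrelated clipboard content resets the state
            continue
        if last and text != last[1] and ts - last[0] <= window:
            swaps.append((last[1], text, ts))
        last = (ts, text)
    return swaps

# Constructed sample data: addresses derived from labels, not real wallets.
USER_ADDR = b58check_encode(0, hashlib.sha256(b"sample-user").digest()[:20])
OTHER_ADDR = b58check_encode(0, hashlib.sha256(b"sample-other").digest()[:20])
SAMPLE_EVENTS = [(10.0, "meeting at 5pm"), (42.0, USER_ADDR),  # user copies
                 (42.8, OTHER_ADDR),   # rewritten 0.8 s after the copy
                 (300.0, USER_ADDR)]   # later copy, outside the window
```

Calling `find_swaps(SAMPLE_EVENTS)` returns one finding: the copied address, the address that replaced it, and the time of the rewrite.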
The Clipper Trojan’s developer is currently actively advertising this Android Trojan for sale on a hacking forum. According to the advertisements, buyers are free to use the icon and name of any application for the copy of the malicious application they purchase. As a result, virus analysts at Doctor Web expect this Android Trojan to appear in large numbers under the names of more legitimate applications shortly.