Hackers are using Web3 backdoor wallets to steal seed phrases from iOS/Android users



A Chinese-speaking, technically proficient threat actor distributes backdoor applications to extort cash from victims in a newly discovered large-scale operation.

Trusted security researchers have shared details of a large-scale operation launched by a technologically advanced, sophisticated threat actor. The actor distributes backdoor applications through fake versions of authentic cryptocurrency wallet websites to withdraw funds. The activity cluster, dubbed SeaFlower, is reportedly targeting iOS and Android users.

The Confident researchers noted that Trojanized cryptocurrency apps are very similar to their real versions. However, they contain a backdoor that can steal a user’s security step, allowing attackers to access their digital assets.

attack method

The SeaFlower operation leverages website cloning, SEO poisoning, and black SEO techniques to distribute Trojanized apps to a wide range of users. Targeted applications include the iOS and Android versions of MetaMask, Coinbase Wallet, ImToken and TokenPocket.

These apps are distributed through Chinese search engines such as Sogou and Baidu. The search terms have been rigged, so when someone searches for Download Metamask iOS, the drive-by download page results appear at the top of the first page.

Unsuspecting users stumble upon suspicious sites, which act as a conduit to entice victims to download Trojanized versions of the Wallet app. These apps have been modified to look similar to the original versions but have additional code to extract the seed phrase and send to remote domains.



Attackers can promote backdoor apps and use malware on social media platforms and forums, but the major distribution channel is search engines.

seaflower purpose

According to a blog post by Taha Karim of Confident, the main objective behind this campaign appears to be to modify the Web3 wallet with backdoor code to take out the seed phrase. SeaFlower operators have also engineered the activity to target iOS users through provisioning profiles to enable apps for sideloading on the device.

For your information, provisioning profiles help to connect tools and developers to an unprivileged development team. In this way, the tools can be used to test app code and add malicious apps to the devices.

Chinese connection

Analysis of source code comments, macOS usernames, and the involvement of Alibaba’s CDN (content delivery network) in backdoor coding ties this campaign with a yet-to-be-revealed Chinese-speaking organization.

The researchers claim they discovered the campaign in March 2022 and refer to SeaFlower as “the most technologically sophisticated threat targeting Web3 users, right after the infamous Lazarus group.”

Why sea flowers?

As to why the Confident researchers dubbed Seaflower Activity, they noted that one of the .dylib files injected into the Trojanized MetaMask app’s Mach-O leaked a macOS username named “zhang heik”. When he Googled the term, several Chinese language references came up, one of which was a character in the Chinese novel “Tibetan Sea Flower”.

security measures

Chinese hackers have always been known to be dangerous and highly sophisticated. It may be because of the unlimited resources supported by the government or they are good at it. Nevertheless, downloading apps and software from third-party markets should be strictly avoided.

Always download mobile apps from official stores: Apple Appstore and Play Store. Never install or accept random provisioning profiles on your iPhone, as you saw in this blog post, they allow the download of unverified software that could potentially steal your crypto.

Taha Karim – Confidant

More Chinese Hackers in the News

  1. Iranian and Chinese state hackers exploiting Log4j vulnerability
  2. Russian-language hacking forums are heating up to Chinese hackers
  3. Chinese APT Group FoundCore RAT . is spying on the vietnam army with
  4. Microsoft disrupts the activities of Chinese hackers by seizing 42 websites
  5. Unofficial micropatch for Follina released as exploit of Chinese hackers 0-day

Source



Related News

The long arc of WaPo revenue leans towards SaaS; Google Comes With More Chaos

Here's today's AdExchanger.com news round-up... Want to email? Register here.

Obi-Wan Kenobi: what will be the future of Darth Vader?

His return in Obi-Wan Kenobi did not fully garner the satisfaction of Star Wars fans, but see on screen Darth Vader however, it remains a moment of great

Internet Explorer Ends 26 Years of Operation as Top Browser to Install Other Browsers

Time comes for all of us. It's a lesson Microsoft is learning the hard way, as its once dominant browser is finally there. eventually - not anymore. Never

Need a Passive Income Stream? Here are 7 ways to make money online

If You Want to Make Money Fast, You Might Consider / Getty Images

The long arc of WaPo revenue leans towards SaaS; Google Comes With More Chaos

Here's today's AdExchanger.com news round-up... Want to email? Register here.

Over 500 € discount for this 75 ″ LG 4K smart TV!

If you are looking for a smart TV large, performing and with an unbeatable price, we advise you to take a look at the LG LED 4K 75 ″ model discounted by