Android Clipboard Hijacking Crypto Malware


Systems Affected

Android Devices

Threat Level



The malware, described as a "Clipper", pretends to be a legitimate cryptocurrency app and works by replacing a cryptocurrency wallet address copied to the Android clipboard (where copied text is held on Android) with one belonging to the attackers.


This clipper malware steals users' cryptocurrency. To do this, attackers trick users into installing a malicious app that impersonates a legitimate cryptocurrency service known as MetaMask.
MetaMask is available only as a browser extension for Chrome, Firefox, Opera, or Brave, and has not yet been released on any mobile app store.
However, there is a malicious MetaMask app on the Play Store targeting users who want to use a mobile version of the service; it changes their legitimate cryptocurrency wallet address to the attacker's own address via the clipboard.
As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker's wallet address pasted by the malicious app.


  ✦  Steals cryptocurrency from your wallet using the Android clipboard.
  ✦  Financial losses incurred through losing cryptocurrency.

Solution/Workarounds

  ✦  Read about and verify apps before installing them from the Play Store.
  ✦  Use the official Play Store when downloading apps.
  ✦  When copying and pasting a wallet address, go through every character and make sure it is the intended wallet address to which the cryptocurrency needs to be sent.
  ✦  Remove unwanted applications installed on Android devices.
  ✦  Uninstall the MetaMask application if it is running on any Android device.
  ✦  Keep the Android device updated and use a suitable mobile security solution.
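
The character-by-character check recommended above can be automated. The following Python sketch is an added example, not part of the original advisory; the function names and sample addresses are constructed for illustration, and it assumes Ethereum-style 0x addresses are compared case-insensitively while any other format is compared exactly.

```python
import re
from dataclasses import dataclass

# Ethereum-style address: "0x" + 40 hex digits. Letter case does not change
# which account is addressed, so such addresses are compared in lower case.
_ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

@dataclass
class PasteCheck:
    match: bool
    mismatches: list   # 0-based positions where the characters differ
    reason: str

def _normalize(addr: str) -> str:
    addr = addr.strip()  # drop whitespace picked up while copying
    return addr.lower() if _ETH_RE.match(addr) else addr

def check_pasted_address(intended: str, pasted: str) -> PasteCheck:
    """Compare the address the user meant to copy with what was pasted."""
    a, b = _normalize(intended), _normalize(pasted)
    if len(a) != len(b):
        return PasteCheck(False, [], f"length differs: {len(a)} vs {len(b)}")
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if diffs:
        msg = f"{len(diffs)} character(s) differ, first at position {diffs[0]}"
        return PasteCheck(False, diffs, msg)
    return PasteCheck(True, [], "addresses are identical")

def ends_only_check(intended: str, pasted: str, n: int = 4) -> bool:
    """The shortcut to avoid: looking only at the first and last n characters."""
    a, b = _normalize(intended), _normalize(pasted)
    return a[:n] == b[:n] and a[-n:] == b[-n:]

# Constructed sample values (not real wallets).
INTENDED = "0x" + "1a2b3c4d5e" * 4
REPLACED = "0x1a" + "9" * 34 + "4d5e"   # same first and last four characters

if __name__ == "__main__":
    print("ends-only check passes:", ends_only_check(INTENDED, REPLACED))
    print("full check:", check_pasted_address(INTENDED, REPLACED).reason)
```

With the constructed values, the ends-only check accepts the replaced address while the full comparison rejects it, which is why every character has to be verified.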



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.