Android Trojan Replaces Clipboard Data
Experts from Doctor Web have reported the discovery of a new family of mobile malware called Android.Clipper, which targets Android devices by replacing cryptocurrency wallet addresses and payment system account numbers in the clipboard. While such malware is relatively common on Windows, Android users have encountered these threats much less frequently until now.
What Are Clipper Trojans?
Clipper Trojans are malicious programs designed to secretly replace electronic wallet numbers in the clipboard, so that any funds sent are redirected to cybercriminals instead of the intended recipient. In August 2018, Doctor Web’s virus database was updated with two new modifications of the Android.Clipper Trojan: Android.Clipper.1.origin and Android.Clipper.2.origin.
Targeted Payment Systems and Cryptocurrencies
Android.Clipper is capable of replacing wallet numbers in the clipboard for the following payment systems and cryptocurrencies:
- QIWI
- Webmoney R
- Webmoney Z
- Yandex.Money
- Bitcoin
- Monero
- zCash
- DOGE
- DASH
- Ethereum
- Blackcoin
- Litecoin
How the Malware Spreads and Operates
Researchers note that this malware can be distributed under the guise of well-known and harmless applications. For example, the malware may disguise itself as software for managing Bitcoin wallets.
When first launched on an infected device, the Trojan displays a fake error message and continues to run in the background. It does this by changing the access settings of its main activity (clipper.abcchannelmc.ru.clipperreborn.MainActivity), making it inaccessible. As a result, the app icon disappears from the Android home screen, and the malicious program can only be found in the device’s system settings. Both Android.Clipper modifications are set to launch automatically every time the infected smartphone or tablet is turned on.
How the Attack Works
Once the device is infected, the Trojan monitors changes to the clipboard. If it detects that the user has copied an electronic wallet number, it sends this number to its command-and-control server at http://fastfrmt.*****.tech. The Trojan then sends another request to the server, waiting for a response with the cybercriminals’ wallet number, which it then inserts into the clipboard in place of the original.
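The swap described above only works because nothing compares the address the user copied with the address that is finally pasted into the payment form. The following is an added example, not code from Doctor Web's report or from the malware, showing the defensive check a wallet app or security tool can make at paste time. The address recognisers cover three of the currencies in the list and are assumptions for the example: loose shape checks with no checksum validation and no coverage of every address variant. The ClipboardGuard class and the sample addresses are constructed for the example.

```python
import re

# Simplified address recognisers for three currencies named in the report.
# These patterns are assumptions for the example: shape checks only, with no
# checksum validation and no attempt to cover every address variant.
WALLET_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"
    ),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_wallet(text: str):
    """Return the wallet kind a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ClipboardGuard:
    """Remembers what the user copied and checks it against what is pasted.

    A clipper Trojan changes the clipboard between the copy and the paste,
    so the value reaching the payment form no longer matches the value the
    user selected. Comparing the two at paste time exposes the swap.
    """

    def __init__(self):
        self._copied = None  # last value copied by the user's own action

    def on_copy(self, text: str) -> None:
        self._copied = text.strip()

    def on_paste(self, clipboard_text: str) -> dict:
        pasted = clipboard_text.strip()
        copied_kind = classify_wallet(self._copied or "")
        pasted_kind = classify_wallet(pasted)
        if copied_kind is None:
            # The user never copied a wallet address; nothing to protect.
            return {"verdict": "not_a_wallet", "kind": pasted_kind}
        if pasted == self._copied:
            return {"verdict": "ok", "kind": copied_kind}
        # The address changed while it sat in the clipboard. A same-type
        # replacement is exactly the clipper pattern; any other change still
        # deserves a warning before the payment is sent.
        return {
            "verdict": "swapped",
            "kind": copied_kind,
            "expected": self._copied,
            "found": pasted,
            "same_kind": pasted_kind == copied_kind,
        }


if __name__ == "__main__":
    guard = ClipboardGuard()
    # Constructed scenario: the user copies one legacy Bitcoin address, and the
    # clipboard later holds a different one of the same shape.
    guard.on_copy("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")
    print(guard.on_paste("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))
    print(guard.on_paste("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"))
```

The guard treats a same-kind replacement as the strongest signal because that is what the report describes: the Trojan returns an address for the same payment system so the user notices nothing. In a real app the same comparison belongs in the confirmation screen, where the user can be shown both values side by side before the transaction is submitted.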
Distribution and Features
According to Doctor Web, the creator of Android.Clipper actively sells this malware family on hacker forums. Buyers can use any icon and app name for each purchased copy of the malware. In promotional materials, the developer claims that Android.Clipper can send activity reports via Telegram and quickly update the wallet numbers inserted into the clipboard using the FTP protocol.
However, Doctor Web’s report notes that these features are not implemented in the malware itself. Instead, these capabilities are provided to criminals through the command-and-control server.
Future Risks
Researchers believe that in the near future, we can expect a significant increase in the number of Clipper Trojan modifications, which will be distributed under the guise of harmless and useful apps.