A sophisticated attacker known as SeaFlower has been targeting Android and iOS users as part of a massive campaign that imitates cryptocurrency wallet websites to distribute backdoored apps that drain victims’ funds.
As of March 2022, an entity believed to be connected with China has been targeting Mac users with a cluster of activity that includes mimicking the official cryptocurrency wallet websites.
Alibaba’s Content Delivery Network (CDN) is being abused as part of the attack. The link to a Chinese-speaking entity is based on comments and other source code found in the backdoor, together with the use of that CDN.
The campaign currently focuses on modifying Web3 wallets with backdoor code whose end goal is to exfiltrate seed phrases.
SeaFlower operates by setting up impersonated sites that deliver trojanised versions of wallet apps. These are nearly identical to the authentic wallet apps apart from added code designed to steal the seed phrase from the app’s servers.
On iOS, the malicious apps reach devices through the addition of sideloading profiles that allow them to be installed.
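The backdoor described above ends with a seed phrase leaving the device over the network, which is the one step a defender can watch for regardless of which lookalike site delivered the app. The following is an added example, not code from the original article or from any research the article summarises: a small egress detector that flags request bodies containing a run of 12 or more consecutive words drawn entirely from the BIP-39 mnemonic wordlist. The wordlist here is a constructed subset (the real English list has 2048 words and a production detector would load it whole), and the hosts and request records are constructed sample data.

```python
import re

# Constructed subset of the BIP-39 English wordlist. The real list has 2048
# words; load the complete list from the BIP-39 specification in production.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
zoo zone zero zebra youth young yellow year yard wrong write wrist
""".split())

MIN_RUN = 12                      # shortest BIP-39 mnemonic
VALID_LENGTHS = {12, 15, 18, 21, 24}  # lengths the standard allows

# Lower-case alphabetic tokens only: JSON quotes, commas, URL-encoding such
# as "%20" and digits all act as separators, so a phrase embedded in a JSON
# string or a form body still tokenises into its words.
WORD_RE = re.compile(r"[a-z]+")


def find_mnemonic_runs(text: str, wordlist=BIP39_SUBSET, min_run: int = MIN_RUN):
    """Return a list of (length, phrase) for every maximal run of at least
    ``min_run`` consecutive tokens that are all in ``wordlist``."""
    runs = []
    run = []
    # Append a sentinel so the final run is flushed without a special case.
    for word in WORD_RE.findall(text.lower()) + [""]:
        if word in wordlist:
            run.append(word)
            continue
        if len(run) >= min_run:
            runs.append((len(run), " ".join(run)))
        run = []
    return runs


# Constructed egress records, as a proxy or endpoint agent might log them.
SAMPLE_EGRESS = [
    {   # benign wallet sync call
        "host": "api.example-wallet.test",
        "body": '{"height":123456,"chain":"eth"}',
    },
    {   # backdoor posting a 12-word mnemonic to a lookalike host
        "host": "cdn-lookalike.example.test",
        "body": '{"phrase":"abandon ability able about above absent absorb '
                'abstract absurd abuse access accident","ua":"wallet/1.0"}',
    },
    {   # ordinary text with a few wordlist words scattered through it
        "host": "search.example.test",
        "body": '{"q":"about access and ability"}',
    },
]


def scan_egress(records):
    """Scan request bodies and return one alert per suspected mnemonic.

    ``plausible_mnemonic`` is True when the run length is one the BIP-39
    standard permits; other lengths are still reported because the
    tokeniser may have swallowed neighbouring wordlist words."""
    alerts = []
    for rec in records:
        for length, phrase in find_mnemonic_runs(rec["body"]):
            alerts.append({
                "host": rec["host"],
                "words": length,
                "plausible_mnemonic": length in VALID_LENGTHS,
                "phrase": phrase,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_egress(SAMPLE_EGRESS):
        print(f"{alert['host']}: {alert['words']}-word run "
              f"(valid length: {alert['plausible_mnemonic']})")
```

The detector deliberately does not verify the BIP-39 checksum, since that needs word indexes from the full list; with the complete wordlist loaded, adding that check is a natural next step to cut false positives. Scanning only the request body rather than the whole URL line keeps common words in hostnames and paths from padding a run.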
Search engine poisoning on Baidu, Sogou, and other Chinese search engines ensures the drive-by download pages rank prominently when users search for terms such as “download MetaMask iOS”.
Even with this information now public, attackers continue to concentrate on popular Web3 platforms to harvest sensitive data and defraud users of money.