"Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign"
Security researchers at Confiant have discovered that cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase. According to the researchers, the hackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken. The researchers noted that the attackers have not actually compromised these apps. Instead, they have created backdoored versions that keep the wallet’s legitimate functionality while also exfiltrating the user’s seed phrase, which can then be leveraged to steal the victim’s cryptocurrency. The researchers stated that SeaFlower drastically differs from the other web3 intrusion sets they track, with little to no overlap from the infrastructure in place, but also from the technical capability and coordination point of view: reverse engineering iOS and Android apps, modding them, provisioning, and automated deployments. The researchers noted that the fake apps have been distributed through websites set up by the attackers. These sites are clones of the app’s legitimate website. The researchers stated that potential victims are lured here via search engine poisoning, with Baidu and other Chinese search engines being targeted. In the case of iOS devices, the SeaFlower backdoored apps are installed using provisioning profiles. The researchers have notified Apple about the developer IDs linked to these profiles, and the tech giant has revoked the ones identified so far.