Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.
This previously unreported campaign has been analyzed by digital advertising security company Confiant, which dubbed it SeaFlower. The activity has been described as one of the most technically sophisticated threats targeting users of Web3 wallets.
According to Confiant, the hackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken.
The attackers have not actually compromised these apps. Instead, they have created backdoored versions that keep the wallet’s legitimate functionality while also exfiltrating the user’s seed phrase, which can then be leveraged to steal the victim’s cryptocurrency.
“SeaFlower drastically differs from the other web3 intrusion sets we track, with little to no overlap from the Infrastructure in place, but also from the technical capability and coordination point of view: Reverse engineering iOS and Android apps, modding them, provisioning, and automated deployments,” Confiant explained.
The fake apps have been distributed through websites set up by the attackers. These sites are clones of the app’s legitimate website. Potential victims are lured here via search engine poisoning, with Baidu and other Chinese search engines being targeted.
In the case of iOS devices, the SeaFlower backdoored apps are installed using provisioning profiles. Confiant has notified Apple about the developer IDs linked to these profiles and the tech giant has revoked the ones identified so far.
The activity is believed to have been carried out by Chinese threat actors due to several reasons, including the use of Chinese names as usernames, source code comments written in Chinese, the abuse of legitimate Chinese search engines and other services, and the use of Chinese infrastructure.
However, the company noted, “There are some notable challenges when it comes to SeaFlower attribution, for example figuring out if the provisioning servers are run by the same group, and also identifying more initial vectors of the attack beside the Chinese search engines. All these are difficult challenges due to the geographical and language barrier aspects.”
Confiant has made available a detailed technical analysis of the SeaFlower backdoor and plans on releasing more information in the upcoming period.