(Hong Kong, 21 June 2022) Overseas researchers have noticed that a series of malicious activities has been targeting users of crypto wallet apps on Android and iOS mobile devices since March 2022. The malicious activities originate from the threat actor known as SeaFlower (藏海花).
SeaFlower first sets up a fraudulent website cloned from a legitimate one. It then leverages Search Engine Optimisation (SEO) to improve the search engine ranking of the fraudulent website, so as to lure users into downloading a fake crypto wallet app with malicious code injected, thereby intercepting the crypto wallet seed phrase and transferring the user’s cryptocurrency. As the fake crypto wallet app is almost identical to the legitimate app, it is very difficult to tell them apart with the naked eye.
In addition, the fake crypto wallet app does not change the functions of the original app. Instead, malicious code is injected into it to steal the wallet seed phrase, wallet address and account balance. The fake crypto wallet app can work just as normally as the legitimate crypto wallet app, except that it can also steal data.
As the local information security expert, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council would like to remind the public to avoid opening any suspicious URLs. Also, before downloading and installing mobile apps, please verify the source and only download them from the official app store. In addition, always keep the software on mobile devices (e.g. OS, browser and anti-virus software) up to date.