The malware, which replaces computer clipboard information in an attempt to steal cryptocurrency, was removed by Google at the beginning of the month after a tipoff from Eset researchers.
Known as a “Clipper,” the malware replaces copied cryptocurrency wallet addresses with an address belonging to an attacker in the hope that funds will be sent elsewhere without the user noticing.
The discovery marked the first time such malware had made it past Google’s vetting procedures, the security firm notes.
“The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask,” Eset explained, continuing:
“The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.”
MetaMask, which is one of the oldest Ethereum (ETH)-based DApps, has fallen victim to malicious schemes before.
In July last year, Google developers pulled the app from Google Play altogether, leaving only fake impersonations. A subsequent report from MetaMask revealed the action had occurred by mistake.
In November, MetaMask confirmed its plans to launch a mobile app, which ended up being the target of the latest malware issue.