A new form of cryptocurrency-stealing malware has been identified in the Google Play store. Dubbed ‘clipper’ malware, it was discovered inside an app impersonating MetaMask—a full browser extension which allows Ethereum-based apps to run on a browser without running a full Ethereum node.

Clipper malware works by taking advantage of the copy-paste feature. Crypto apps are especially vulnerable because they require that users input long and complicated cryptocurrency addresses. The malware then monitors the clipboard of the infected system and identifies values that look like a wallet address.

Once identified, the malware swaps the victim’s address for the hacker’s address. If the victim completes the transaction without noticing the change, the crypto gets deposited in the attacker’s account instead.

First reported on WeLiveSecurity, This malicious app was discovered by cybersecurity company ESET and is the first known app of its kind to pass Google’s vetting procedures.

Malware and other software targeted at cryptocurrency users has become increasingly prevalent because of the ease of monetary gain via stealing crypto, especially when compared to other methods such as data ransom and identity fraud which tend to be more labor intensive

There has been much discussion about what has now been dubbed as ‘crypto-jacking’ which is coin mining that is done using the computing power of other people’s machines. This form of hacking hit mainstream media when it was discovered on popular torrent site The Pirate Bay, which was using a web browser miner called CoinHive.

Another crypto-jacking attack is performed via email, where a user is phished and malicious mining software is installed on the victim’s computer.

However, this brings up a question of ethics, as there are some who have expressed that they would permit cryptocurrency mining in this manner, in exchange for web services such as The Pirate Bay, if they were notified about it.

A study conducted in late 2017 showed just how quickly crypto-jacking rose to prominence:

“Coin miners made up 24 percent of all web attacks blocked in December 2017, and 16 percent of web attacks blocked in the last three months of 2017, demonstrating the big impact of these browser-based coin miners,” the report from Symantec read.