Seems like the best protection is still security awareness. How easy it is for people to fall victim to this if they think any app on the Play Store is legit and checked by Google (did you, Google?).
But I wonder why the attacker uses the clipper though, why not take the private key directly? I believe some users will enter their private key if they want to import their wallet to this app.
The private key is never exposed when you transfer funds from your address to the next. This attack is centered around the replacement of any destination address with the hacker's Bitcoin address. So you might copy the receiver's address into the clipboard and then the hacker replaces that address with his or her own Bitcoin address when you paste it, and hopefully you will not notice it and just click send.
The clipboard hijacking method is quite common these days, so you must always verify the receiver's address after you have pasted it from the clipboard/memory.
They use different methods to hijack the clipboard, and apps on Google Play are just one of them.