[WARNING] Infamous Chisel (malware) steals crypto wallets data!

[cygan]

the russian malware 'infamous chisel', which specifically targets android mobile phones, is currently circulating and grabbing crypto data from wallets and even exchanges.
IC allows access to infected devices, whose message traffic it monitors and siphons off data at regular intervals. the stolen data also includes information about crypto wallets and exchange accounts. affected are said to be: Binance, Coinbase, PayPal and Trust Wallet.

it's up to each user to decide for themselves whether they want to use their mobile phone to conduct this type of business and install all the stock market apps. personally, i think it's far too dangerous and irresponsible.

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf
https://latesthackingnews.com/2023/09/04/new-infamous-chisel-malware-targets-android-users-in-state-backed-campaign/

please pay attention and be very careful when using the many crypto apps that are available for your mobile phones.

[1714544232]

1714544232

[1714544232]

1714544232

[1714544232]

1714544232

[1714544232]

1714544232

[BitcoinGirl.Club]

please pay attention and be very careful when using the many crypto apps that are available for your mobile phones.

I don't use any mobile wallet.
Some exchanges app are installed on my phone but none of the exchange have even $100 from me.
The email address I use in the mobile is a trough-away address, I don't mind if I receive emails from spammers in this inbox.
But yes the emails that used in the exchanges accounts, are important to me. Although I really do not click links sent by even a known service unless I am expecting a link like verify login, approve withdrawal.

[hopenotlate]

All these increasingly sophisticated attack vectors is what prevents cryptocurrencies  from truly being within the reach of everyone in everyday life. We must always be informed and updated to try to avoid the "arrows" that are thrown at us from all directions.
It is discouraging to approach this rather complex world, invest some savings and then have it blown from under your nose.

[Sim_card]

This attack is only for mobile phone users who have their exchange app in their phones and uses it. This shows that most crypto users uses mobile phones to have access to exchanges more than PC. We need to be very careful, especially those of us that prefer using mobile phones for our transactions since we are the target. It is very bad that scammers are looking for every means to steal from investors causing panic on the people. It is better than to stay away from links that we are not expecting and avoid clicking on them.

[Hispo]

This attack is only for mobile phone users who have their exchange app in their phones and uses it. This shows that most crypto users uses mobile phones to have access to exchanges more than PC. We need to be very careful, especially those of us that prefer using mobile phones for our transactions since we are the target. It is very bad that scammers are looking for every means to steal from investors causing panic on the people. It is better than to stay away from links that we are not expecting and avoid clicking on them.

To be fair, exchanges like Binance have been trying to catch up on the sophistication of this malware attacks, so only the actual owner of the account is able to withdraw Bitcoin off to a personal address. For example, there is 2 factor authentication with physical tokens (which the attacker wont have access to), there is also a feature called "white list"(addresses which the user is allowed to withdraw without going through harder verification), even if the person does not have a physical token to access their money, usually Binance requires three 2FA before approving an on-chain withdrawal: SMS to one's phone number, email confirmation and electronic token.

It would would be quite a hassle for a hacker to get all of it, though I understand it is possible.
The worst case scenario would be getting my satoshis exchanged for shitcoins.

[sheenshane]

Thanks for the heads up.

We shouldn't use apps from unknown sources and this proves that using mobile isn't safe at all when it comes to the crypto wallet or any valuable stuff, it's always prone to malware infection since we usually use our phones daily.

So this could be sent through links right?
As I can see this article it seems there are too many ways you might be affected.

[joniboini]

As I can see this article it seems there are too many ways you might be affected.

At the very least one group distributes this malware using a debugging tool[1], probably by packaging it through some debugging tool for those who are interested on Android debugging. It is also possible that is spread through the Google Play Store as usual since they are terrible at filtering malware apps. Just recently there are fake Telegram and Signal apps being removed because they contain malware[[2]. CMIIW.

[1] https://www.theregister.com/2023/08/31/sandworm_infamous_chisel/
[2] https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/

[Yamane_Keto]

The report is 35 pages long, so I only read part of it, but do these applications need malware to steal your data? Binance, Coinbase, PayPal and Trust Wallet. They are all closed source services, and no one knows the data they collect about you, and the report did not mention an open source wallet.

IC allows access to infected devices, whose message traffic it monitors and siphons off data at regular intervals. the stolen data also includes information about crypto wallets and exchange accounts. affected are said to be: Binance, Coinbase, PayPal and Trust Wallet.

If we assume that there are open source wallets, Android operating system contains features to enhance privacy, although it is better to run a full node on any Linux OS.
according to report information is written to the various files in the /data/local is affected, this means that electrum is not affected.

Code:

• com.brave.browser
• com.opera.browser
• com.paypal.android.p2pmobile
• com.binance.dev
• com.coinbase.android
• com.wallet.crypto.trustapp
• org.mozilla.firefox
• com.whatsapp
• org.telegram.messenger
• org.telegram.messenger.web
• com.discord

[joniboini]

according to report information is written to the various files in the /data/local is affected, this means that electrum is not affected.

Is it possible that the attacker rewrote the code to specifically target Electrum devices, or just expand their attack targets in general? Even if that is not possible, it is still unsafe to keep running your Electrum on an infected devices. Who knows what kind of malware it will download in the future, not to mention they still collect data about you regardless of what wallet you use.

[Yamane_Keto]

Is it possible that the attacker rewrote the code to specifically target Electrum devices, or just expand their attack targets in general? Even if that is not possible, it is still unsafe to keep running your Electrum on an infected devices. Who knows what kind of malware it will download in the future, not to mention they still collect data about you regardless of what wallet you use.

It's all possible but Binance, Coinbase, PayPal and Trust Wallet don't care about customer privacy and I think they will exploit such attacks as evidence that if users' data is leaked, they can easily say that the reason is Infamous Chisel (malware) just as they do with third party applications that share data With them. and you need root privileges to access electrum files.

[UmerIdrees]

the stolen data also includes information about crypto wallets and exchange accounts. affected are said to be: Binance, Coinbase, PayPal and Trust Wallet.

I am not too worried about the exchanges app because no one can log in, until it is authenticated by the 2fa and the same goes for the withdrawals (also i do not keep much funds in the exchanges) but my real concern is in other walllets like Trust wallet. Are you sure the open source wallet like Unstoppable on my andriod phone is not affected and is save?  Also, wallet like Unstoppable does not have a desktop version so the only option to use them is on the Android or iOS device. So what are the tips for using them ?

Also for this malware to get activated, you need to click on any suspicious link and it gets downloaded   Anyone using the phone with care, not clicking unknown links may be safe from this attack ?

[joniboini]

and you need root privileges to access electrum files.

Not sure how root access is being processed if your device is infected with malware. Regardless of whether it is possible or not, using a secure device should be the priority for most users.

Are you sure the open source wallet like Unstoppable on my andriod phone is not affected and is save?  Also, wallet like Unstoppable does not have a desktop version so the only option to use them is on the Android or iOS device. So what are the tips for using them ?

Also for this malware to get activated, you need to click on any suspicious link and it gets downloaded  Anyone using the phone with care, not clicking unknown links may be safe from this attack ?

The best protection is to use a secure device as mentioned above. Whether the malware will target new open-source wallets or not, you should be able to prevent any hack if you don't click on malicious links. For this specific malware, the distribution method is quite unclear based on the news that I've read. Safe to assume it is distributed through similar means like fake app downloads, phishing links, etc. If you use a phone as your main device, then you should focus more on improving your security practices. At the end of the day, you should make sure your device is free from malware etc regardless if you use a crypto wallet or not.

[m2017]

Well, another reason to avoid mobile crypto wallets. Crypto traders rush to buy Apple smartphones. After all, they were not struck by this infection, right.

Modern laptops (netbooks) are compact in size, which allows to work with cryptocurrencies almost anywhere in the world and allow to build a safe line of defense on device. Why use mobile phones to interact with cryptocurrencies when doing so is risky? I also think it's reckless.

[mk4]

Well, another reason to avoid mobile crypto wallets. Crypto traders rush to buy Apple smartphones. After all, they were not struck by this infection, right.

Modern laptops (netbooks) are compact in size, which allows to work with cryptocurrencies almost anywhere in the world and allow to build a safe line of defense on device. Why use mobile phones to interact with cryptocurrencies when doing so is risky? I also think it's reckless.

Simply because of convenience. Mobile wallets aren't necessarily bad despite the risks in the first place. Like, why use your physical pocket wallet knowing that you can risk losing it? Exactly, you use your mobile wallet for smaller amounts of funds so it's easily accessible when on-the-go; if you're fortunate enough to be in a country with bitcoin/crypto-supported payments.

[satscraper]

Well, another reason to avoid mobile crypto wallets. Crypto traders rush to buy Apple smartphones. After all, they were not struck by this infection, right.

Modern laptops (netbooks) are compact in size, which allows to work with cryptocurrencies almost anywhere in the world and allow to build a safe line of defense on device. Why use mobile phones to interact with cryptocurrencies when doing so is risky? I also think it's reckless.

Apple devices are also vulnerable and should not be considered as the secure stronghold of   cryptocurrencies safety. Just a couple of days ago the security experts have found multiple vulnerabilities in Apple products that allows not authorized penetrations into devices and execution of arbitrary codes.

Regarding Android's devices, the list of the latest vulnerabilities found is revealed by Google in its September security bulletin.