New Enchant Android Malware Targeting Chinese Cryptocurrency Users
- A new Android malware called “Enchant” has been discovered that focuses on stealing sensitive information from cryptocurrency wallet applications.
- This malware is distributed through fake adult websites, luring users into downloading malicious APK files.
- Enchant malware uses the Accessibility Service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallet.
- Its primary objective is to steal critical information such as wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys from compromised devices.
- The Threat Actor (TA) behind this malware has conducted a detailed analysis of cryptocurrency wallet applications, aiming to identify significant UI elements for stealing sensitive information.
- The malware actively seeks out Chinese strings within the Accessibility node, indicating that this malware targets cryptocurrency users in China.
In the midst of the ongoing digital revolution, cryptocurrencies have risen as a disruptive force in the world of finance, promising financial autonomy, decentralized control, and an alternative to conventional banking systems. However, beneath the surface of this revolutionary technology, a novel and sinister threat has surfaced, one that sets its sights on cryptocurrency wallet applications.
Recently, Cyble Research and Intelligence Labs (CRIL) has uncovered a newly identified Android malware with a clear objective: to steal vital details from crypto wallet applications. This malicious software aims to seize critical information such as Private Keys, Mnemonic Phrases, Wallet Addresses, Wallet Passwords, and Asset particulars, leaving unsuspecting users vulnerable to substantial losses.
We observed that the malware is cunningly propagated through fake adult websites. To date, CRIL has identified two phishing websites, hxxps://xnxnxx[.]top and hxxps://xnxnx[.]cyou masquerading as adult content portals that facilitate the download of this Android malware. Figure 1 and Figure 2 below illustrate these deceptive phishing sites.
When a user clicks on the “Click to download” or “DOWNLOAD APK” button, the phishing website proceeds to initiate the download of a malicious APK from the following URLs: hxxps://xnxnxx[.]top/download/XNXX.apk and hxxps://xnxnx[.]cyou/download/XNXX.apk.
The malicious files that were downloaded exhibit a low detection rate, and after a thorough analysis of the source code, we suspect that it may be a new type of malware. Throughout our analysis, we are referring to it as the “Enchant” malware, owing to the recurring use of a package name in all of the samples.
The malware utilizes the Accessibility Service to steal information associated with cryptocurrency wallets by identifying their User Interface (UI) components. Presently, Enchant malware is focused on targeting four specific cryptocurrency wallets, which are detailed below:
- im.token.app (imToken)
- com.okinc.okex.gp (OKX)
- com.bitpie (Bitpie Wallet)
- vip.mytokenpocket (TokenPocket wallet)
Furthermore, we noticed that the malware scans for specific Chinese text, including phrases like “密码不正确 (Incorrect password)” and “密码不正确 (Import TRX wallet),” within the Accessibility node to pinpoint precise UI elements, as depicted in Figure 4. This suggests that the malware has been crafted with the intention of targeting cryptocurrency users in China.
A detailed analysis of the Enchant malware is carried out in the next section.
APK Metadata Information
- App Name: XNXX
- Package Name: pkg.java.xnxx
- SHA256 Hash: c4adaa29e31d0c91b9f1edfc6efe3cb1e62daf9065eb9f17b352f019bdb4bc39
As previously stated, Enchant malware relies on the Accessibility Service. Upon installation, it prompts the victim to grant permission to use the Accessibility Service. Once this permission is granted, the malware begins exploiting the service to carry out malicious operations and obstructs the uninstallation process.
Furthermore, in the background, the malware connects to the URL hxxps://bat[.]xnxnxx.top/api/v6/get_upgrade_url?package_name=pkg.java.xnxx&version_name=5.0.9&version_code=59. This endpoint returns a download link for an APK upgrade; however, during our analysis, we did not observe the malware actually updating the package.
Once the Accessibility Service permission is granted, the malware transmits data about non-system applications, including their names, package names, and device information, to the Command and Control (C&C) server at hxxps://bat[.]xnxnxx.top/api/v6/send_device_apps.php.
The moment the victim begins using the compromised device after enabling the Accessibility Service, the malware starts transmitting Accessibility event logs. These event logs enable the TA to discover not only the specific component the victim is interacting with but also the actions being performed by the victim and the keystrokes.
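Because every capability described above depends on the victim granting the Accessibility Service, the first thing a responder checks on a suspect device is which accessibility services are enabled. The following added example (written for this article, not code from the Cyble report or from the malware) parses the value returned by `adb shell settings get secure enabled_accessibility_services`, which is a colon-separated list of `package/Class` component names, and flags the package named in the analysis. The sample value, the `.AccessService` class name and the allowlist are constructed for illustration.

```python
# Added example: triage the accessibility services enabled on an Android device.
# Input format assumed: the value of the secure setting `enabled_accessibility_services`,
# i.e. colon-separated ComponentName strings, "package/ClassName" or "package/.RelativeClass".

# Constructed sample setting value. The package pkg.java.xnxx is the one from the analysis;
# the ".AccessService" class name and the other two entries are made up for the example.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "pkg.java.xnxx/.AccessService:"
    "com.example.keyboard/.ImeAccessibilityService"
)

# Known-malicious package name taken from the report.
KNOWN_MALICIOUS_PACKAGES = {"pkg.java.xnxx"}

# Hypothetical allowlist of assistive tools an organisation trusts; which services belong
# here depends on the fleet, so treat this set as a placeholder.
ALLOWLISTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value):
    """Split the setting value into (package, fully qualified class) pairs."""
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue                       # tolerate empty or malformed entries
        package, cls = entry.split("/", 1)
        if cls.startswith("."):            # shorthand for a class inside the package
            cls = package + cls
        services.append((package, cls))
    return services


def classify_service(package):
    """Known-bad first, then allowlisted, everything else needs an analyst's eyes."""
    if package in KNOWN_MALICIOUS_PACKAGES:
        return "known-malicious"
    if package in ALLOWLISTED_PACKAGES:
        return "allowlisted"
    return "review"


def triage_accessibility_services(value):
    """Return one record per enabled service with a verdict. 'review' means the app
    should be confirmed as a genuine assistive tool before it is left enabled."""
    return [
        {"package": pkg, "service": cls, "verdict": classify_service(pkg)}
        for pkg, cls in parse_enabled_services(value)
    ]


if __name__ == "__main__":
    for rec in triage_accessibility_services(SAMPLE_SETTING):
        print(f"{rec['verdict']:16} {rec['service']}")
```

The point of the `review` verdict is that an accessibility service is a legitimate feature, so the check cannot simply fail on "any service enabled"; it separates the known-bad package, the services an organisation has vetted, and the remainder that need a look before the device is considered clean.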
Targeting Cryptocurrency Wallets
Much like the functionality above, the malware abuses the Accessibility Service to locate the UI elements of the targeted wallet application and exfiltrates the sensitive wallet-related information they hold: the mnemonic phrase, wallet address, wallet asset details, wallet password, and private key. The malware uses the following endpoints to transmit the stolen wallet information.
| Endpoint | Wallet information type |
|---|---|
| /send_wallet_address | Sends wallet address |
| /send_wallet_assets | Sends wallet asset-related information |
| /send_wallet_mnemonics | Sends mnemonic phrase |
| /send_wallet_password | Sends wallet password |
| /send_wallet_private_key | Sends wallet private key |
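The endpoint table above, together with the `send_device_apps.php` and `get_upgrade_url` calls described earlier, gives a network defender enough to write a detection and, more usefully, to tell a victim what was lost. The following added example (not code from the report or the malware) scans constructed proxy log lines in an assumed `<timestamp> <client-ip> <method> <url> <status>` format, classifies each matching request, and summarises per client which categories of wallet data reached the C&C server. The hosts and paths are the ones the analysis names, with the defanging brackets removed so they match live traffic; timestamps and client addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy/egress log lines (not from the report). Assumed format:
# "<timestamp> <client-ip> <method> <url> <status>". Hosts and paths come from the analysis;
# timestamps and client addresses are invented.
SAMPLE_PROXY_LOG = """\
2023-10-24T09:12:01Z 10.0.0.21 GET https://bat.xnxnxx.top/api/v6/get_upgrade_url?package_name=pkg.java.xnxx&version_name=5.0.9&version_code=59 200
2023-10-24T09:12:05Z 10.0.0.21 POST https://bat.xnxnxx.top/api/v6/send_device_apps.php 200
2023-10-24T09:15:40Z 10.0.0.21 POST https://bat.xnxnxx.top/api/v6/send_wallet_address 200
2023-10-24T09:15:41Z 10.0.0.21 POST https://bat.xnxnxx.top/api/v6/send_wallet_mnemonics 200
2023-10-24T09:20:00Z 10.0.0.33 GET https://example.com/index.html 200
2023-10-24T09:21:10Z 10.0.0.33 GET https://xnxnx.cyou/download/XNXX.apk 200
"""

# Indicators from the report, defanging brackets removed so they match live traffic.
CNC_HOST = "bat.xnxnxx.top"
DISTRIBUTION_HOSTS = {"xnxnxx.top", "xnxnx.cyou"}

# C&C endpoint -> what the malware sends there (endpoint table plus the
# send_device_apps.php call described earlier in the analysis).
EXFIL_ENDPOINTS = {
    "/api/v6/send_device_apps.php": "installed application list",
    "/api/v6/send_wallet_address": "wallet address",
    "/api/v6/send_wallet_assets": "wallet asset details",
    "/api/v6/send_wallet_mnemonics": "mnemonic phrase",
    "/api/v6/send_wallet_password": "wallet password",
    "/api/v6/send_wallet_private_key": "wallet private key",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url):
    """Return (kind, detail) for a URL that matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path                       # query string (e.g. get_upgrade_url) is dropped
    if host == CNC_HOST:
        if path in EXFIL_ENDPOINTS:
            return ("exfiltration", EXFIL_ENDPOINTS[path])
        return ("c2-beacon", path)          # any other call to the C&C host, e.g. upgrade check
    if host in DISTRIBUTION_HOSTS and path.lower().endswith(".apk"):
        return ("payload-download", path)
    return None


def scan_proxy_log(text):
    """Parse each log line and keep those that match an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines rather than abort the scan
        ts, client, method, url, status = m.groups()
        verdict = classify_request(url)
        if verdict is not None:
            hits.append({"time": ts, "client": client, "method": method,
                         "kind": verdict[0], "detail": verdict[1]})
    return hits


def data_lost_per_client(hits):
    """Per client, which categories of wallet data reached the C&C server. This is the
    list a responder needs to decide which wallets must be moved to fresh keys."""
    lost = {}
    for h in hits:
        if h["kind"] == "exfiltration":
            lost.setdefault(h["client"], set()).add(h["detail"])
    return lost


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h["time"], h["client"], h["kind"], h["detail"])
    print(data_lost_per_client(hits))
```

Matching on host plus exact path rather than on the bare hostname is deliberate: a hit on `send_wallet_mnemonics` means the seed phrase is already in the attacker's hands and the funds must be moved, whereas a hit only on `get_upgrade_url` shows the implant is installed but says nothing about which wallet data left the device.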
Fetching Wallet Address
To fetch the wallet address, the malware locates the UI element associated with transaction details where the user is required to enter their wallet address. In the case of the TokenPocket wallet, the malware searches for an element with the resource identifier “vip.mytokenpocket:id/tv_from” to extract the wallet address.
The identifier “vip.mytokenpocket:id/tv_from” can be found in numerous XML files within the TokenPocket wallet app, primarily associated with transactions where the user’s wallet address is shown to the user.
The malware transmits the gathered wallet address, as well as the target application’s package name and device information, to the C&C server at hxxps://bat[.]xnxnxx.top/api/v6/send_wallet_address.
Mnemonic Phrase Extraction
A mnemonic phrase is a series of words used to create and recover a cryptographic wallet. It’s also known as a “seed phrase” or “recovery phrase.” This phrase typically consists of 12, 18, 24, or more words (most commonly 12 or 24) and serves as a human-readable representation of the private key.
The malware searches for the UI element identified by the resource ID “et_mnemonic” to capture the mnemonic phrase. Subsequently, it transmits the obtained mnemonic phrase to the C&C server at hxxps://bat[.]xnxnxx.top/api/v6/send_wallet_mnemonics.
Stealing Wallet Asset Details
Cryptocurrency wallets enable users to store digital assets, commonly known as cryptocurrencies. These assets encompass a wide range of digital currencies, including but not limited to Bitcoin, Ethereum, Litecoin, Ripple, and various others. Wallet assets signify the ownership and the specific balance of a particular cryptocurrency that a user maintains within their wallet.
Regarding the TokenPocket wallet, the malware identifies the element associated with assets by utilizing the resource identifier “vip.mytokenpocket:id/rv_asset.” Subsequently, it parses the name and quantity of these assets using other resource identifiers and proceeds to transmit this pilfered information to the server, as shown in the figure below.
Stealing Private Key And Wallet Password
The private key is a secret, confidential, and unique string of characters that serves as the core element in various cryptographic processes and is used to control and access wallet assets, sign transactions, and prove ownership.
In the case of the TokenPocket wallet, the malware doesn’t include the code to steal private keys. However, this functionality is implemented for imToken and OKX wallets. The following figure depicts the code used to pilfer the private key of the imToken wallet. It searches for the “PrivateKeyString” resource identifier on the active window and then transmits the stolen data to the C&C server.
Similarly, the malware extracts passwords from the targeted application by identifying the relevant UI elements. It then sends this stolen data to the C&C server at hxxps://bat[.]xnxnxx.top/api/v6/send_wallet_password.
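The sections above show the pattern that makes this family recognisable in static analysis: a third-party APK that declares an accessibility service and also carries the fully qualified resource identifiers of someone else's wallet app (the `package:id/name` form that `AccessibilityNodeInfo.findAccessibilityNodeInfosByViewId` takes). The following added example (written for this article, not code from the report or the malware) triages a strings dump of an APK against the wallet package names, resource identifiers, Chinese string and endpoint paths named in the analysis. The two dumps are constructed stand-ins for `strings` output over `classes.dex` and the manifest; the filler lines are made up.

```python
import re

# Constructed stand-in for `strings` output over a suspicious APK. The package names,
# resource identifiers, Chinese string and endpoint path are the ones the analysis reports;
# the remaining lines are filler.
SUSPICIOUS_DUMP = """\
pkg.java.xnxx
android.permission.BIND_ACCESSIBILITY_SERVICE
findAccessibilityNodeInfosByViewId
okhttp3.OkHttpClient
im.token.app
com.okinc.okex.gp
com.bitpie
vip.mytokenpocket
vip.mytokenpocket:id/tv_from
vip.mytokenpocket:id/rv_asset
et_mnemonic
PrivateKeyString
密码不正确
https://bat.xnxnxx.top/api/v6/send_wallet_mnemonics
"""

# Constructed dump of an unrelated, benign app for comparison.
BENIGN_DUMP = """\
com.example.notes
android.permission.INTERNET
androidx.recyclerview.widget.RecyclerView
okhttp3.OkHttpClient
"""

# The APK can host an accessibility service (manifest permission) or walks the node tree
# by view id; both are real Android identifiers.
ACCESSIBILITY_MARKERS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "findAccessibilityNodeInfosByViewId",
}
# Wallet packages and UI identifiers named in the analysis.
TARGET_WALLET_PACKAGES = {"im.token.app", "com.okinc.okex.gp", "com.bitpie", "vip.mytokenpocket"}
WALLET_UI_IDENTIFIERS = {
    "vip.mytokenpocket:id/tv_from", "vip.mytokenpocket:id/rv_asset",
    "et_mnemonic", "PrivateKeyString", "密码不正确",
}
EXFIL_PATH_RE = re.compile(r"/send_wallet_(address|assets|mnemonics|password|private_key)\b")


def triage_strings(dump):
    """Match the dump against the three indicator groups and derive a verdict."""
    lines = {ln.strip() for ln in dump.splitlines() if ln.strip()}
    found = {
        "accessibility": sorted(lines & ACCESSIBILITY_MARKERS),
        "wallet_packages": sorted(lines & TARGET_WALLET_PACKAGES),
        "wallet_ui_ids": sorted(lines & WALLET_UI_IDENTIFIERS),
        "exfil_paths": sorted({m.group(0) for ln in lines for m in EXFIL_PATH_RE.finditer(ln)}),
    }
    wallet_signal = found["wallet_packages"] or found["wallet_ui_ids"] or found["exfil_paths"]
    # Accessibility plus another app's package name plus its UI ids (or the C&C paths)
    # is the Enchant pattern; accessibility plus a single wallet artefact is worth a look.
    if found["accessibility"] and found["wallet_packages"] and (found["wallet_ui_ids"] or found["exfil_paths"]):
        found["verdict"] = "likely-wallet-stealer"
    elif found["accessibility"] and wallet_signal:
        found["verdict"] = "suspicious"
    else:
        found["verdict"] = "no-match"
    return found


if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        print(name, triage_strings(dump)["verdict"])
```

The rule keys on the combination rather than on any single string because each piece is innocent on its own: screen readers legitimately bind an accessibility service, and a wallet app naturally contains its own identifiers. What a wallet app does not contain is the string form `vip.mytokenpocket:id/tv_from` (its own ids are compiled to integers), so that form appearing next to an accessibility binding in an unrelated package is the signal worth escalating.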
The analysis suggests that the TA responsible for this malware thoroughly examined the targeted cryptocurrency wallet applications, identified the UI elements that expose sensitive data, and then built in the functionality to steal that information.
In recent years, we’ve witnessed a surge in threats targeting cryptocurrency wallets, ranging from mass phishing attempts to malware attacks. Among these threats, a previously undetected malware named “Enchant” has emerged, taking advantage of the Accessibility Service feature on Android devices to target cryptocurrency wallets.
The analysis of this malicious software reveals a concerted effort to understand the inner workings of cryptocurrency wallet applications, allowing the TA to pinpoint the specific elements needed to steal sensitive information. These persistent efforts by TAs involve in-depth studies of targeted applications, enabling them to create trojanized apps or exploit UI elements effectively.
The primary objective of this malware is to pilfer critical information, including private keys, mnemonic phrases, wallet addresses, wallet passwords, and assets. With these stolen details, TAs gain unauthorized access to victims’ wallets and can carry out fraudulent transactions, potentially resulting in significant financial losses for the victims. This discovery underscores the crucial need for robust security measures when dealing with cryptocurrency and highlights the importance of staying vigilant in the face of evolving digital threats.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique (ID) | Observed behaviour |
|---|---|---|
| Defense Evasion (TA0030) | Impair Defenses: Prevent Application Removal (T1629.001) | Enchant prevents uninstallation |
| Discovery (TA0032) | Software Discovery (T1418.001) | Malware steals installed application list |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Uses keylogging to steal credentials |
| Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | Communicates with the C&C server using HTTP |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C&C server |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| c4adaa29e31d0c91b9f1edfc6efe3cb1e62daf9065eb9f17b352f019bdb4bc39 | SHA256 | Hash of analyzed APK |
| deb91020b411a453ea7831e63eec03acf429e0ed | SHA1 | Hash of analyzed APK |
| cc2ec00fe8e7e8cbe0889a04256093b9 | MD5 | Hash of analyzed APK |
| hxxps://xnxnxx[.]top/ | URL | Website hosting malware |
| | SHA256 SHA1 MD5 | Enchant malware hash |
| hxxps://xnxnx[.]cyou | URL | Website hosting malware |