New Enchant Android Malware Targeting Chinese Cryptocurrency Users

Key Takeaways

  • A new Android malware called “Enchant” has been discovered that focuses on stealing sensitive information from cryptocurrency wallet applications.
  • This malware is distributed through fake adult websites, luring users into downloading malicious APK files.
  • Enchant malware uses the Accessibility Service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallet.
  • Its primary objective is to steal critical information such as wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys from compromised devices.
  • The Threat Actor (TA) behind this malware has conducted a detailed analysis of cryptocurrency wallet applications, aiming to identify significant UI elements for stealing sensitive information.
  • The malware actively seeks out Chinese strings within the Accessibility node, indicating that this malware targets cryptocurrency users in China.


In the midst of the ongoing digital revolution, cryptocurrencies have risen as a disruptive force in the world of finance, promising financial autonomy, decentralized control, and an alternative to conventional banking systems. However, beneath the surface of this revolutionary technology, a novel and sinister threat has surfaced, one that sets its sights on cryptocurrency wallet applications.

Recently, Cyble Research and Intelligence Labs (CRIL) has uncovered a newly identified Android malware with a clear objective: to steal vital details from crypto wallet applications. This malicious software aims to seize critical information such as Private Keys, Mnemonic Phrases, Wallet Addresses, Wallet Passwords, and Asset particulars, leaving unsuspecting users vulnerable to substantial losses.

We observed that the malware is cunningly propagated through fake adult websites. To date, CRIL has identified two phishing websites, hxxps://xnxnxx[.]top and hxxps://xnxnx[.]cyou masquerading as adult content portals that facilitate the download of this Android malware. Figure 1 and Figure 2 below illustrate these deceptive phishing sites.

Malware distribution via a fake adult site
Figure 1 – Malware distribution via a fake adult site

Another phishing site distributing malware
Figure 2 – Another phishing site distributing malware

When a user clicks on the “Click to download” or “DOWNLOAD APK” button, the phishing website proceeds to initiate the download of a malicious APK from the following URLs: hxxps://xnxnxx[.]top/download/XNXX.apk and hxxps://xnxnx[.]cyou/download/XNXX.apk.

The malicious files that were downloaded exhibit a low detection rate, and after a thorough analysis of the source code, we suspect that it may be a new type of malware. Throughout our analysis, we are referring to it as the “Enchant” malware, owing to the recurring use of a package name in all of the samples.

 Enchant malware samples with low detection
Figure 3 – Enchant malware samples with low detection

The malware utilizes the Accessibility Service to steal information associated with cryptocurrency wallets by identifying their User Interface (UI) components. Presently, Enchant malware is focused on targeting four specific cryptocurrency wallets, which are detailed below:

  • (imToken)
  • (OKX)
  • com.bitpie (Bitpie Wallet)
  • vip.mytokenpocket (TokenPocket wallet)

Furthermore, we noticed that the malware scans for specific Chinese text, including phrases like “密码不正确 (Incorrect password)” and “密码不正确 (Import TRX wallet),” within the Accessibility node to pinpoint precise UI elements, as depicted in Figure 4. This suggests that the malware has been crafted with the intention of targeting cryptocurrency users in China.

Malware checking Chinese strings in the Accessibility node information
Figure 4 – Malware checking Chinese strings in the Accessibility node information

A detailed analysis of the enchant malware is carried out in the next section.

Technical Analysis

APK Metadata Information 

  • App Name: XNXX
  • Package Name:
  • SHA256 Hash: c4adaa29e31d0c91b9f1edfc6efe3cb1e62daf9065eb9f17b352f019bdb4bc39
Application metadata information
Figure 5 – Application metadata information

As previously stated, Enchant malware relies on the Accessibility Service. Upon installation, it prompts the victim to grant permission to use the Accessibility Service. Once this permission is granted, the malware begins exploiting the service to carry out malicious operations and obstructs the uninstallation process.

Malware prompting to enable Accessibility Service
Figure 6 – Malware prompting to enable Accessibility Service

Furthermore, in the background, the malware establishes a connection to the URL hxxps://bat[.] This URL sends an additional download link for an APK upgrade. However, during our analysis, we did not observe the malware actually updating the package.

Malware receiving upgrade APK URL
Figure 7 – Malware receiving upgrade APK URL

Once the Accessibility Service is granted, malware transmits data about non-system applications, including their names, package names, and device information, to the Command and Control (C&C) server at hxxps://bat[.]

Sending installed application list
Figure 8 – Sending installed application list

The moment the victim begins using the compromised device after enabling the Accessibility Service, the malware starts transmitting Accessibility event logs. These event logs enable the TA to discover not only the specific component the victim is interacting with but also the actions being performed by the victim and the keystrokes.

Sending Accessibility event logs
Figure 9 – Sending Accessibility event logs

Targeting Cryptocurrency Wallets

Much like the above functionality, the malware has exploited the Accessibility service to locate the UI elements of the targeted application and attempted to exfiltrate sensitive wallet-related information. This includes the mnemonic phrase, wallet address, wallet asset details, wallet password, and private key. The malware employs the following endpoints to transmit the stolen wallet information.

EndpointWallet Information type
/ send_wallet_addresssends wallet address
/ send_wallet_assetssends wallet asset-related information
/ send_wallet_mnemonicssends Mnemonic phrase
/ send_wallet_passwordsends wallet password
/ send_wallet_private_keysends wallet private key

Fetching Wallet Address

To fetch the wallet address, malware locates the UI element associated with transaction details where the user is required to enter their wallet address. In the case of the TokenPocket wallet, the malware is searching for an element with the resource identifier “vip.mytokenpocket:id/tv_from” to extract the wallet address.

The identifier “vip.mytokenpocket:id/tv_from” can be found in numerous XML files within the TokenPocket wallet app, primarily associated with transactions where the user’s wallet address is shown to the user.

TokenPocket XML files contains identifier
Figure 10 – TokenPocket XML files contains identifier

The malware transmits the gathered wallet address, as well as the target application’s package name and device information, to the C&C server at hxxps://bat[.]

Sending victim's wallet address
Figure 11 – Sending victim’s wallet address

Mnemonic Phrase Extraction

A mnemonic phrase is a series of words used to create and recover a cryptographic wallet. It’s also known as a “seed phrase” or “recovery phrase.” This phrase typically consists of 12, 18, 24, or more words (most commonly 12 or 24) and serves as a human-readable representation of the private key.

The malware searches for the UI element identified by the resource ID “et_mnemonic” to capture the mnemonic phrase. Subsequently, it transmits the obtained mnemonic phrase to the C&C server at hxxps://bat[.]

Sending Mnemonic phrase
Figure 12 – Sending Mnemonic phrase

Stealing Wallet Asset Details

Cryptocurrency wallets enable users to store digital assets, commonly known as cryptocurrencies. These assets encompass a wide range of digital currencies, including but not limited to Bitcoin, Ethereum, Litecoin, Ripple, and various others. Wallet assets signify the ownership and the specific balance of a particular cryptocurrency that a user maintains within their wallet.

Regarding the TokenPocket wallet, the malware identifies the element associated with assets by utilizing the resource identifier “vip.mytokenpocket:id/rv_asset.” Subsequently, it parses the name and quantity of these assets using other resource identifiers and proceeds to transmit this pilfered information to the server, as shown in the figure below.

Malware stealing wallet asset details
Figure 13 – Malware stealing wallet asset details

Stealing Private Key And Wallet Password

The private key is a secret, confidential, and unique string of characters that serves as the core element in various cryptographic processes and is used to control and access wallet assets, sign transactions, and prove ownership.

In the case of the TokenPocket wallet, the malware doesn’t include the code to steal private keys. However, this functionality is implemented for imToken and OKX wallets. The following figure depicts the code used to pilfer the private key of the imToken wallet. It searches for the “PrivateKeyString” resource identifier on the active window and then transmits the stolen data to the C&C server.

Stealing private key
Figure 14 – Stealing private key

Similarly, the malware extracts passwords from the targeted application by identifying the relevant UI elements. It then sends this stolen data to the C&C server at hxxps://bat[.]

Malware stealing wallet passwords
Figure 15 – Malware stealing wallet passwords

The analysis suggests that the TA responsible for this malware has conducted a thorough examination and attempted to scrutinize the targeted cryptocurrency wallet application. They aimed to pinpoint the significant UI elements and subsequently incorporated functionalities to steal this sensitive information.


In recent years, we’ve witnessed a surge in threats targeting cryptocurrency wallets, ranging from mass phishing attempts to malware attacks. Among these threats, a previously undetected malware named “Enchant” has emerged, taking advantage of the Accessibility Service feature on Android devices to target cryptocurrency wallets.

The analysis of this malicious software reveals a concerted effort to understand the inner workings of cryptocurrency wallet applications, allowing the TA to pinpoint the specific elements needed to steal sensitive information. These persistent efforts by TAs involve in-depth studies of targeted applications, enabling them to create trojanized apps or exploit UI elements effectively.

The primary objective of this malware is to pilfer critical information, including private keys, mnemonic phrases, wallet addresses, wallet passwords, and assets. With these stolen details, TAs gain unauthorized access to victims’ wallets and can carry out fraudulent transactions, potentially resulting in significant financial losses for the victims. This discovery underscores the crucial need for robust security measures when dealing with cryptocurrency and highlights the importance of staying vigilant in the face of evolving digital threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated.
See Cyble Vision in Action

MITRE ATT&CK® Techniques

TacticTechnique IDProcedure
Defense Evasion
Impair Defenses (T1629.001)Enchant prevents uninstallation
Discovery (TA0032)Software Discovery (T1418.001)Malware steals installed application list
Collection (TA0035)Input Capture: Keylogging (T1417.001)Uses keylogging to steal  credentials
Command and Control (TA0037)Application Layer Protocol: Web Protocols (T1437.001)Communicated with C&C server using HTTP
Exfiltration (TA0036)Exfiltration Over C2 Channel (T1646)Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
c4adaa29e31d0c91b9f1edfc6efe3cb1e62daf9065eb9f17b352f019bdb4bc39 deb91020b411a453ea7831e63eec03acf429e0ed cc2ec00fe8e7e8cbe0889a04256093b9SHA256 SHA1 MD5Hash of analyzed APK
hxxps://xnxnxx[.]top/URLWebsite hosting malware
hxxps://bat[.] server
SHA256 SHA1 MD5Enchant malware hash
hxxps://xnxnx[.]cyouURLWebsite hosting malware

Scroll to Top