A dangerous new Android malware campaign dubbed “SeedSnatcher” is actively targeting cryptocurrency users by masquerading as a legitimate wallet app named “Coin.” Analysis from Cyfirma reveals that the malware, identified by the package name com.pureabuladon.auxes, employs sophisticated techniques to steal wallet seed phrases and personal data.
Distributed primarily through Telegram and social channels, the malware lures victims into installing a fake application. Once installed, it uses a WebView to load a legitimate-looking interface from m.weibo.com, effectively hiding its malicious nature behind a trusted domain.
However, beneath the surface, SeedSnatcher is a powerful surveillance tool. “The malware features device profiling, data exfiltration, command execution, and targeted phishing of cryptocurrency wallets,” the report states.
The malware’s primary goal is financial theft. It can launch fake overlay screens that mimic popular wallets like MetaMask, Trust Wallet, and Coinbase. When a user attempts to “recover” their wallet on these fake screens, the malware captures their seed phrase. To ensure accuracy, it even “loads the full BIP 39 wordlist from the app’s assets to validate every mnemonic word the victim enters”.
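For defenders triaging suspect APKs, two details from the report are cheap to check statically: the bundled BIP 39 wordlist that the fake "recovery" screen uses to validate mnemonics, and the string indicators named above (the package name com.pureabuladon.auxes and the m.weibo.com host the WebView loads). The following script is an added illustration, not code from Cyfirma or from the malware; it treats an APK as the zip archive it is, flags any asset that has the shape of an English BIP 39 wordlist (exactly 2048 sorted lowercase words), and looks for the reported strings. The sample APK it builds is constructed in memory for demonstration and contains no real malware code.

```python
import io
import re
import zipfile

# Indicators taken from the report: package name (dotted form as in the manifest,
# slashed form as it appears in dex class descriptors) and the WebView host.
REPORTED_PACKAGE_FORMS = (b"com.pureabuladon.auxes", b"com/pureabuladon/auxes")
REPORTED_WEBVIEW_HOST = b"m.weibo.com"

BIP39_WORDLIST_LEN = 2048  # every BIP 39 wordlist has exactly 2048 entries


def looks_like_bip39_wordlist(data: bytes) -> bool:
    """Heuristic: the English BIP 39 list is 2048 lowercase ASCII words, one per line, sorted."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False  # binary asset (image, dex, etc.)
    words = [line.strip() for line in text.splitlines() if line.strip()]
    if len(words) != BIP39_WORDLIST_LEN:
        return False
    if not all(re.fullmatch(r"[a-z]+", w) for w in words):
        return False
    return words == sorted(words)


def scan_apk(apk_bytes: bytes) -> dict:
    """Return triage findings for an APK supplied as bytes (APKs are ordinary zip files)."""
    findings = {"bip39_assets": [], "package_hit": False, "webview_host_hit": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.startswith("assets/") and looks_like_bip39_wordlist(data):
                findings["bip39_assets"].append(info.filename)
            # Compiled manifests may store strings as UTF-16LE, so check both encodings.
            for form in REPORTED_PACKAGE_FORMS:
                if form in data or form.decode().encode("utf-16-le") in data:
                    findings["package_hit"] = True
            if REPORTED_WEBVIEW_HOST in data or REPORTED_WEBVIEW_HOST.decode().encode("utf-16-le") in data:
                findings["webview_host_hit"] = True
    # A bundled wordlist alone is normal for real wallets; combine it with the string indicators.
    findings["suspicious"] = bool(findings["bip39_assets"]) and (
        findings["package_hit"] or findings["webview_host_hit"]
    )
    return findings


def _synthetic_wordlist() -> bytes:
    """Constructed stand-in for the BIP 39 list: 2048 distinct, sorted, lowercase 3-letter words."""
    words = [chr(97 + i // 676) + chr(97 + (i // 26) % 26) + chr(97 + i % 26)
             for i in range(BIP39_WORDLIST_LEN)]
    return ("\n".join(words) + "\n").encode("ascii")


def build_sample_apk(include_wordlist: bool = True) -> bytes:
    """Constructed zip mimicking the reported APK's layout; placeholder contents, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.pureabuladon.auxes"/>')
        zf.writestr("classes.dex",
                    b"dex\n035\x00Lcom/pureabuladon/auxes/MainActivity;https://m.weibo.com/")
        if include_wordlist:
            zf.writestr("assets/bip39_english.txt", _synthetic_wordlist())
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

The wordlist check is a triage signal, not a verdict: genuine wallet apps ship the same list, which is why the script only marks an archive suspicious when the list appears together with one of the report's string indicators. Replace `build_sample_apk()` with the bytes of a real file under analysis to use it on a submitted APK.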
Beyond crypto theft, SeedSnatcher grants attackers near-total control over the device. It can:
- Intercept SMS: Capturing OTPs for 2FA bypass.
- Harvest Contacts & Call Logs: Uploading full address books to the attacker.
- Execute Remote Commands: Using integer-based codes (e.g., 2100 for device info, 2304 for calls) to trigger actions without alerting the user.
Evidence points to a highly organized, financially motivated group behind the campaign. The malware includes “affiliate-based distribution tracking,” where unique agent codes are embedded in download URLs. This allows the operators to “identify which team member drove each installation,” suggesting a “coordinated, multi-affiliate distribution model”.
Linguistic artifacts found in the operator interface—such as Chinese language usage—strongly suggest a China-based or Chinese-speaking origin for the threat group.