> App Review>Clipper Malware That Replaced Cryptocurrency

First Clipper Malware Was Found on Google Play

By Avery Pacheco, 22/02/2019, updated on 14/01/2022

Malware named "clipper" was found on Google Play. The malware hijacks contents on clipboards and replaces them with contents owned by the attackers. Under cryptocurrency transactions, users may replace copied wallet addresses with addresses owned by the attackers unintentionally.

Generally, address of online cryptocurrency is consisted of long strings due to safety reasons. As a result, people tend to use clipboards to copy and paste the addresses instead of keying in them into the address bar, which has been used as a loophole by clipper malware.


This malware was first discovered on Windows platform in 2017 and then later on Google Play, an Android app store, in the summer of 2018. Now, researchers found this new form of malware on Google Play again.

Though this malware was discovered for a quite short period, it has been operating for a rather long time. Researchers of ESET found one hosted site on “download.cnet.com”, one of the most popular hosted sites across the globe. In August of 2018, the first Android clipper was found it was on sale on the underground hacker forum. Since then, this malware had been discovered in several suspicious app stores.

Detected as Android/ clipper by ESET’s safety solution, the malicious software clipper masqueraded as a legitimate service app named MetaMask. Its main purpose is to steal victims’ credentials and private keys to take over their Ethereum wallets. Nevertheless, it can also replace the copied wallet address of Bitcoins or Ethereum on the clipboards with that of the attackers.

Apart from this, researchers also found Android/ limiter application was inserted by this form of malicious software. And that application was found and reported to Google Play’s security teams and was pulled from Google Play shortly after it was launched in official Android store on February 1st in 2019.

This type of attack targets at users who need service of MetaMask for Android. Its primary purpose is to run applications that decentralize Ethereum instead of running full Ethereum node. However, that service has not yet provided plug-ins which support mobile application programs for desktop browsers such as Chrome and Firefox.

To stay safe from clippers and other Android malwares, it is suggested that:

  • Update your Android device and adopt reliable mobile safety solutions.
  • Keep using official Google Play when downloading applications.
  • Check the existence of official websites of application developers or service providers. If there is no official website, take it as a warning signal.
  • Double check each step involving monetary transactions ranging from sensitive information to money. Keep checking carefully contents copied on the clipboards.