SEEDSNATCHER : Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases – CYFIRMA

SeedSnatcher (distributed as the “Coin” APK com.pureabuladon.auxes/Coin.apk) is an Android crypto-mnemonic stealer that uses WebView overlays, dynamic class loading, integer-based WebSocket C2 commands, and broad permission abuse to harvest seed phrases, SMS, call logs, contacts, screenshots, and other device data. The campaign is distributed via affiliate links on social platforms (notably Telegram), tracks installs with agent identifiers, and communicates with C2 apivbe685jf829jf[.]a2decxd8syw7k[.]top to exfiltrate stolen assets and control infected devices. #SeedSnatcher #TrustWallet

Key Points

  • SeedSnatcher is an Android crypto-mnemonic stealer packaged as com.pureabuladon.auxes / Coin.apk and promoted via Telegram using affiliate tracking codes.
  • The malware requests only a minimal visible permission set (SMS) from the user, then unlocks and exercises further capabilities remotely via integer-based C2 commands sent over a persistent WebSocket to apivbe685jf829jf[.]a2decxd8syw7k[.]top.
  • It abuses overlay and Usage Access permissions to display targeted phishing import screens for specific wallets (Trust Wallet, MetaMask, TokenPocket, Coinbase Wallet, etc.) and validates entries against the BIP39 wordlist to capture usable seed phrases.
  • Capabilities include SMS interception, call log and contact exfiltration, file/gallery scraping with screenshot prioritization, remote call/USSD execution, forced uninstall prompts, and device profiling for targeted attacks.
  • Dynamic class loading and WebView-based decoys (loading m[.]weibo[.]com) are used to evade analysis and present a legitimate interface while the real payload runs from dynamically loaded DEX modules.
  • The campaign infrastructure uses privacy-shielded, short-lived domains (registered via NameSilo) and Cloudflare, indicating disposable C2 nodes and an organized, multilingual operator team likely tied to a Chinese-speaking ecosystem.

MITRE Techniques

  • [T1456] Drive-by Compromise – Used to distribute the malicious APK via social channels and sideloading. (‘distributed through social channels such as Telegram’)
  • [T1541] Foreground Persistence – Keeps a persistent foreground presence to maintain execution. (‘Foreground Persistence’ referenced in MITRE mapping)
  • [T1603] Scheduled Task/Job – Abuses alarms and scheduling to ensure long-term background execution. (‘abuses advanced permissions like alarm scheduling and modifies system settings to run continuously in the background’)
  • [T1624] Event Triggered Execution – Triggers functionality via system broadcasts and event listeners. (‘Registered an Action SMS_RECEIVED Action Triggered’)
  • [T1624.001] Broadcast Receiver – Uses broadcast receivers (e.g., SMS_RECEIVED) to intercept messages and trigger processing. (‘It registers an SmsReceiver for the SMS_RECEIVED broadcast’)
  • [T1628] Hide Artifacts – Employs user-evasion and artifact hiding techniques to avoid detection. (‘keeps visible prompts to a minimum to avoid suspicion’)
  • [T1628.002] User Evasion – Minimizes visible permission prompts and deceives users to avoid raising suspicion. (‘intentionally keeps visible prompts to a minimum to avoid suspicion’)
  • [T1406] Obfuscated Files or Information – Uses dynamic DEX loading and packing to hide malicious payloads. (‘dynamic class loading, first executing a placeholder (fake_dex.jar) and then asynchronously loading the real payload’)
  • [T1630] Indicator Removal on Host – Includes uninstall-triggering capabilities to remove malicious traces. (‘can remotely trigger the uninstallation flow for any targeted package’)
  • [T1630.001] Uninstall Malicious Application – Forces an uninstall prompt on the user to remove security apps. (‘invoking the system’s delete package intent, it forces an uninstall prompt’)
  • [T1417] Input Capture – Captures user input via forged wallet import screens and WebView overlays. (‘serves highly targeted counterfeit recovery pages, tailored to the victim’s preferred crypto wallet, in order to harvest seed phrases’)
  • [T1517] Access Notifications – Monitors app launches and usage to trigger overlays and phishing flows. (‘tracks a predefined list of cryptocurrency apps and triggers deceptive prompts the moment those apps launch’)
  • [T1414] Clipboard Data – Harvests clipboard contents and other typed input elements to capture sensitive data. (‘BIP39 Dictionary Enforcement … to validate every mnemonic word the victim enters’)
  • [T1418] Software Discovery – Enumerates installed apps and usage to identify target wallets. (‘inspects auto start status, app usage counts, and sensitive permissions covering storage, contacts, SMS, call logs, and usage statistics’)
  • [T1426] System Information Discovery – Collects device metadata (battery, lock state, display, IP) for profiling. (‘extracts comprehensive device information, including system identifiers, language settings, screen dimensions… and the public IP address’)
  • [T1422] Internet Connection Discovery – Detects network connectivity and public IP for profiling. (‘obtains public IP address through https://txt[.]go[.]sohu[.]com/ip/soip’)
  • [T1420] File and Directory Discovery – Scans storage and enumerates gallery files and screenshots for exfiltration. (‘systematically enumerates images from the device’s gallery, collecting IDs, filenames, file paths, and timestamps’)
  • [T1430] Location Tracking – Collects location-related data as part of device profiling and discovery routines. (‘Device Profiling … inspects … screen dimensions, hardware details, software version…’)
  • [T1424] Process Discovery – Monitors running applications and processes to detect wallet activity. (‘GET_TASKS and PACKAGE_USAGE_STATS give the malware continuous visibility into which apps the user is running’)
  • [T1636.002] Call Log – Exfiltrates call history and can perform remote call actions or forwarding. (‘queries the device’s call log and extracts each entry’s ID, phone number, contact name, call date, duration, and call type’)
  • [T1636.002] Contact List – Harvests full contact lists and uploads them to the C2. (‘iterates through the device’s contact database, extracting each contact’s ID, display name, and associated phone numbers’)
  • [T1636.004] SMS Messages – Intercepts incoming SMS for OTP harvesting and stores messages locally for later exfiltration. (‘registers an SmsReceiver for the SMS_RECEIVED broadcast … Each SMS is parsed … and forwarded to a remote server’)
  • [T1636.004] Accounts – Accesses stored accounts and interacts with authenticated data (GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS). (‘Abuses the GET_ACCOUNTS and AUTHENTICATE_ACCOUNTS permissions to access stored account information’)
  • [T1616] Call Control – Executes remote calls or USSD dialling and can manipulate call forwarding. (‘When the C2 sends command 2304 … it performs remote call execution or USSD dialling’)
  • [T1533] Data from Local System – Exfiltrates files, images, and screenshots from local storage to the C2. (‘scans device storage and exfiltrates files of interest to the C2 server’)
  • [T1437.001] Web Protocols – Uses WebSocket and web protocols for C2 communication. (‘maintains a persistent WebSocket channel with the attacker’s C2 endpoint’)
  • [T1521] Encrypted Channel – Uses encrypted channels/Cloudflare-backed infrastructure for C2 and obfuscation. (‘use of Cloudflare name servers reflects an effort to mask backend hosting’)
  • [T1481] Web Services – Loads external web content (m[.]Weibo[.]com) via WebView as decoy and to present legitimate interfaces. (‘silently loads https[:]//m[.]Weibo[.]com in a WebView, using a trusted domain to present a legitimate appearance’)
  • [T1646] Exfiltration Over C2 Channel – Sends harvested mnemonics, SMS, contacts, and files over the persistent WebSocket C2 channel. (‘immediately exfiltrates it back to the server’ and ‘data-exfiltration pipeline, maintaining a persistent “ping-pong” heartbeat’)
  • [T1662] Data Destruction – Includes capabilities to delete or uninstall apps and potentially remove traces. (‘can remotely trigger the uninstallation flow for any targeted package’)
  • [T1582] SMS Control – Implements SMS sending/backdoor functionality and interception for account takeover. (‘The function “Z” acts as a Send SMS backdoor’ and ‘registers an SmsReceiver for the SMS_RECEIVED broadcast’)

Indicators of Compromise

  • [SHA256] malware binary – e80c3e4fc6ad0134bec666226561e138cdac4381740123d98f6662e72bf268db (Coin.apk)
  • [Domain / URL] C2 and infrastructure – apivbe685jf829jf[.]a2decxd8syw7k[.]top (C2), a2decxd8syw7k[.]top (registered via NameSilo)
  • [Package Name] Android package – com.pureabuladon.auxes (installer label for the Coin/SeedSnatcher APK)
  • [File Names] phishing templates and payloads – input_words_trust.xml, input_words_meta.xml, and other XML wallet template files (and 5 more XML templates listed in YARA)
  • [File Names] dynamic payload and loader – fake_dex.jar (placeholder DEX), Coin.apk (observed installer filename)
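A triage check a defender can run over a suspect APK using the indicators listed above; this is an added example, not CYFIRMA's code, and the archive it builds is a constructed stand-in that mimics the described layout rather than the real Coin.apk. It assumes the package name sits in the binary AndroidManifest.xml string pool as UTF-16LE, which holds for AAPT-built APKs, and that the C2 domain appears as a plain string inside the DEX.

```python
import hashlib
import io
import zipfile

# Indicators from the report above; the defanged C2 domain is re-joined so it can be matched.
SEEDSNATCHER_SHA256 = "e80c3e4fc6ad0134bec666226561e138cdac4381740123d98f6662e72bf268db"
SEEDSNATCHER_PACKAGE = "com.pureabuladon.auxes"
C2_DOMAIN = "apivbe685jf829jf.a2decxd8syw7k.top"
KNOWN_FILES = {"input_words_trust.xml", "input_words_meta.xml", "fake_dex.jar"}


def contains_string(data: bytes, needle: str) -> bool:
    """Match both MUTF-8 (DEX strings) and UTF-16LE (binary manifest string pool) encodings."""
    return needle.encode("utf-8") in data or needle.encode("utf-16-le") in data


def triage_apk(apk_bytes: bytes) -> dict:
    """Check an APK (a zip archive) for the SeedSnatcher indicators defined above."""
    hits = {
        "sha256_match": hashlib.sha256(apk_bytes).hexdigest() == SEEDSNATCHER_SHA256,
        "package_match": False,
        "c2_domain": False,
        "known_files": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.rsplit("/", 1)[-1] in KNOWN_FILES:
                hits["known_files"].append(info.filename)
            # Skip large media entries; manifest, dex and resources are what carry the strings.
            if info.file_size > 16_000_000 or info.filename.endswith((".png", ".jpg", ".webp")):
                continue
            data = zf.read(info)
            hits["package_match"] |= contains_string(data, SEEDSNATCHER_PACKAGE)
            hits["c2_domain"] |= contains_string(data, C2_DOMAIN)
    # The hash is an exact match; any of the other indicators alone is enough to escalate.
    hits["suspicious"] = hits["sha256_match"] or hits["package_match"] or hits["c2_domain"] or bool(hits["known_files"])
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for Coin.apk (not the real sample): a zip mimicking its layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Binary AXML keeps the package name UTF-16LE in its string pool (assumed here).
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + SEEDSNATCHER_PACKAGE.encode("utf-16-le"))
        zf.writestr("classes.dex", b"dex\n035\x00" + C2_DOMAIN.encode() + b"\x00")
        zf.writestr("assets/input_words_trust.xml", "<LinearLayout/>")
        zf.writestr("assets/fake_dex.jar", b"PK")
    return buf.getvalue()
```

Run `triage_apk(open("suspect.apk", "rb").read())` against a real file; the constructed sample will never match the SHA256, so only the package, domain and filename checks fire on it.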

Read more: https://www.cyfirma.com/research/seedsnatcher-dissecting-an-android-malware-targeting-multiple-crypto-wallet-mnemonic-phrases/