A Google Chrome extension named Shitcoin Wallet is reportedly stealing passwords and wallet private keys, according to a security researcher. The extension was caught injecting JavaScript code into web pages to steal private keys and passwords from cryptocurrency portals and cryptocurrency wallets. The extension, with Chrome extension ID ckkgmccefffnbbalkmbbgebbojjogffn, was launched on Dec. 9, 2019.

Shitcoin Wallet lets users manage Ether coins as well as Ethereum ERC20-based tokens (tokens usually issued for initial coin offerings, or ICOs), according to an introductory blog post. Users can use this extension to manage ETH coins from within the browser. They can also install a Windows desktop app should they prefer to manage their funds outside the browser.

But it appears that the wallet app is not what it promised to be. Harry Denley, Director of Security at the MyCrypto platform, recently discovered that the Chrome extension contained malicious code. According to Denley, the extension is dangerous to users in two ways.

First, any funds, whether ETH coins or ERC20-based tokens, managed directly inside the extension are at risk, Denley explains. The extension sends the private keys of all wallets created or managed via its interface to a third-party website located at erc20wallet[.]tk. Second, the extension injects malicious JavaScript code whenever the user navigates to five popular cryptocurrency management platforms.

This JavaScript code steals login credentials and private keys and sends that data to the same erc20wallet[.]tk third-party site. The analysis of the malicious code describes the process as follows:

1. "Users install the Chrome extension."
2. "Chrome extension requests permission to inject JavaScript (JS) code on 77 websites."
3. "When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js."
4. "This JS file contains obfuscated code."
5. "The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange."
6. "Once activated, the malicious JS code records the user's login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk."

The extension appears to still be available for download via the official Google Chrome Web Store. It is not yet clear whether the Shitcoin Wallet team created the malicious JavaScript code or whether the Chrome extension was compromised.

Shitcoin Wallet has not yet released any statement about this issue. In light of it, it is important to check the kind of app that we download or install. We should also take responsibility for researching apps before we install them, especially when money, or in this case cryptocurrency, is involved.
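One way to run that check on a workstation, as an added example that is not part of the original article or of Denley's analysis: a Python script that reads every manifest under a Chrome profile's Extensions directory, flags the extension ID named above, and reports which of the five targeted sites each installed extension can inject scripts into. The function names and the sample manifest are constructed for illustration; the sample is not the real extension's manifest.

```python
import json
from pathlib import Path

# Extension ID and the five targeted sites come from the article.
FLAGGED_ID = "ckkgmccefffnbbalkmbbgebbojjogffn"
TARGETS = ["myetherwallet.com", "idex.market", "binance.org",
           "neotracker.io", "switcheo.exchange"]

def pattern_host(pattern):
    """Return the host part of a Chrome match pattern, or None if it has none."""
    if pattern == "<all_urls>":
        return "*"
    if not isinstance(pattern, str) or "://" not in pattern:
        return None  # API permission such as "storage", not a host pattern
    return pattern.split("://", 1)[1].split("/", 1)[0].lower()

def covers(host, domain):
    """True if a match-pattern host reaches `domain` or one of its subdomains."""
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return host == domain or host.endswith("." + domain)

def audit_manifest(ext_id, manifest):
    """Summarise which hosts an extension can inject into (MV2 and MV3 keys)."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    hosts = {h for h in map(pattern_host, patterns) if h}
    hit = sorted(d for d in TARGETS if any(covers(h, d) for h in hosts))
    return {"id": ext_id, "flagged_id": ext_id == FLAGGED_ID,
            "host_count": len(hosts), "targets_covered": hit}

def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions dir."""
    results = []
    for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        results.append(audit_manifest(mf.parents[1].name, manifest))
    return results

if __name__ == "__main__":
    # Constructed manifest for demonstration only.
    sample = {"permissions": ["storage", "*://*.myetherwallet.com/*"],
              "content_scripts": [{"matches": ["https://www.binance.org/*"]}]}
    print(audit_manifest(FLAGGED_ID, sample))
```

Point `scan_profile` at the profile's Extensions folder (typically `~/.config/google-chrome/Default/Extensions` on Linux) and review any entry with `flagged_id` set or with a wallet or exchange site in `targets_covered` that the extension has no reason to touch.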