According to Ars Technica, the "clipper" malware app "masqueraded as a legitimate cryptocurrency app", and "worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers".
"As a result, people who meant to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers", Ars Technica reported, adding that the malware "impersonated a service called MetaMask" on the Google Play store.
Typically, cryptocurrency wallet addresses are long strings of characters for security purposes. The malware can also intercept Bitcoin (BTC) and Ethereum (ETH) wallet addresses copied to the clipboard.
ESET says it spotted the fake MetaMask app on the Play Store shortly after it appeared on February 1st. ESET reported the app to Google, and it was taken down. While there is a legitimate website called MetaMask that offers "a secure identity vault, providing a user interface to manage your identities on different sites and sign blockchain transactions", it is available only as add-ons for Chrome, Firefox, Opera, and the Brave browser. This app, though, was detected by ESET as malicious, and when ESET Android security researcher Lukas Stefanko analyzed it, he found that it was stealing users' cryptocurrency using two different attack methods.
Update your Android device in a timely fashion, and install a "reliable" security app on your phone.
Do not sideload apps. When installing apps, stick to those listed in the Google Play Store.
If the developer of an app listed in the Google Play Store does not have a website, stay away.
Double-check all transactions made online involving important financial matters.