Published on May 23rd, 2019 📆 | 4002 Views ⚑
0Fake cryptocurrency apps crop up on Google Play as bitcoin price rises
ESET researchers have analyzed fake cryptocurrency wallets emerging on Google Play at the time of bitcoinâs renewed growth
May 2019 has seen bitcoin growing, with its price climbing to its highest points since September 2018. Not surprisingly, cybercrooks were quick to notice this development and started upping their efforts in targeting cryptocurrency users with various scams and malicious apps.
One such app was recently spotted on Google Play by Reddit users, impersonating the popular hardware cryptocurrency wallet Trezor and using the name âTrezor Mobile Walletâ. We havenât previously seen malware misusing Trezorâs branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so called recovery seed, to access the stored cryptocurrency. Similar constraints apply to its official app, âTREZOR Managerâ.
Analyzing the fake app, we found that:
- it canât to do any harm to Trezor users given Trezorâs multiple security layers;
- it is connected to a fake cryptocurrency wallet app named âCoin Wallet â Bitcoin, Ripple, Ethereum, Tetherâ, which is capable of scamming unsuspecting users out of money; and
- both these apps were created based on an app template sold online.
We have reported the fake Trezor app to Googleâs security teams and reached out to Trezor about the publication of this blogpost. Trezor confirmed the fake app did not pose a direct threat to their users. However, they did express concern that the email addresses collected via fake apps such as this one could be later misused for phishing campaigns targeted against Trezor users.
At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play.
The app masquerading as a mobile wallet for Trezor was uploaded to Google Play on May 1, 2019 under the developer name âTrezor Inc.â, as seen in Figure 1. Overall, the appâs page on Google Play appeared trustworthy â the app name, developer name, app category, app description and images all seem legitimate at first glance. At the time of our analysis, the fake app even came up as the second result when searching for âTrezorâ on Google Play, right after Trezorâs official app.
What does it do?
The convincing disguise, however, begins and ends on Google Play. After installation, the icon that appears on usersâ screens differs from the one seen on Google Play, which serves as a clear indicator of something fishy. The icon of the installed app has âCoin Walletâ in it, as seen in Figure 2.
Furthermore, when users launch the app, a generic login screen is displayed, with no mention of Trezor, as seen in Figure 3. This is another indicator we are not dealing with a legitimate app. This generic screen is used to phish for login credentials â but it is unclear exactly what credentials, and what possible use they could be to attackers. Either way, whatever users enter into the fake login form is sent to the attackerâs server, as shown in Figure 4.
Â
As seen in Figure 4, the server used to harvest credentials from the fake Trezor app is hosted on coinwalletinc[.]com. Looking into the domain led us to another fraudulent app, named âCoin Walletâ on its website and âCoin Wallet â Bitcoin, Ripple, Ethereum, Tetherâ on Google Play. This app is described in the following section of this blogpost.
The Coin Wallet app and the fake Trezor app described in the previous section have a lot in common â besides using the same server, they also overlap in code and interface. The Coin Wallet app uses the same icon that we have seen in the fake Trezor app after installation.
On its website, the Coin Wallet app is described as the âWorldâs leading Coin Walletâ, as seen in Figure 5.
The website contains a link to Google Play, where the app was available from February 7, 2019 until May 5, 2019 under the name âCoin Wallet â Bitcoin, Ripple, Ethereum, Tetherâ, as seen in Figure 6. During that time, it was installed by more than 1000 users.
The website also appears to link to Appleâs App Store, but clicking the âAvailable on the App Storeâ button only leads to the URL of the PNG image.
What does it do?
The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackersâ wallets â a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware.
How this works is that the app pretends to generate a unique wallet address where users can transfer their coins. In reality, this address belongs to the attackersâ wallet, as only they have the private key necessary for accessing the funds. The attackers have one wallet for each supported cryptocurrency â 13 wallets altogether â and all victims with any specific targeted cryptocurrency are given the same wallet address.
Looking at the shared graphic elements of this and the fraudulent Trezor app, it seems that both have been created on the same basis. A Google search for âcoinwallet app templateâ returns a generic âAndroid cryptocurrency wallet templateâ available for $40. The template itself is a benign asset turned malicious in the hands of attackers; however, we see here how such assets may be used by more attackers to create deceptive apps quickly and cheaply.
If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere. When installing apps, it is important to stick to some basic security principles â even more so when money is at stake.
- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy
- Keep your device updated
- Use a reputable mobile security solution to block and remove threats
Package Name | Hash | Detection |
---|---|---|
com.trezorwalletinc.cryptocurrency | 0021A89588C8CEB885A40FBCCA6DD76D | Trojan.Android/FakeApp.KO |
com.walletinc.cryptocurrency | EE9E4AD693A0F0C9971145FB0FB0B85C | Trojan.Android/FakeApp.KO |
Cryptocurrency | Wallet |
---|---|
BTC | 17jAe7hTZgNixT4MPZVGZD7fGKQpD9mppi |
DOGE | DGf6dT2rd9evb4d6X9mzjd9uaFoyywjfrm |
ETH | 0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C |
LTC | Lg64xV4Mw41bV3pTKc5ooBJ4QZ81gHUuJ6 |
BCH | qq9cjckr3r9wl5x4f3xcfshpcj72jcqk9uu2qa7ja2 |
DASH | Xu6mkZNFxSGYFcDUEVWtUEcoMnfoGryAjS |
ZEC | t1JKPTwHJcj6e5BDqLp5KayaXLWdMs6pKZo |
XRP | raPXPSnw61Cbn2NWky39CrCL1AZC2dg6Am |
USDT | 0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C |
XLM | GDZ2AT7TU6N3LTMHUIX6J2DZHUDBU74X65ASOWEZUQGP7JMQ237KDBUX |
TRX | TAm4fPA6yTQvaAjKs2zFqztfDPmnNzJqi2 |
ADA | DdzFFzCqrhswWLJMdNPJK8EL2d5JdN8cSU1hbgStPhxDqLspXGRRgWkyknbw45KDvT2EJJhoPXuj2Vdsj6V6WWM5JABoZ4UhR7vnRopn |
NEO | AJqeUDNrn1EfrPxUriKuRrYyhobhk78zvK |
Gloss