Four More Malicious Cryptocurrency Apps on Google Play

Bad news again for Google Play Store, four more fake, malicious cryptocurrency apps have been identified this week.

HackerCombat had reported, two days ago, of a Trojanized app with more than 5,000 installs being detected in the Google Play store. Now, four more fake apps have been discovered, and that too by the same security researcher who had found the Trojanized app.

Security researcher Lukas Stefanko, who discovered these four fake apps, which masquerade as cryptocurrency wallets for NEO, Tether, and MetaMask, has written a detailed blog post on the issue. He writes, “Attackers are not only interested in mobile banking credentials and credit cards information to get access to victim’s funds, but also in cryptocurrency. Recently, I found four fake applications on Google Play Store that tried to trick users either in to luring their credentials or impersonating cryptocurrency wallets. These threats imitate legitimate services for NEO, Tether and MetaMask.”

These apps, which had managed to get a few hundred installs in total, have been there on Google Play since mid-October.
The four fake apps fall into two categories- the phishing category and the fake wallets category. The fake MetaMask app falls in the phishing category, in which the malicious app, after being launched, asks the user his private key and wallet password. The other three apps come in the fake wallets category; two pretending to be NEO wallets and the third as Tether wallet.

Stefanko explains the functionality of the fake apps- “Fake cryptocurrency wallets do not create new wallet by generating public address and private key. These malicious apps only display attacker’s public address without user’s access to private key. Private key is owned by the bad guy. Once the fake app is launched, user thinks that app already generated his public address where user can deposit his cryptocurrency. If user send his funds to this wallet, he is not able to withdraw them because, he doesn’t own private key. For this purpose, I created two different accounts, however in both of them app assign me the same public address, including the QR code.”

Stefanko had promptly reported the fake apps to the Google security team and they were promptly removed.

Though it’s still not clear if these apps have been used to dupe anyone till date, there is something that deserved to be noted, with concern. Stefanko explains that these fake wallet apps were created using Drag-n-Drop app builder service and required no knowledge about coding. Thus, there is a danger lurking- once there is a rise in Bitcoin price and it comes to the front pages, then anyone can, without any coding knowledge or experience, “develop” such simple, effective malicious apps and then use the same to either steal credentials or to impersonate cryptocurrency wallet.

The fake apps are hard to spot; you can spot them only if you pay close attention. A detailed report on The Next Web explains, “They appear to display a public key owned by the user, however, these apps are actually displaying the scammer’s public key and QR code, the private key is also owned by the attacker. The address is the same for every account on this app… This means that any funds deposited into that wallet’s address get sent directly to the scammer’s own wallet. Once this happens the funds can no longer be accessed by the victim.”

To prevent being duped by such fake apps, a user, on installing and logging in to a new cryptocurrency wallet, should make sure that it has loaded his own private key. If he is unable to find his private key, that shows that the app might have a permanent private key, which is indicative of it being a compromised app.