It seems we might never win the battle against fake cryptocurrency apps on Google’s Play Store, as another four have been identified this week.
The apps were masquerading on the Play Store as cryptocurrency wallets for NEO, Tether, and MetaMask. The dodgy apps were uncovered by security researcher Lukas Stefanko and had managed to amass a few hundred installs in total and have been available on the Play Store since mid-October.
They have since been reported to Google and removed from the Play Store, it remains unclear if anyone was duped by any of these apps.
What did they do?
Despite all being wallet styles apps, they fall into two broad categories, phishing apps or fake wallets.
The fake MetaMask app was the only phishing app of the four. After installing and opening the application, it would ask the user for their private key and wallet password.
Once the app obtains this sensitive data, it would send it on to the scammers, siphoning the users’ cryptocurrency funds as they please.
The second group is all fake wallets. Two were pretending to be NEO wallets and the other for controversial stablecoin Tether.
These apps are hard to spot if you don’t pay close attention.
They appear to display a public key owned by the user, however, these apps are actually displaying the scammer’s public key and QR code, the private key is also owned by the attacker. The address is the same for every account on this app.
This means that any funds deposited into that wallet’s address get sent directly to the scammer’s own wallet. Once this happens the funds can no longer be accessed by the victim.
Perhaps most alarming of all is that these apps were created using “AppyBuilder,” a drag-and-drop app builder which requires no coding knowledge to produce a working app.
This means that pretty much anyone could create a basic but malicious app designed to steal cryptocurrency from unwitting victims.
Stefakno recommends that any time you install and login to a new cryptocurrency wallet, make sure it has loaded your own private key. If you can’t find your private key, it’s likely the app has permanent private key that should be considered compromised.
There have been a whole host of illegitimate cryptocurrency apps found on the Play Store in recent months.
Last week EOS developers warned users of a fake version of their own wallet app hosted on the Play Store. Earlier this month, Stefanko also found a Google Play app that used on-screen phishing to steal users’ cryptocurrency exchange login details.
There was even an app that cost over $350 and all you got was a picture of the Ethereum logo.
Published November 14, 2018 — 15:09 UTC