As Bitcoin surges, hackers rush to spread cryptocurrency malware on Google Play

One app pretended to be a Trezor wallet

An unfortunate consequence of Bitcoin’s price revival in recent weeks is the resurgence of cryptocurrency malware on Google Play.

ESET security researchers have verified that there were at least two apps on Google Play specifically designed to steal users’ coins. One such app, called Trezor Mobile Wallet, was masquerading as an app version of the popular hardware wallet, Trezor.

After analyzing the app, researchers found that it can’t actually do any harm to Trezor users. But it is connected to another fake wallet called “Coin Wallet,” which does have the potential to scam unsuspecting users out of money.

The fake Trezor app was uploaded on May 1, 2019, and appeared second in the search results behind Trezor’s legitimate app, ESET security researcher Lukas Stefanko points out.

Since it made it to Google Play (where software has supposedly undergone security checks), there is no reason to believe it is a fake app. It even features imagery and materials that belong to the real Trezor app.

Credit: We Live Security, ESET
Fake Trezor wallet app listing on Google Play

That said, once it’s installed, the app’s homescreen icon actually has a “Coin Wallet” logo as opposed to Trezor’s. It’s here that any mention of Trezor ends.

When the user opens the app, a login screen appears, which is used to phish for users’ sensitive data. Stefanko says it’s unclear what the login credentials will be used for, but all this data is purportedly sent to the scammers’ servers.

Credit: We Live Security, ESET
Password and username forwarded to Coin Wallet (attacker) servers

The Coin Wallet app, though, is much more nefarious. It implements a simple wallet address scam: rather than depositing funds into the Coin Wallet app as they are led to believe, users are tricked into transferring their cryptocurrency into the scammer’s wallet.

The most terrifying part is that both these apps were made based on templates that can be sourced online for $40. The templates aren’t malicious by nature, as they are designed to generate a generic cryptocurrency wallet app. These templates, however, can be modified by attackers to divert a user’s cryptocurrency funds into the attackers’ own wallets.

This isn’t the first time that cryptocurrency scamming apps have been found on Google Play. Around this time last year, Google Play was suffering an epidemic of sorts, awash with apps designed to steal cryptocurrency from unsuspecting users.

Thankfully, on this occasion, both apps appear to have already been removed from Google Play at the time of writing.

Published May 23, 2019 — 10:25 UTC