Fake cryptocurrency apps that scam users out of their digital currency and steal personal details have resurfaced on the Google Play Store.
One app impersonated popular hardware cryptocurrency wallet Trezor, according to researchers at cybersecurity firm ESET. The fake version was designed to harvest credentials and is connected to a fake cryptocurrency wallet app named ‘Coin Wallet – Bitcoin, Ripple, Ethereum, Tether’.
While the illegitimate Trenzor app isn’t able to breach the real Trenzor app’s multiple security layers and steal funds, the connected Coin Wallet app is capable of scamming users out of money.
“We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app,” explains Lukáš Štefanko, the ESET researcher who conducted the research.
“After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so-called recovery seed, to access the stored cryptocurrency.”
The two fake apps have similarities in code and interface, say ESET.
Trezor was uploaded to Google Play on 1 May under the developer name ‘Trezor Inc.’ It came up as the second app on the Google Play store, behind the legitimate version – giving users more reason to trust it.
The Coin Wallet app was available on the Google Play Store from February 2019 and was designed to trick users into sending crypto to a scammer’s wallet. The server used to harvest personal details stolen via the fake Trezor app was hosted on coinwalletinc.com.
“The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named wallet address scams in our previous research into cryptocurrency-targeting malware,” says Štefanko.
ESET says it has reported the fake apps to Google’s security team. Neither are now available on the Play Store.
Trezor told ESET that the fake app did not pose a direct threat to its users, but did express concern that email addresses could be misused in phishing campaigns.
How to avoid fake cryptocurrency apps
For crypto users, Štefanko offers four tips on how to stay safe with cryptocurrencies online:
- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service.
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy.
- Keep your device updated.
- Use a reputable mobile security solution to block and remove threats.
The fake apps are the latest in a long line of scams, with bogus apps regularly popping up over the last few years.
£27m stolen by crypto scammers
The latest fake cryptocurrency apps coincide with Bitcoin’s recent price recovery, suggesting scammers are taking advantage of renewed interest in the digital currency. At around £6,000, the Bitcoin price is higher than it has been since July 2018.
If follows the recent warning by the Financial Conduct Authority and Action Fraud that victims have lost over £27m to crypto scams in the last financial year.
“It’s been like the wild west, with get rich quick schemes luring in naive investors who see cryptocurrencies as an easy way to make a quick buck, without fully understanding the underlying technologies of what a true cryptocurrency is, or should be,” said temtum founder and senior cryptography advisor, Richard Dennis.
“Whether through fraudulent means or the failure of teams in delivering their products, people are losing their money and it’s extremely damaging for what is game-changing technology.”