Hack #5 – Malicious Wallet App

Beginner Feb 7, 2020

Key takeaways:
– Malicious apps can be installed onto your smartphone to steal its data
– This includes highly sensitive information such as login details to your e-mail and crypto accounts
– Ledger hardware wallets keep your crypto assets secure and defend them against these types of attacks.


Smartphones present tempting troves of data for hackers. They can carry everything from someone’s most personal data (e.g., e-mails, photos) to crypto assets via mobile wallets. One of the most popular methods for attackers to steal user crypto funds, passwords, and other data is through part of a smartphone that people rarely authenticate — applications. 

On average, 77 percent of mobile users stop using an application – or “app” for short – within 72 hours of downloading it. Many users then leave these apps on their phones without deleting them, and eventually forget about them entirely. 

This presents a significant opportunity for an attacker to deploy malicious apps to mobile app stores. In the context of crypto assets, research found 661 blacklisted cryptocurrency apps widely available on Google Play, Apple’s App Store, and other mobile app marketplaces. 

How does it work?

One of the most common ways these malicious applications harmed users was by posing as a Bitcoin wallet app or an exchange app. 

In one scenario, the hacker’s application would interfere with the native clipboard of the phone. Whenever a user attempted to copy and paste a cryptocurrency address into a wallet app, the hacker’s wallet address would covertly replace the actual intended address. As such, the unsuspecting user would send their crypto assets to the attacker’s wallet. 

Some malignant mobile applications even show pre-set public keys (owned by the hacker) as “newly generated” keys for a victim. Surveillance software could be paired with code that enables a hacker to know the user’s seed phrase, allowing them to strike at an opportune time — like when a considerable amount of assets are in the unfortunate target’s wallet.

Any deposits or transactions sent to the victim’s “new” address would therefore go to the attacker.

Similar attacks include the mimicking of exchange apps. For example, before some exchanges actually develop or release a mobile app, hackers can build malicious replicas of exchange apps that masquerade as the official version. Such an attack happened multiple times with the exchange Poloniex, which did not have a formal mobile exchange application until July 2018. 

These fake apps impersonate official exchanges. Users who signed in to such a malicious app with their exchange credentials would unknowingly hand those credentials to the attacker, leaving the victim’s crypto assets at the assailant’s mercy.

Another form of malicious crypto app imitates a mobile mining wallet. In these cases, the app pretends to mine a cryptocurrency in the background, encouraging the user to keep it open. In reality, it simply plants malware on the user’s phone, such as surveillance software or code that alters other applications. Other versions of malicious mining apps may just display ads to reap a small profit. 

What you can do to mitigate the risks

The takeaway is that many applications in some of the most popular app stores can be developed and released by hackers targeting unsuspecting victims. There are several steps that users can take to mitigate such risks: 

  1. Do not download a wallet, exchange, or other crypto app from unverified sources. 
  2. Monitor your phone for unusual battery usage. Delete old apps that you no longer use. 
  3. Always double-check wallet addresses when sending or receiving with your hardware wallet. 
  4. Avoid mining applications: while exceptions exist, you would most likely be installing malware, as smartphones are not powerful enough for mining purposes. 
  5. In the case of exchange apps, check the exchange’s website and official documentation to ensure it has an official mobile app for your mobile operating system. 
  6. Check the number of downloads. Apps with minimal downloads and reviews should be approached with caution. 
  7. Always use two-factor authentication (2FA). 2FA is not a guaranteed defense, but it makes hacks much harder. 
  8. Keep apps updated. It is critical to your phone’s security. 

Vigilance on the part of the user is critical. However, in the case of cryptocurrencies there is an easy way to protect them. Hardware wallets like the Ledger Nano X and Ledger Nano S provide many safeguards against malicious wallet apps that are otherwise much more difficult to defend against. 

For example, Ledger wallet seed phrases are generated directly on the device, which stays offline, and they cannot be extracted from it. As such, the seed remains out of reach of online hacks. Ledger’s entropy generation has even received one of the highest certifications for a random number generator. 

Hardware wallets are also impervious to attacks on the smartphone itself, because sending and receiving addresses must be verified on the physical device. The same applies to a malicious wallet or exchange app that swaps the user’s intended address for the hacker’s whenever they send funds: physical confirmation of the destination on the device is always required. 

Any discrepancy between the interface on the computer or phone and the physical hardware device will raise red flags immediately. 
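The clipboard-swap scenario described earlier and the on-device confirmation that defeats it, as an added simulation that is not code from this article or from Ledger. The phone app, the "paste" behaviour, the device confirmation step and the sample addresses are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample addresses (not real, no funds): the recipient the user
# means to pay, and an attacker-controlled one a swapping app would substitute.
INTENDED_ADDRESS = "bc1qexampleintendedrecipient000000000000"
ATTACKER_ADDRESS = "bc1qexampleattackercontrolled0000000000"


def honest_paste(copied_text: str) -> str:
    """A well-behaved clipboard returns exactly what was copied."""
    return copied_text


def swapping_paste(copied_text: str) -> str:
    """Abstract model of the behaviour the article describes: anything that
    looks like a Bitcoin address is replaced by the attacker's address.
    No OS clipboard API is touched; this only drives the simulation."""
    if copied_text.startswith(("1", "3", "bc1")):
        return ATTACKER_ADDRESS
    return copied_text


@dataclass(frozen=True)
class TxRequest:
    destination: str   # what the phone app will ask the device to sign
    amount_sat: int


def build_tx_on_phone(paste: Callable[[str], str], amount_sat: int) -> TxRequest:
    """The phone-side wallet app trusts whatever the clipboard hands it."""
    return TxRequest(destination=paste(INTENDED_ADDRESS), amount_sat=amount_sat)


def device_confirm(tx: TxRequest, expected_destination: str) -> bool:
    """The hardware-wallet step: the device displays the destination taken from
    the unsigned transaction, and the user compares the FULL string against the
    address they actually meant to pay. Signing proceeds only on an exact match;
    the phone app has no way to alter what the device screen shows."""
    return tx.destination == expected_destination


def attempt_send(paste: Callable[[str], str], amount_sat: int) -> tuple:
    """End-to-end flow: returns ("signed", dest) or ("rejected", dest)."""
    tx = build_tx_on_phone(paste, amount_sat)
    if not device_confirm(tx, INTENDED_ADDRESS):
        return ("rejected", tx.destination)   # discrepancy caught on the device
    return ("signed", tx.destination)
```

With a clean clipboard the transaction is signed; with the swapping behaviour the device shows the attacker's address, the comparison fails and nothing is signed.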

Constant vigilance is required when handling crypto assets, but hardware wallets implement safeguards that give users fallback options in case something is amiss. If you use a hardware wallet in combination with your smartphone, hackers will have a herculean task on their hands to try and steal your funds.
