You could be cheated out of your cryptocurrency by sending it to an alleged prince in dire need of help. Or you could download a fake crypto app from Apple’s App Store or Google Play that masquerades as a popular wallet.
In this form of phishing, users enter their passphrases and private keys into the fake app, making it possible for the app creator to steal their crypto.
It’s a common scam that succeeds despite the review processes of Apple and Google in their app stores. In a recent investigation with CoinDesk, the ExpressVPN Digital Security Lab helped to identify a number of these fake apps.
[Know your privacy risks. Subscribe to the ExpressVPN Blog Newsletter.]
What is a crypto wallet?
Hardware wallets are small devices, often resembling a USB stick, where you store the private keys or credentials to access your crypto. That could be Bitcoin, another rising currency like Cardano, or multiple assets. By plugging a hardware wallet into your device and authenticating, you can conveniently access and trade your crypto.
This method of accessing crypto assets is considered extremely secure. Hardware wallets are classified as “cold storage,” meaning your private keys are never exposed to the internet. Instead, they are safely in your pocket or a safe. Since the wallet is protected by a passphrase or some other form of authentication, someone who steals or finds your wallet would still not be able to access your keys.
Though the main reason to use a hardware wallet is to isolate your private keys from software, there are some hardware wallets that communicate through apps and there are also software-based crypto wallets that don’t require separate hardware.
Due to the complexity of crypto technology and the sheer multitude of options, consumers may not know the difference between all the options or truly understand that, for example, a hardware wallet like Trezor doesn’t have an official app in Apple’s App Store.
How do fake crypto wallet apps work?
First, the user has to be tricked into downloading the app. A thief might create an app using the logo and website of a reputable crypto wallet maker. Someone who comes across the app would gain confidence in its legitimacy from these characteristics, especially if it is found in Apple and Google’s marketplaces.
Going further, the app maker could target a known user of a hardware wallet (or any other crypto wallet) to download its supposed app via email or text message. Once the user has the app installed, all the scam wallet creator needs is for the user to input their passphrase and private keys. Though the user may think they are using the app to make a transaction or otherwise update their wallet, their private credentials have been exfiltrated to a scam server somewhere on the internet.
How common are crypto scam apps?
These scams are very common and seem to be growing. There are likely some of these fake apps in the Apple and Google app stores right now.
Last month, blockchain news site CoinDesk contacted Sean O’Brien, head researcher at the ExpressVPN Digital Security Lab, to analyze an app that appeared to be from Trezor, the most popular hardware wallet maker. The app used Trezor’s logo and linked to its real website but didn’t have any real functionality.
When users entered their passphrase into the app, any text they typed was sent directly to the app creator’s server. Tests of the network traffic confirmed this and also identified the location of the server, which also hosted a scam for BC Vault, another crypto wallet.
Digital Security Lab also tracked down a number of fake apps bearing the names of crypto brands Cardano, Exodus, Polkadot, and Coinbase. CoinDesk reported these findings to Apple and Google, as well as the web hosting services connected to these apps. The apps have since been removed and all of the associated websites have been taken down.
Read more: Got a tip on privacy issues? Let Digital Security Lab know anonymously
How to identify and avoid fake crypto apps
App stores depend upon the information volunteered by developers who upload an app for review. If an app isn’t really representing a legitimate product, it has to be caught by Apple or Google before it is published. When developers are dishonest or outright impersonators, the false information will remain in the app listing until the app is reported to Apple or Google and removed by them.
In the world of cryptocurrency, there are a lot of fakes pretending to be legitimate versions for popular wallets, like Trezor, or exchanges like Coinbase. The information in listings for these apps, or any apps related to finances, should be heavily scrutinized by consumers. You can’t trust that the developers have been honest about the privacy of the app, let alone its security. Only install crypto wallet apps if absolutely necessary and recommended by the official product vendor.
When you’re evaluating an app in Apple’s App Store or Google Play, pay attention to the details in the listing. Take your time and don’t assume the app is legitimate just because of its name – also evaluate the developers and whether they seem trustworthy. Although reviews can be bought and can’t be completely trusted, look for one or two-star reviews and see if other users have already fallen prey to the scam and have left a bad review.
If the information in an app listing doesn’t match the information on the official website for a product, stay far away from that app. If users looked up the creators of the scam Trezor and Cardano apps in a search engine, for example, they might have noticed the names in those app listings had nothing to do with the official products or currencies. In the case of Trezor, there is no official app for iOS at all.
Consumers should also be wary of common identifiers of phishing scams such as typos, broken links, and unusual contact information. Follow our pointers for avoiding phishing attacks while applying those tips to this new, app-based context.
Read more: All in your head: Creating a Bitcoin ‘brainwallet’ with Diceware