In May 2019 the value of bitcoin reached its highest point since September 2018. Cybercriminals noticed this rise and stepped up their efforts to attack cryptocurrency users through scams and malicious applications. The research laboratory of ESET Latin America, a leading proactive threat detection company, analyzed the presence of fake cryptocurrency applications on Google Play.
Posing as a mobile wallet for Trezor, the app was uploaded to Google Play on May 1, 2019 under the developer name “Trezor Inc”. At first glance the application's page on Google Play seems trustworthy if you look at the name of the app and its category, the developer’s name, the description of the app and the images. At the time of ESET's analysis, the fake application even appeared as the second result in a search for the term “Trezor” on Google Play, just after the official Trezor app.
A Reddit user was the one who spotted the malicious application on Google Play impersonating the popular Trezor cryptocurrency hardware wallet. The fake application had the name “Trezor Mobile Wallet”. The official hardware wallet is called “Trezor Manager” and requires physical manipulation and authentication using a PIN.
After the fake application is installed, the icon that appears on the user’s screen differs from the one shown on Google Play, which is an indicator that something is wrong. The installed application's icon carries the name “Coin Wallet”.
When users run the application, a generic login screen is displayed that does not mention Trezor anywhere. This is another indicator that the application is not legitimate. The generic screen is used to steal login credentials, although it could not be determined which credentials are targeted or what use the attackers would make of them. Whatever information the user enters in those fields is sent to the attackers’ server.
After analyzing the fake application, ESET found that it cannot do any damage to Trezor users because of the multiple layers of security of the official application. However, it is connected to a fake cryptocurrency wallet app called “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”, which is able to scam unsuspecting users out of their money. Both fake applications were built from an application template that is sold online.
Coin Wallet, meanwhile, contains a link to Google Play and was available from February 7, 2019 to May 5 of the same year, under the name “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”. During that time, the app was installed by more than 1000 users. The scam worked by making them believe that the application generated a unique wallet address to which users could transfer their coins. In fact, this address belonged to the attackers’ wallet, since only they had the private key needed to access those funds.
If Bitcoin continues to rise, more cryptocurrency scams are expected to emerge in the official Android app store. ESET recommends following certain security principles when installing applications, especially if there is money involved:
- Only trust cryptocurrency-related and other financial apps if they are linked from the official website of the service
- Only enter sensitive information in online forms if you are sure of their security and legitimacy
- Keep your devices updated
- Use a reliable mobile security solution to block and remove threats
ESET reported the fake Trezor application to the company and to Google's security team. Trezor confirmed that it did not represent a direct threat to its users. However, the company did express concern about the email addresses collected through fake applications like this one, which could then be used for phishing campaigns targeting Trezor users. At the moment neither the fake Trezor app nor the Coin Wallet app is available on Google Play.