Google’s official Play Store has been caught hosting malicious apps that targeted Android users with an interest in cryptocurrencies, researchers reported on Thursday.
In all, researchers with security provider ESET recently discovered two fraudulent digital wallets. The first, called Coin Wallet, let users create wallets for a host of different cryptocurrencies. While Coin Wallet purported to generate a unique wallet address for each user to deposit coins into, the app in fact used a single developer-owned wallet for each supported currency, with a total of 13 wallets. Every Coin Wallet user was assigned the same wallet address for a given currency.
“The app claims it lets users create wallets for various cryptocurrencies,” ESET Malware Researcher Lukas Stefanko wrote in a blog post. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets—a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware.”
The app was available from February 7 to May 5. The full name was Coin Wallet—bitcoin, Ripple, Ethereum, Tether. During its tenure, it was installed more than 1,000 times.
A second fraudulent Android wallet used the name “Trezor Mobile Wallet,” in an attempt to impersonate the widely used hardware cryptocurrency wallet Trezor. The app then instructed users to enter log-in data and sent it to a server controlled by the developers. Multiple security layers built into real Trezor wallets prevented any credentials entered from accessing legitimate accounts. Still, any email addresses or other personal data could potentially be used in phishing attacks.
Stefanko said the fake Trezor app listing on Play appeared to be trustworthy at first glance because the name, developer name, app category, app description, and images all seemed legitimate. It also appeared as the second result when searching Play for “Trezor.”
Once installed, however, it was easily identified as a fake. The icon shown on phone screens was distinctly different from that of the genuine Trezor app and even showed the words “Coin Wallet” in it. It’s not hard to see why it was spotted as a fake in a Reddit forum post dated May 12. Stefanko said the app was uploaded to Google Play on May 1. A Reddit user reported it had “50+ downloads” when it was outed as fake.
Both apps connected to the same coinwalletinc[.]com domain. Google has since removed both apps from Play.
The discovery comes as the price of bitcoin surged earlier this month to its highest level since last July. “Not surprising,” Stefanko wrote, “cybercrooks were quick to notice this development and started upping their efforts in targeting cryptocurrency users with various scams and malicious apps.”