Researchers have found two apps masquerading as cryptocurrency apps on Android’s app store, Google Play.
One of them was largely a dud. The second was designed to steal cryptocurrency, the researchers said.
Security firm ESET said one of the two fake Android apps impersonated Trezor, a hardware cryptocurrency wallet. The good news is that the app couldn’t be used to steal cryptocurrency stored by Trezor. But the researchers found the app was connected to a second Android app that could have been used to scam funds out of unsuspecting victims.
Lukas Stefanko, a security researcher at ESET — who has a long history of finding dodgy Android apps — said the fake Trezor app “appeared trustworthy at first glance” but was using a fake developer name to impersonate the company.
The fake app was designed to trick users into turning over a victim’s login credentials. Uploaded to Google Play on May 1, the app quickly ranked as the second-most popular search result when searching for “Trezor” behind the legitimate app, said Stefanko. Users on Reddit also found the fake app and reported it as recently as two weeks ago.
According to Stefanko, the server where user credentials were sent was linked to a website linked to another fake wallet, purportedly to store cryptocurrency, and also listed on Google Play since February 25.
“The app claims it lets its users create wallets for various cryptocurrencies,” said Stefanko. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named wallet address scams in our previous research into cryptocurrency-targeting malware.”
Both apps were collectively downloaded more than a thousand times. After ESET contacted Google, the apps were pulled offline the next day.
- Half a million Android users tricked into downloading malware from Google Play
- Security researchers find over a dozen iPhone apps linked to Golduck malware
- A powerful spyware app now targets iPhone owners
- Google warns app developers of three malicious SDKs being used for ad fraud
- Apple tells app developers to disclose or remove screen recording code
- Apple restores Google’s internal iOS apps after certificate misuse punishment