Lukas Stefanko, a malware researcher and blogger, recently identified four crypto-stealing wallet apps hosted on the Google Play Store:
“These threats imitate legitimate services for NEO, Tether and MetaMask. I reported these apps to the Google security team and they were promptly removed.”
Stefanko divided the fraudulent wallets into two types: phishing and fake wallets.
The fake MetaMask wallet found by Stefanko uses a phishing attack.
Installing MetaMask and other apps can be somewhat tedious, and a request for setting up a dedicated username and password for an app could easily be confused with a request for existing password info by a neophyte or user not paying adequate attention.
Stefanko found three fake wallet apps, two designed to “transmit and hold” NEO cryptocurrency and one handling Tether.
Stefanko signed up for both of the bad NEO wallet apps. When he took steps to load the wallets with cryptocurrency, neither app generated a legitimate wallet address; both produced identical wallet addresses and QR codes, those of the attacker:
“Once the fake app is launched, the user thinks that the app already generated his public address where the user can deposit his cryptocurrency. If the user sends his funds to this wallet, he is not able to withdraw them.”
Stefanko says his main concern is that these apps were all created by scammers using a drag-and-drop app builder, meaning few programming skills are required to create similar fraudulent apps.
Stefanko wonders whether the ease of fraudulent app creation could lead to an explosion of app-based crypto-stealing scams in a future crypto bull market, where fear of missing out (FOMO) could push many exuberant parties to download dangerous malware.
In addition, reputable hardware wallets often do not support smaller cryptocurrencies, which makes it more likely that a trader or user of small-cap cryptos will be pushed into downloading a questionable software wallet.
In a video attached to the blog post, Stefanko says that one of the fake NEO wallet apps has been downloaded more than 100 times since it was launched in mid-October.
Unlike money transfers completed by credit card, cryptocurrency sent to a bad address cannot be forcibly recovered.