QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2019
GLOBAL
TREZOR
DESCRIPTION OF EVENTS
"The safe place for your coins." "Store your coins with Trezor." "Hardware wallet is the safest way to manage & trade your cryptocurrencies."
"This is not the first time that a fake app has been listed on Google Play. In May 2019, Cointelegraph reported on a malicious Google Play app imitating Trezor wallet." ESET said "We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so called recovery seed, to access the stored cryptocurrency. Similar constraints apply to its official app, “TREZOR Manager”."
"One such [fake] app was recently spotted on Google Play by Reddit users, impersonating the popular hardware cryptocurrency wallet Trezor and using the name “Trezor Mobile Wallet”." "While the app’s page on Google Play looked legitimate, the researchers said the software itself contains no Trezor branding at all, with a generic login screen phishing for credentials."
"The app masquerading as a mobile wallet for Trezor was uploaded to Google Play on May 1, 2019 under the developer name “Trezor Inc.”, as seen in Figure 1. Overall, the app’s page on Google Play appeared trustworthy – the app name, developer name, app category, app description and images all seem legitimate at first glance. At the time of our analysis, the fake app even came up as the second result when searching for “Trezor” on Google Play, right after Trezor’s official app."
"The app was found by ESET antivirus researchers, who said that they expect more crypto scam apps to enter the Android store as the crypto market grows."
"The convincing disguise, however, begins and ends on Google Play. After installation, the icon that appears on users’ screens differs from the one seen on Google Play, which serves as a clear indicator of something fishy. The icon of the installed app has “Coin Wallet” in it, as seen in Figure 2."
"Furthermore, when users launch the app, a generic login screen is displayed, with no mention of Trezor, as seen in Figure 3. This is another indicator we are not dealing with a legitimate app. This generic screen is used to phish for login credentials – but it is unclear exactly what credentials, and what possible use they could be to attackers. Either way, whatever users enter into the fake login form is sent to the attacker’s server, as shown in Figure 4."
"According to ESET, more than 1,000 users had downloaded one of the dodgy apps. Although it claimed to enable its customers to create wallets for storing their crypto, the software was actually designed to trick them into transferring coins to addresses owned by the attackers."
"(1) it can’t to do any harm to Trezor users given Trezor’s multiple security layers; (2) it is connected to a fake cryptocurrency wallet app named “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”, which is capable of scamming unsuspecting users out of money; and (3) both these apps were created based on an app template sold online."
"The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware."
"How this works is that the app pretends to generate a unique wallet address where users can transfer their coins. In reality, this address belongs to the attackers’ wallet, as only they have the private key necessary for accessing the funds. The attackers have one wallet for each supported cryptocurrency – 13 wallets altogether – and all victims with any specific targeted cryptocurrency are given the same wallet address."
"As seen in Figure 4, the server used to harvest credentials from the fake Trezor app is hosted on coinwalletinc[.]com. Looking into the domain led us to another fraudulent app, named “Coin Wallet” on its website and “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether” on Google Play. This app is described in the following section of this blogpost."
“If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere.”
"Trezor told the researchers that the fake app did not appear to pose a security threat to its users, but the company said it was concerned that the email addresses collected through the software could be used for phishing attempts in the future."
ESET "reported the fake Trezor app to Google’s security teams and reached out to Trezor about the publication of this blogpost." "Google Play has since removed the apps from its marketplace." "At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play."
A fake Trezor wallet was avaialble for download and installation through the Google Play store. If the user chose to install the wallet, it would generate a wallet that was already known to the attacker, who could then take all funds. It also harvested email addresses of users. It's unclear how much funds were lost, though the app was downloaded more than 1,000 times before being removed.
HOW COULD THIS HAVE BEEN PREVENTED?
Always check and visit the official website of a service. The majority of funds should be stored offline and not on a live wallet application. When setting up a new wallet or upgrading wallet software, never enter your pass phrase or send any funds without first transferring a smaller amount.
@Cointelegraph Twitter (Feb 25)
Trezor crypto wallet warns users of doppelgänger scam app on Google Play (Feb 25)
Fake Crypto Wallet App Imitating Trezor Found on Google Play Store (Mar 2)
Fake cryptocurrency apps crop up on Google Play as bitcoin price rises | WeLiveSecurity (Mar 2)
Reddit - Dive into anything (Mar 2)
