Trezor Fake Google Play App

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 21:06, 24 January 2023 by Azoundria. Imported case study; source: https://www.quadrigainitiative.com/casestudy/trezorfakegoogleplayapp.php

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Trezor

A fake Trezor wallet was available for download and installation through the Google Play store. If the user chose to install the wallet, it would generate a wallet that was already known to the attacker, who could then take all of the funds. It also harvested the email addresses of users. It is unclear how much was lost, though the app was downloaded more than 1,000 times before being removed.

This is a global/international case not involving a specific country.

About Trezor

"The safe place for your coins." "Store your coins with Trezor." "Hardware wallet is the safest way to manage & trade your cryptocurrencies."

"This is not the first time that a fake app has been listed on Google Play. In May 2019, Cointelegraph reported on a malicious Google Play app imitating Trezor wallet." ESET said "We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so-called recovery seed, to access the stored cryptocurrency. Similar constraints apply to its official app, “TREZOR Manager”."

"One such [fake] app was recently spotted on Google Play by Reddit users, impersonating the popular hardware cryptocurrency wallet Trezor and using the name “Trezor Mobile Wallet”." "While the app’s page on Google Play looked legitimate, the researchers said the software itself contains no Trezor branding at all, with a generic login screen phishing for credentials."

"The app masquerading as a mobile wallet for Trezor was uploaded to Google Play on May 1, 2019 under the developer name “Trezor Inc.”, as seen in Figure 1. Overall, the app’s page on Google Play appeared trustworthy – the app name, developer name, app category, app description and images all seem legitimate at first glance. At the time of our analysis, the fake app even came up as the second result when searching for “Trezor” on Google Play, right after Trezor’s official app."

"The app was found by ESET antivirus researchers, who said that they expect more crypto scam apps to enter the Android store as the crypto market grows."

"The convincing disguise, however, begins and ends on Google Play. After installation, the icon that appears on users’ screens differs from the one seen on Google Play, which serves as a clear indicator of something fishy. The icon of the installed app has “Coin Wallet” in it, as seen in Figure 2."

"Furthermore, when users launch the app, a generic login screen is displayed, with no mention of Trezor, as seen in Figure 3. This is another indicator we are not dealing with a legitimate app. This generic screen is used to phish for login credentials – but it is unclear exactly what credentials, and what possible use they could be to attackers. Either way, whatever users enter into the fake login form is sent to the attacker’s server, as shown in Figure 4."

"According to ESET, more than 1,000 users had downloaded one of the dodgy apps. Although it claimed to enable its customers to create wallets for storing their crypto, the software was actually designed to trick them into transferring coins to addresses owned by the attackers."

"(1) it can’t do any harm to Trezor users given Trezor’s multiple security layers; (2) it is connected to a fake cryptocurrency wallet app named “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”, which is capable of scamming unsuspecting users out of money; and (3) both these apps were created based on an app template sold online."

"The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware."

"How this works is that the app pretends to generate a unique wallet address where users can transfer their coins. In reality, this address belongs to the attackers’ wallet, as only they have the private key necessary for accessing the funds. The attackers have one wallet for each supported cryptocurrency – 13 wallets altogether – and all victims with any specific targeted cryptocurrency are given the same wallet address."

"As seen in Figure 4, the server used to harvest credentials from the fake Trezor app is hosted on coinwalletinc[.]com. Looking into the domain led us to another fraudulent app, named “Coin Wallet” on its website and “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether” on Google Play. This app is described in the following section of this blogpost."

“If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere.”

"Trezor told the researchers that the fake app did not appear to pose a security threat to its users, but the company said it was concerned that the email addresses collected through the software could be used for phishing attempts in the future."

ESET "reported the fake Trezor app to Google’s security teams and reached out to Trezor about the publication of this blogpost." "Google Play has since removed the apps from its marketplace." "At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Trezor Fake Google Play App

Date | Event | Description
May 23rd, 2019 11:30:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Always check and visit the official website of a service. The majority of funds should be stored offline rather than in a live wallet application. When setting up a new wallet or upgrading wallet software, never enter your passphrase or send any funds without first transferring a smaller test amount.

References

@Cointelegraph Twitter (Feb 25)

Trezor crypto wallet warns users of doppelgänger scam app on Google Play (Feb 25)

Fake Crypto Wallet App Imitating Trezor Found on Google Play Store (Mar 2)

Fake cryptocurrency apps crop up on Google Play as bitcoin price rises | WeLiveSecurity (Mar 2)

Reddit - Dive into anything (Mar 2)