Lukas Stefanko, a researcher on mobile security and privacy matters, unearthed multiple fake phishing apps that dealt with cryptocurrency on our favorite, Google PlayStore.
The uncovered phishing apps posed as cryptocurrency wallets for NEO, Tether and for accessing Ethereum (ETH), MetaMask. They were designed to phish users’ mobile banking credentials and credit card information.
Though now removed from PlayStore, these apps when installed and launched requested the user’s private key and wallet password.
The below given apps were fake wallets:
While the fourth was a malicious app that after launch, requests from the user their private key and wallet password.
The wallets worked in a way that the attacker’s public address is shown to the victim without user’s access to private key. The key is with the phisher. The user deposits funds into the address of the phisher but can’t withdraw the funds because the key is not with them.
With modern-day app building softwares, no necessary coding requirements are needed. Anyone, with any intent, can make apps that could disrupt thousands of lives. Like the above shown apps that had thousands of combined downloads
‘What concerns me the most is that these fake wallets were created using Drag-n-Drop app builder service without any coding knowledge required. That means that – once Bitcoin price rises and starts to make it into front pages – than literally anyone can “develop” simple but effective malicious app either to steal credentials or impersonate cryptocurrency wallet.’ Luke Stefanko
A stark reminder that evil can’t be stopped altogether, it can only be kept at bay.