- As ever, fraudulent crypto wallets are finding their way onto app stores and scamming users out of funds.
- Some crypto scam apps are repackaged after being taken down and sneak past Apple and Google's app store vetting processes.
- Before using any cryptocurrency wallet, it's imperative to verify its authenticity and reputation.
The developers labelled it "Data Not Collected" with Apple's "nutrition labels," which are meant to let users of the app store easily identify what information apps will gather about them and make decisions accordingly.
There’s just one problem: Trezor doesn’t have an app.
This app was leveraging the Trezor brand to execute one goal – steal users’ Trezor passphrases and private keys via phishing, according to analysis conducted by Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab.
The app was small and simple, consisting of three screens, but did nothing other than steal your Trezor passphrase or seed phrase.
CoinDesk learned of the existence of this scam app and sent it to O’Brien to investigate.
“The app will send any data the user enters into the ‘Key’ field to a server that is not Trezor.io when you click ‘Create My Vault’,” O’Brien reported to CoinDesk.
The fake crypto app has since been removed from the app store by Apple, but it was up for days. During that time it garnered multiple one-star reviews, with users explicitly calling it a scam. Still, it seemingly managed to avoid Apple’s app-checking process.
New bull market for crypto scammers
Over the years, a pattern has emerged: When there are booms in crypto, an increase in fraudulent apps isn’t far behind.
It’s not just an Apple problem. CoinDesk also identified multiple fake wallet apps that were stealing users’ data and keys in the Google Play store.
“There will absolutely be more scam apps (and fraud in general) during boom times,” said Richard Sanders, lead investigator and principal at CipherBlade, a blockchain investigation firm.
“The reason for this is that the boom times usher in a new wave of people that want to ride the hype train and make some money. The issue with that, as is the fundamental issue that results in the overwhelming majority of scams/hacks, is these people fail to do research on what they're investing in.”
In following the traffic of the fake Trezor app, O’Brien saw the text entered into the "Key" field by the app user being sent to the domain https://www.data-bcvault.com – a scam website hosted by Wix.com that is pretending to be “BC Vault,” another hardware wallet product.
CoinDesk has alerted Trezor, Apple, Wix and the scam site’s cloud computing provider of our findings. Wix has since disabled the site.
Google and Apple app store crypto scams galore
Beyond the Trezor clone, other fraudulent cryptocurrency wallets have taken up space on popular app stores. The constant re-packaging of these crypto scam apps into different forms, imitating different companies, means they sometimes make it past the eyes of gatekeepers.
Some of these scams, embedded like financial landmines in the app stores, are better disguised than others.
Jayden (a pseudonym) told CoinDesk he lost ADA to a fake Cardano wallet at the end of February. At the time, it had a 4.3 rating because “there were bots that were driving up the ratings, but I didn’t realize that at the time,” Jayden told CoinDesk.
By the time CoinDesk viewed the app on the store, Google Play had scrubbed the fake reviews and the app was hovering just above 1 star.
Google Play’s support has since removed the app, along with another that took its place, which CoinDesk also inquired about as part of its investigation.
Still, there are other fraudulent crypto apps on Google Play that have all the markings of fly-by-night money grabs.
The so-called Staked Wallet, which promises users staking rewards for cryptocurrencies that aren’t even proof-of-stake, is one of them. Launched last year, the app has a 1-star rating with multiple reviews calling it a scam and complaining that they can’t even open the wallet to access funds.
CoinDesk had not received a response by press time from Google regarding its vetting process for cryptocurrency apps in the Play Store.
O’Brien reviewed additional apps on the Google store purporting to be crypto wallets but similarly stealing users' keys and passphrases. Cardano wallets were one example of this, with multiple scam apps (at least five) being pushed from the same site, cardano-explorere.com.
“The website is still up and capable of scamming even in the browser via phishing, if it is not still being used embedded in apps,” said O’Brien. “It harvests for keys or passphrases via simple HTML forms and then just shows the user an error.”
Two others, com.dusttp.exwalle and com.stexosll.walle, use the same exploitative mechanism but were not the same developers as the Cardano wallets, according to O’Brien. Both scam apps were still live last week when O’Brien conducted his research.
Reddit users compile lists of these kinds of apps, sort of a grassroots investigation when nefarious apps make it past the Apple and Google gatekeepers. Users have documented fake apps for both Coinbase and Polkadot, for example.
“The main levers sought by attackers to choose an application as an attack vector are most of the time: brand reputation, app or topic popularity,” said Esther Onfroy, co-founder of Defensive Lab Agency and founder of Exodus Privacy.
Apps like those imitating Trezor, in the midst of the crypto boom, hit all those checkmarks.
To avoid scam apps, don’t trust, verify
One argument drummed up against decentralized or open marketplaces for software zeroes in on their inherent lack of quality control. If there are no centralized gatekeepers to keep out dangerous software, the argument goes, then everything (and anything) is made readily available. The risk of downloading something malicious is high; but then, that risk is also, presumably, better understood and expected.
On the other hand, in spite of their gatekeeping features, centralized marketplaces still suffer from the same problems as evidenced in this article: Those undesirable apps can still slip through and go unnoticed until something catches the eye of the company running the store.
"After decades, phishing is still a powerful method of attacking users because it preys upon their notions of trust,” said O’Brien. “These apps employ phishing via wallet apps, building trust by penetrating the smartphone software supply chain. Consumers do not expect an app from the iOS or Google app stores to grab their credentials and run off with them, though the increasing presence of these apps makes it clear that there is a persistent threat where cryptocurrency is concerned."
What trusting app users need to understand is those wallets that made it through Google’s screening process aren’t necessarily legitimate. It’s still a best practice not to blindly trust wallet software, even if it makes it onto an app store.
“Google is reactive and Apple is proactive, so scams on Google only get taken down if they get big and Google notices,” Dustin Dettmer, a software developer who has published apps on both stores, told CoinDesk.
Sanders said the dynamic for how apps are vetted is a bit complicated and depends on whether it is Apple or Google. Sometimes the apps are legitimate companies that get compromised and sometimes it is just a failure of diligence on the part of Apple or Google. Sanders noted scam apps seem far more common on Google.
“It's inexcusable that this has been a known issue for years with billion-dollar companies failing to take any tangible step on it,” said Sanders.
“This is day-trader level knowledge stuff: The freshly registered Google account that submits an advert for a Metamask website (lookalike) is not legit. This is baseline, entry-level, minimal-experience diligence these companies should be doing. It is rare I call out a company as part of the problem for cryptocurrency losses, which should be a strong indicator of how serious of an issue it is.”
"Given the tangible damage that imposter wallet apps can do, they should be subject to serious scrutiny,” said O’Brien. “App marketplaces would be a better place if wallets and other financial apps were put under the microscope, so to speak, before publishing in an app store.”
Onfroy, of the Defense Lab Agency, developed a product to address issues like this.
Called ScatterScam, it allows editors to submit their applications and, once they do so, ScatterScam computes and stores the fingerprint of each official application.
“ScatterScam continuously scans numerous application markets and websites (Google Play, F-Droid and many other alternative stores) and compares each available application against trusted Fingerprints,” said Onfrey. “The application editor is notified as soon as a fake version of its application has been detected.”
Once they’re notified, developers can get insights into the behavior of the counterfeit versions to know the risks its business and users face, alert its user community, and ask for a takedown.
When asked whether Google could be doing more to police fraudulent crypto apps in the Google Play Store, Onfroy said that “for sure Google could do more but it does not and could even use the same technical methods that ScatterScam does.”
Tech and security, not price predictions
Sanders, who investigates cases of fraud and scams like these, said the key disconnect he sees is that people invest money, but not time. In any other market, it'd be inherently expected to invest time into what you're considering investing in.
“The irony is that it requires more time investment with cryptocurrency (due to the heightened risk of theft, due to the loss of centralized protections etc.) than it would require time investment in, say, precious metals or stocks – and I've observed people often invest less time into researching digital assets,” he said.
“Consumers should use the same level of caution they would in a large purchase,” O’Brien added. “Installing and trusting an app too quickly could be disastrous if your coins end up in the hands of criminals.”
The "2021 Crypto Crime Report" from Chainalysis, a prominent blockchain analytics firm, found that while scams remain the highest-grossing form of cryptocurrency-based crime, “total scam revenue fell drastically in 2020, from roughly $9 billion to just under $2.7 billion.”
But the report found the number of individual payments sent to scam addresses rose by about 2.3 million, which suggests the actual number of victims “rose by more than 48%” even as scam revenue fell overall.
The report attributes this counterintuitive shift to there being “no large-scale Ponzi schemes like those we saw in 2019," such as PlusToken, an East Asian Ponzi that stole billions in Bitcoin and other cryptocurrencies.
But it does show that more people are falling for scams than in previous years.
There are simple steps people can take to avoid scam apps, but the first, according to Sanders, is to slow down. (Of course, this advice could be applied generally before wading into the world of cryptocurrencies.)
He said people should check how many reviews/downloads the app has, as well as who authored and/or published it.
Echoing the scam victim Jayden, Sanders said this step alone isn’t a catch-all because fake reviews are a thing.
Another pitfall to be on the lookout for are mining apps, where he commonly sees scams executed.
“I think a lot of this boils down to people wanting to get something for free, and these are often people that aren't well-educated about cryptocurrencies,” he said.
For example, a mobile phone is not going to produce results of a GPU or ASIC when it comes to mining, Sanders points out. While this doesn’t mean all phone mining is fraudulent, and there is quasi-legitimate but functionally different mining, it’s a very good reason to take a pause.
Generally, it all boils down to doing your research. Understand basic security such as two-factor authentication, what suspicious files look like, and, Sanders said, follow this guide he helped author.
“There are countless ‘influencers’ that talk about little beyond price and buzzwords, yet fail in their social responsibility to share this sort of educational stuff,” said Sanders. “Education for a newcomer should be about the tech and security, not ‘price predictions.’”
“Ultimately, if something seems too good to be true, it is.”