Researchers from ESET found two malicious crypto-stealing apps in the Google Play store that have been downloaded over 1,000 times.

The two fraudulent apps are “Trezor Mobile Wallet” and “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether,” and security researchers note that both apps share an “overlap in code and interface.”

How they work

The fake Trezor app “appeared trustworthy at first glance,” according to Lukas Stefanko of ESET.

Uploaded to Google Play on May 1st, the app mimicked the actual Trezor app with its images and description, not to mention listing the developer as “Trezor Inc.”

Fortunately, the fake Trezor app turned out to be a bust in the sense that it could not access a user’s actual Trezor wallet due to the security protocols put into place by the hardware wallet company.

However, the app was still able to collect email addresses, which could possibly be used in future phishing attempts.

The “Coin Wallet” app, which was uploaded to Google Play on February 25th, purports to let users create a variety of cryptocurrency wallets, but in reality, it sends any deposited virtual currency into the wallets of the would-be thieves instead.

The two apps combined have been downloaded more than 1,000 times.

Reddit users reported the fake Trezor app a couple of weeks ago, but the two apps weren’t removed until the day after ESET notified Google Play of their existence.

More crypto malware apps

These two fake cryptocurrency apps are just the latest bit of malware to be booted from the likes of Google Play and the Microsoft Store.

Back in February, ESET researchers found a new “clipper” malware in the Google Play store called Android/Clipper.C.

The malicious “clipper” app was disguised as the popular MetaMask app for Android devices.

Android/Clipper.C would substitute the attacker’s wallet address when the user copied and pasted a wallet address to send cryptocurrency to.

Researchers at Symantec found eight cryptojacking apps in the Microsoft Store earlier this year.

The eight apps were FastTube, Downloader for YouTube Videos, Battery Optimizer (Tutorials), Clean Master+ (Tutorials), VPN Browser+, Fast-search Lite, Findoo Browser 2019, and FindooE Mobile and Desktop Search.

The cryptojacking apps would launch a Google Tag Manager when started, which would then connect to a JavaScript library to start illicitly mining Monero.

After ESET and Symantec notified the app stores about the presence of the malware, the malicious apps were removed.