Attackers are not only interested in mobile banking credentials and credit card information to get at a victim's funds, but also in cryptocurrency. Recently, I found four fake applications on the Google Play Store that tried to trick users either into handing over their credentials or by impersonating cryptocurrency wallets. These threats imitate the legitimate services NEO, Tether and MetaMask. I reported these apps to the Google security team and they were promptly removed.

Figure 1. Fake cryptocurrency apps

Functionality

These four apps fall into two categories. The first is phishing: after launch, the malicious app asks the user for his private key and wallet password. That is the case for the fake MetaMask app.

Figure 2. Fake MetaMask app

The second category is fake wallets. In this category I found three more apps created by the same attacker: NEO Wallet and Tether Wallet.

Fake cryptocurrency wallets do not create a new wallet by generating a public address and a private key. These malicious apps only display the attacker's public address, and the user never gets access to the private key, which is held by the bad guy. Once the fake app is launched, the user thinks the app has already generated a public address where he can deposit his cryptocurrency. If the user sends funds to this wallet, he cannot withdraw them because he does not own the private key. For this purpose, I created two different accounts; however, in both of them the app assigned me the same public address, including the QR code.
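A static check an analyst can run over strings pulled out of such an app (for example the decoded resources of its APK): a genuine wallet derives its address on the device from a freshly generated key, so a checksum-valid NEO or Bitcoin address baked into the package as a constant is the hallmark of the fixed-address trick described above. This is an added example, not code from the post or from the apps; the NEO (0x17) and Bitcoin P2PKH (0x00) version bytes are standard Base58Check values, the scan covers only Base58Check addresses, and any sample strings fed to it are constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base58Check version bytes: 0x17 = NEO (addresses start with 'A'),
# 0x00 = Bitcoin P2PKH (the address type Omni-layer Tether used)
VERSIONS = {0x17: "neo", 0x00: "bitcoin"}
# any run of 25-35 base58 characters is a candidate worth checksum-checking
CANDIDATE_RE = re.compile(r"\b[" + B58 + r"]{25,35}\b")


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Base58Check encode: payload || first 4 bytes of double SHA-256."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # each leading zero byte becomes a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out


def b58check_decode(s: str) -> Optional[bytes]:
    """Return the payload (version byte + hash) if the checksum verifies."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\0" * (len(s) - len(s.lstrip("1"))) + body
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None
    return data[:-4]


def find_embedded_addresses(text: str) -> Dict[str, List[str]]:
    """Return checksum-valid addresses found in text, keyed by coin type."""
    found: Dict[str, List[str]] = {name: [] for name in VERSIONS.values()}
    for tok in CANDIDATE_RE.findall(text):
        payload = b58check_decode(tok)
        # 1 version byte + 20-byte hash is the layout for both address types
        if payload and len(payload) == 21 and payload[0] in VERSIONS:
            found[VERSIONS[payload[0]]].append(tok)
    return found
```

Any hit in a wallet app's package is worth a closer look; a legitimate wallet has no reason to ship with a pre-baked deposit address, and the same address across fresh installs or accounts confirms the trick.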


Analysis

Analysis of fake cryptocurrency wallets discovered on the Google Play Store:

Disclosure of two fake wallets on the official App Store
Demonstration of the apps' functionality
Legitimate vs. fake wallets
Code analysis
How to stay safe

Conclusion

What concerns me the most is that these fake wallets were created with a drag-and-drop app builder service, with no coding knowledge required. That means that once the Bitcoin price rises and starts making front pages, literally anyone can "develop" a simple but effective malicious app, either to steal credentials or to impersonate a cryptocurrency wallet.

References

More information can be found in my cryptocurrency research, Crypto currency scams on Android.

IoC

Package name                                  Hash
com.appybuilder.granvillee36.usdt             94685A6459C722BFF75189B9BC710A50
com.appybuilder.granvillee36.neotracker       BBE0CE5159B96076A639EEFA055D147F
com.appybuilder.hanykhaled459.neotracker      CFF4348CE04396B76D7ADD2070E6E79E