Discovering Fake Trezor, MetaMask, and MyCrypto Android APKs

These fake apps will get you if you're not careful. Always verify an app through a trusted source before you install it.

There are a lot of different ways you can lose your cryptocurrency, even if you think you are being super safe with your secrets. Today we’ll dive into a few malicious APKs in the Android ecosystem that are targeting cryptocurrency users.

For each of these APKs, I used the jadx decompiler to see what the code is doing.

A fake Trezor wallet — com.trezorwalletinc.cryptocurrency

Phishfort notified me of a fake Trezor app in the Google Play Store. We decided to investigate.

The Google Play Store product page

I wanted to see if the app was Trezor-branded throughout, so I downloaded the app using BlueStacks 4 and gave it a whirl.

Surprisingly, the splash screen is branded differently, but the icon is still branded as “Trezor Wallet.”

The splash screen on the left and the home screen on the right after signing up with an email and password.

This piqued my interest, as they are using the Trezor branding to get downloads but are offering a completely different product, branding-wise.

I ran the APK through the HTBridge (High-Tech Bridge) mobile app scanner, and its report showed that the app contacts an external domain, coinwalletinc.com, which was registered in January 2019:

$ whois coinwalletinc.com
Domain Name: COINWALLETINC.COM
Registry Domain ID: 2355647446_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2019-01-26T12:53:03Z
Creation Date: 2019-01-26T12:51:09Z
Registry Expiry Date: 2020-01-26T12:51:09Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-05-09T15:45:34Z <<<

I used a file manager to transfer the APK to my other machine and unpack it. Using the jadx decompiler and a few analysis tools, here is what we found:

Since you need to use the app with an email and password, which suggests the wallet is custodial, I decided to look into sources/com/wallet/cryptocurrency/ActivityPackage/LoginActivity.java and I noticed a couple of things…

When you try to log in, it sends a request to coinwalletinc.com/nf5/index.php, which returns a particularly unprofessional default JSON response:

They are also exposing their error_log, which is handy for gathering intelligence: we know they store data in a MySQL database and talk to it through the PHP mysqli API. We can also guess that the earliest hit was 2019-02-01.

Anyway, once it authenticates you, it populates some strings in the app with your wallet balances, email, and name.

Throughout the code, in multiple files, it looks like they forgot to change some of the StringRequest parameters: the URL is still a placeholder. For example:

See line reference 209

Pretty bizarre — surely this wouldn’t even pass UAT.
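Placeholder endpoints like this are easy to find mechanically across a whole jadx output tree instead of file by file. The script below is an added example written for this write-up, not code from the original post or from the app: it walks the decompiled sources, extracts the URL argument of every Volley StringRequest constructor (a string literal, or a static final String constant declared in the same file), and flags endpoints that are still placeholders or that use cleartext HTTP. The two Java snippets embedded in it are constructed for the example: the login URL is the one from this post, while the class layout, the identifier names and the placeholder URL are assumptions.

```python
"""Find Volley StringRequest endpoints in jadx-decompiled sources.

Added example, not code from the original post or from the app. It walks a
jadx output tree, pulls the URL out of every `new StringRequest(...)` (a
string literal, or a `static final String` constant declared in the same
file) and flags placeholder or cleartext-HTTP endpoints. The two Java files
below are constructed: the login URL is from the post, the rest is assumed.
"""
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlparse

SAMPLE_JAVA: Dict[str, str] = {
    "com/wallet/cryptocurrency/ActivityPackage/LoginActivity.java": '''
public class LoginActivity extends AppCompatActivity {
    private static final String LOGIN_URL = "https://coinwalletinc.com/nf5/index.php";
    void login() {
        StringRequest req = new StringRequest(1, LOGIN_URL, listener, errorListener);
        queue.add(req);
    }
}
''',
    "com/wallet/cryptocurrency/FragmentPackage/BalanceFragment.java": '''
public class BalanceFragment extends Fragment {
    void refresh() {
        // constructed: a template URL the developer never replaced
        StringRequest req = new StringRequest(0, "http://www.example.com/api", listener, errorListener);
    }
}
''',
}

CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# Volley has StringRequest(int method, String url, ...) and StringRequest(String url, ...):
# the optional group skips a leading method argument, then the URL is a literal or an identifier.
REQ_RE = re.compile(
    r'new\s+StringRequest\s*\(\s*(?:(?:\d+|Request\.Method\.\w+)\s*,\s*)?'
    r'(?:"(?P<lit>[^"]*)"|(?P<ident>\w+))'
)
PLACEHOLDER_HOSTS = {"example.com", "www.example.com", "localhost", "127.0.0.1", "10.0.2.2"}


class Finding(NamedTuple):
    file: str
    url: Optional[str]   # None when the URL could not be resolved statically
    source: str          # "literal", "const NAME" or "unresolved NAME"
    kind: str            # "https", "cleartext", "placeholder" or "unknown"


def classify(url: str) -> str:
    """Placeholder if it is not a real http(s) URL or points at a stock host."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname or p.hostname in PLACEHOLDER_HOSTS:
        return "placeholder"
    return "cleartext" if p.scheme == "http" else "https"


def scan_source(rel_path: str, text: str) -> List[Finding]:
    """Resolve every StringRequest URL in one decompiled Java file."""
    consts = dict(CONST_RE.findall(text))
    out: List[Finding] = []
    for m in REQ_RE.finditer(text):
        if m.group("lit") is not None:
            url, source = m.group("lit"), "literal"
        elif m.group("ident") in consts:
            url, source = consts[m.group("ident")], f"const {m.group('ident')}"
        else:
            out.append(Finding(rel_path, None, f"unresolved {m.group('ident')}", "unknown"))
            continue
        out.append(Finding(rel_path, url, source, classify(url)))
    return out


def scan_tree(root: str) -> List[Finding]:
    """Walk a jadx output directory (e.g. `jadx -d out app.apk`) and scan every .java file."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".java"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return sorted(out, key=lambda f: (f.file, f.source))


def write_sample_tree() -> str:
    """Materialise the constructed sample sources in a temp directory."""
    root = tempfile.mkdtemp(prefix="jadx_out_")
    for rel, src in SAMPLE_JAVA.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


def demo() -> List[Finding]:
    findings = scan_tree(write_sample_tree())
    for f in findings:
        print(f"{f.kind:<11} {f.file}: {f.url} ({f.source})")
    return findings


if __name__ == "__main__":
    demo()
```

Point scan_tree at the real jadx output directory and the "placeholder" and "cleartext" rows are the ones worth opening in the decompiler first; the "unknown" rows are URLs assembled at runtime or pulled from another class, which the single-file constant lookup deliberately does not chase.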

Anyway, I look to my receiving BTC address because “I want to start using this as a wallet because it has a really nice UI” …

It looks like the receiving address is hard-coded in the application; the same string is both displayed on screen and copied to the clipboard.

Notice the seciliKod parameter: 1Lsj9BGpB3Nv15id9FWP71SRKKUFJPepfP0

In fact, there is a method stub to create an address for the user, but it is only a stub.

The method stub for creating a user address

I created an account, grabbed a list of receiving addresses, uninstalled the app, reinstalled the app, created a fresh account, and grabbed a list of the receiving addresses. (The tickers are not a typo on my part; that is how the app shows them. Most of the addresses are invalid for their given ticker.)

BTC - 1Lsj9BGpB3Nv15id9FWP71SRKKUFJPepfP0
DOGE - 17jAe7hTZgNixT4MPZVGZD7fGKQpD9mppi
ETH - DGf6dT2rd9evb4d6X9mzjd9uaFoyywjfrm
BCH - Lg64xV4Mw41bV3pTKc5ooBJ4QZ81gHUuJ6
DASH - qq9cjckr3r9wl5x4f3xcfshpcj72jcqk9uu2qa7ja2
ZEC - Xu6mkZNFxSGYFcDUEVWtUEcoMnfoGryAjS
LTC - 0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C
XRP - t1JKPTwHJcj6e5BDqLp5KayaXLWdMs6pKZo
USDT - raPXPSnw61Cbn2NWky39CrCL1AZC2dg6Am
XLM - 0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C
TRX - GDZ2AT7TU6N3LTMHUIX6J2DZHUDBU74X65ASOWEZUQGP7JMQ237KDBUX
ADA - TAm4fPA6yTQvaAjKs2zFqztfDPmnNzJqi2
NEO - DdzFFzCqrhswWLJMdNPJK8EL2d5JdN8cSU1hbgStPhxDqLspXGRRgWkyknbw45KDvT2EJJhoPXuj2Vdsj6V6WWM5JABoZ4UhR7vnRopn

Since I cannot find these strings hardcoded (except the BTC one mentioned earlier), I decided to revisit the SignupFragment.java file to see where it’s getting the addresses.
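The ticker mismatches in that list can be checked mechanically rather than by eye. The script below is an added example written for this write-up, not code from the original post or from the app: it implements Base58Check decoding (the double-SHA256 checksum behind BTC, DOGE, LTC, DASH, ZEC, TRX and NEO addresses and, with a different alphabet, XRP), recognises EVM hex, CashAddr and Stellar strings by shape, and compares what each string structurally is against the format its ticker should use. The version-byte and expected-format tables are assumptions about mainnet conventions made for the example, and the Cardano label is a prefix heuristic rather than a checksum check. As printed on this page, the "BTC" string ends in a 0, which is not in the Base58 alphabet, so it is rejected before any checksum is tried; the two 0x strings are Ethereum-style hex, the "DASH" string is a CashAddr, and the "TRX" string is a Stellar public key.

```python
"""Structural validation of the receiving addresses the fake wallet displayed.

Added example; not code from the original post or from the app. Implements
Base58Check (double-SHA256 checksum) in the Bitcoin and Ripple alphabets,
detects EVM hex, CashAddr and Stellar strings by shape, and checks each
address in the app's list against the format its ticker should have.
VERSION_BYTES and EXPECTED are assumed mainnet conventions; "cardano-byron"
is a prefix heuristic, not a checksum verification.
"""
import hashlib
import re
from typing import List, NamedTuple, Tuple

BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XRP_ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str, alphabet: str = BTC_ALPHABET) -> bytes:
    """Base58 -> bytes; raises ValueError on any character outside the alphabet."""
    n = 0
    for c in s:
        if c not in alphabet:
            raise ValueError(f"{c!r} is not a Base58 character")
        n = n * 58 + alphabet.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(s) - len(s.lstrip(alphabet[0]))  # each leading '1' (or 'r') is one zero byte
    return b"\x00" * zeros + body


def b58encode(data: bytes, alphabet: str = BTC_ALPHABET) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = alphabet[r] + out
    return alphabet[0] * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_decode(s: str, alphabet: str = BTC_ALPHABET) -> bytes:
    """Return version+payload if the trailing 4-byte double-SHA256 checksum verifies."""
    raw = b58decode(s, alphabet)
    if len(raw) < 5 or sha256d(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]


def b58check_encode(version: bytes, payload: bytes, alphabet: str = BTC_ALPHABET) -> str:
    body = version + payload
    return b58encode(body + sha256d(body)[:4], alphabet)


# Mainnet version bytes (assumed for this example); a 20-byte hash follows each.
VERSION_BYTES = {
    b"\x00": "btc-p2pkh", b"\x05": "btc-p2sh", b"\x1e": "doge-p2pkh", b"\x30": "ltc-p2pkh",
    b"\x4c": "dash-p2pkh", b"\x41": "tron", b"\x17": "neo", b"\x1c\xb8": "zec-t1",
}
# Formats a mainnet address for each ticker may legitimately have (assumed for this example).
EXPECTED = {
    "BTC": {"btc-p2pkh", "btc-p2sh"}, "DOGE": {"doge-p2pkh"}, "ETH": {"evm-hex"},
    "BCH": {"cashaddr", "btc-p2pkh", "btc-p2sh"}, "DASH": {"dash-p2pkh"}, "ZEC": {"zec-t1"},
    "LTC": {"ltc-p2pkh"}, "XRP": {"xrp"}, "USDT": {"btc-p2pkh", "btc-p2sh", "evm-hex"},
    "XLM": {"stellar"}, "TRX": {"tron"}, "ADA": {"cardano-byron"}, "NEO": {"neo"},
}


def classify(addr: str) -> str:
    """Name the format an address string structurally is, or why it is not one."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "evm-hex"
    if re.fullmatch(r"[qp][qpzry9x8gf2tvdw0s3jn54khce6mua7l]{41}", addr):
        return "cashaddr"  # BCH CashAddr with the "bitcoincash:" prefix stripped
    if re.fullmatch(r"G[A-Z2-7]{55}", addr):
        return "stellar"
    try:
        b58decode(addr)
    except ValueError:
        return "not-base58"  # a '0', 'O', 'I' or 'l' in the string
    if addr.startswith("r"):
        try:
            if b58check_decode(addr, XRP_ALPHABET)[:1] == b"\x00":
                return "xrp"
        except ValueError:
            pass
    try:
        decoded = b58check_decode(addr)
    except ValueError:
        return "cardano-byron" if addr.startswith("DdzFF") else "base58-bad-checksum"
    for vlen in (2, 1):
        name = VERSION_BYTES.get(decoded[:vlen])
        if name and len(decoded) == vlen + 20:
            return name
    return "base58check-unknown-version-" + decoded[:1].hex()


class Verdict(NamedTuple):
    ticker: str
    address: str
    fmt: str
    ok: bool  # True only if fmt is one the ticker legitimately uses


def audit(listing: List[Tuple[str, str]]) -> List[Verdict]:
    return [Verdict(t, a, classify(a), classify(a) in EXPECTED.get(t, set())) for t, a in listing]


# The list exactly as the app displayed it (copied from the post above).
FAKE_WALLET_LISTING = [
    ("BTC", "1Lsj9BGpB3Nv15id9FWP71SRKKUFJPepfP0"), ("DOGE", "17jAe7hTZgNixT4MPZVGZD7fGKQpD9mppi"),
    ("ETH", "DGf6dT2rd9evb4d6X9mzjd9uaFoyywjfrm"), ("BCH", "Lg64xV4Mw41bV3pTKc5ooBJ4QZ81gHUuJ6"),
    ("DASH", "qq9cjckr3r9wl5x4f3xcfshpcj72jcqk9uu2qa7ja2"), ("ZEC", "Xu6mkZNFxSGYFcDUEVWtUEcoMnfoGryAjS"),
    ("LTC", "0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C"), ("XRP", "t1JKPTwHJcj6e5BDqLp5KayaXLWdMs6pKZo"),
    ("USDT", "raPXPSnw61Cbn2NWky39CrCL1AZC2dg6Am"), ("XLM", "0x69919d83F74adf1E6ACc3cCC66350bEA4b01E92C"),
    ("TRX", "GDZ2AT7TU6N3LTMHUIX6J2DZHUDBU74X65ASOWEZUQGP7JMQ237KDBUX"),
    ("ADA", "TAm4fPA6yTQvaAjKs2zFqztfDPmnNzJqi2"),
    ("NEO", "DdzFFzCqrhswWLJMdNPJK8EL2d5JdN8cSU1hbgStPhxDqLspXGRRgWkyknbw45KDvT2EJJhoPXuj2Vdsj6V6WWM5JABoZ4UhR7vnRopn"),
]

if __name__ == "__main__":
    for v in audit(FAKE_WALLET_LISTING):
        print(f"{'OK ' if v.ok else 'BAD'} {v.ticker:<5} {v.fmt:<28} {v.address}")
```

Run it and every one of the thirteen entries comes back BAD: each string is either not an address at all or an address whose format belongs to a chain other than the one it is labelled with. A wallet that generated addresses per account could not produce a list like this, which fits the empty address-creation stub seen earlier.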

The method that actions a signup