Fake Crypto Apps: How To Spot Them and Keep Your Assets Safe
KEY TAKEAWAYS:
— Official app stores also include fake and malicious apps designed purely to steal your crypto.
— While downloading an app from an official source may seem safe, sometimes fake apps will aim to extract your private keys or seed phrase from your smartphone.
— Exploring web3 via the Ledger ecosystem will keep you safe from threats to your web2 device. Ledger devices sign transactions offline and away from your potentially compromised smartphone.
Smartphones present tempting troves of data for hackers. They can carry everything from someone’s most personal data to crypto assets via mobile wallets. One of the most popular methods for attackers to steal user crypto funds, passwords, and other data is via fake and malicious smartphone apps.
Incredibly, most smartphone users stop using apps just 72 hours after downloading them. And unfortunately, these same users rarely uninstall the apps. This presents a significant opportunity for an attacker to deploy malicious apps to mobile app stores.
Fake Crypto Apps: How Does The Scam Work?
Well, fake crypto apps all work a little differently, but they are all after the same thing: access to your crypto wallet. Usually, there are three main ways to do this: via malware, spyware or social engineering. Let’s see how this works.
Fake Crypto Apps That Install Malware
Sometimes, a fake app may not immediately ask for your sensitive information. Instead, it may seem benign and rely on installing malware on your device. To explain, with malware a hacker can change what is shown on the screen of your web2 device, such as the smartphone you downloaded the app on. This can lead to a range of problems.
For example, malware could interfere with the native clipboard of the phone. Imagine you try to copy and paste a cryptocurrency address into a wallet app. With malware, a hacker can replace the intended wallet address with their own. As such, the unsuspecting user would send their crypto assets to the attacker’s wallet.
Alternatively, malware could change what a legitimate transaction looks like on your phone too. You think you’re initiating a transaction on a trusted platform, but instead, you’re sending funds directly to the hacker.
Fake Crypto Apps That Install Spyware
Next, hackers may use fake apps to download spyware on your smartphone. To explain, if you’re using a software wallet, your private keys are stored on your web2 device, your smartphone. This leaves your private keys vulnerable to spyware.
Using a fake app, a hacker can install surveillance software, otherwise known as spyware, to try and find either your private keys or secret recovery phrase wherever they are stored in the memory of your smartphone. If a hacker manages to extract your SRP, they have access to your entire wallet. That said, they may not strike immediately. Many hackers will wait for the opportune time to strike, draining the wallet only when it’s full of valuable assets.
Malicious Crypto Apps That Use Social Engineering
Sometimes malicious crypto apps aren’t as technically complex; they use your emotions instead. For example, a fake crypto app may pose as an official wallet app and lull you into a false sense of security. Without any hacking skills needed, the bad actor gets access to the entire contents of your wallet. But how?
Well, typically, these malicious crypto apps operate much like a phishing site. The app shows you an interface you are familiar with and prompts you to sign in with your login details. Perhaps it goes a step further, claiming that you need to input your secret recovery phrase to regain access to your account.
While these scams are less sophisticated, don’t underestimate them. Once a hacker has access to your secret recovery phrase, it doesn’t matter how they managed it. Your digital assets are theirs now!
Fake Crypto Apps: The Most Common To Watch Out For
Hackers can use malware, spyware, or social engineering in a few different ways to access your wallet. So let’s look at some of the most common ways fake apps play a part in crypto scams.
Fake Crypto Exchange Apps
One of the most common fake apps you may encounter is a fake crypto exchange app. Mostly, these malicious apps are aiming to discover your login details for the official platform. They provide you with a legitimate-looking login page and you fill in your details. When the platform doesn’t let you in immediately, you wonder why.
At this point, it’s already too late. The hacker is on the official platform, filling in your login details and draining your account. It’s an all too familiar story. This is why checking the official website of a platform is so important. Another variation of this scam involves setting up a mobile app before the official exchange launches its own. For example, crypto exchange Poloniex did not have a formal mobile exchange application until July 2018. However, before then, countless fake Poloniex mobile apps flooded the app store, with many of these hackers finding great success.
Fake Crypto Mining Apps
Another form of malicious crypto app is the kind that imitates mobile mining wallets. It’s important to note that you cannot mine cryptocurrencies from a smartphone, especially one you’re using for apps, games, and everyday uses.
Typically, these apps pretend that their users are mining cryptocurrency, allowing the app to operate in the background. In return, users receive “coins” which show in the app. But these coins aren’t worth anything. Most of the time, they aren’t even crypto coins; they are more akin to points in a game. There’s no way to withdraw funds and users don’t realise the app has an ulterior motive.
In reality, the apps are running malware or spyware on the smartphone, possibly searching for a user’s sensitive information or altering the code for other apps on the device. Other versions of malicious mining apps may just display ads to reap a small profit.
Often, it’s difficult to assess the real motives of these apps, with apps such as Bee and Pi causing controversy in the community as to whether they are truly mining coins or infecting users with malware. Either way, it’s best to steer clear of these types of apps.
Fake Wallet Apps
Finally, another common fake app is a wallet app. These are typically the type of fake apps that make solid use of social engineering. In short, they convince you to download a malicious imposter app posing as Ledger Live, MetaMask mobile, or similar. These can be some of the most dangerous fake apps to come across.
Luckily, most wallet providers make it easy for you to check the legitimacy of the app you are using. Make sure to check the official website of any wallet provider before downloading and installing any app.
What You Can Do To Mitigate Risks Of Fake Crypto Apps
The takeaway is that many applications in some of the most popular app stores can be developed and released by hackers targeting unsuspecting victims. There are several steps that users can take to mitigate such vulnerabilities:
Use a Hardware Wallet
Hardware wallets help protect you from malware and spyware that may be operating on your smartphone. By operating separately from your smartphone, Ledger devices can protect you from online threats.
To explain, Ledger devices sign transactions offline. As such, they are immune to online threats such as malware and spyware. Not only do they protect you from spyware and malware on your web2 device, but they also protect you from physical hacks. This is because they generate and store private keys on a secure element chip, the same chip used in bank cards and passports.
While hardware wallets can protect you from malware and spyware, they cannot protect you from social engineering. Thus, if you want to protect yourself from all fake crypto apps, you’ll need to pay attention to the following advice.
DYOR
The best thing you can do to keep yourself safe is to research effectively. First of all, you want to make sure whenever you download an app, you only ever use an official app store. In the same vein, you should always check that the app you are installing is the correct one. To ensure this, check the publishers of the app and its official website. An official website will always confirm the existence of a legitimate app, and will often warn you if there isn’t one.
Next, you should always check the total number of downloads. Apps with minimal downloads and reviews should be approached with caution. After that, you should read the reviews of any app you download and install. Fake apps will often be flagged by other users, either on the official app store or on third-party review platforms.
Don’t Trust, Verify
Finally, you should never blindly trust any app. Always double-check wallet addresses when sending or receiving with your hardware wallet. If something looks too good to be true, it probably is! So make sure you verify that the transaction you sign is doing what you expect it to.