It’s commonplace now to regularly visit Google Play or Apple’s App Store and download new apps for some use or another. There’s an app for everything, after all. This is also true for the cryptoverse, where cryptocurrency apps or dApps have flourished in number over the past year as the bull market has started its run. There are so many that it’s hard to keep up with what’s going on. The sheer speed of development in the crypto app space also makes it a prime target for scammers, who continue to exploit the trust that mobile phone users place in ubiquitous app marketplaces like Apple’s App Store and Google Play. Here’s what to watch out for, along with our tips for avoiding scam wallets.
Fake Trezor App
The fake Trezor app story came to light when it hit the news that one unfortunate guy had lost 17.1 Bitcoin when he went to Apple’s App Store and downloaded what he thought was the app for the popular Trezor Hardware Wallet. The app was a fake set up to perpetrate a phishing attack. Phishing is well known in the world of email, where internet users are well-schooled in not clicking on links in emails that are unsolicited or come from a foreign source. It’s the 21st century version of mama telling you never to speak to strangers.
In the world of crypto, apps are a common medium for phishing attacks designed to get the user to input the private keys and seed phrase that are used to secure access to coins on the blockchain.
In this case, as soon as the unsuspecting Trezor hard wallet user entered his private keys to set up the fake Trezor wallet app, his Bitcoin was gone forever. Apparently, criminal app developer is now a job title. The fake app displayed hundreds of 5-star ratings, which added to its appearance of legitimacy, and even linked to the actual Trezor website.
It’s reported that as many as 8 fake Trezor apps have appeared on the Google Play store from time to time.
Fake SafePal App
Fake app scams seem to keep popping up like pimples on the proverbial crypto butt, probably because they’re pretty successful at duping crypto users out of their precious coins. Earlier this year SafePal, a crypto wallet developer, was warning customers on Twitter of a fake SafePal wallet app on Google Play. There was no way of distinguishing from the icon alone which was the fake and which was the genuine SafePal app.
If these types of scams are commonplace, the question becomes one of whether app marketplaces are as closely curated and scrutinised as companies like Apple and Google might claim, especially when some of the icons look suspiciously similar to the real deal. Apparently, the apps are put forward and pass through app marketplace review processes, and are then morphed by developers into fake crypto wallets that impersonate real brands.
Electrum wallet phishing attack
In 2018 a hacker famously targeted Electrum wallet in a cleverly designed phishing attack. The story goes that the hacker created a fake message and sent it to all Electrum Wallet users, prompting them to perform a security upgrade for the app. The message was disguised with a GitHub site URL, which made it all appear legitimate. The real purpose of the upgrade was to install a client that collected the user’s private keys so the hacker could steal their crypto. The hacker reportedly stole 243 BTC, which in 2018 was worth around $1M but in today’s dollars is more like $8.5M.
These are just some of the many examples of fake crypto wallets that keep popping up in app marketplaces. This Reddit forum, organised to get the word out about crypto wallet app scams, reports fake Exodus wallets, Cardano wallets and Trust Wallets, so user beware.
How to avoid being scammed by fake crypto wallet apps
With app marketplaces unlikely to take on more responsibility for policing the growing number of fake crypto apps in their stores, the onus is on you to protect yourself from crypto app phishing attacks. Here are some things you should do before downloading ANY crypto app from Apple’s App Store or Google Play:
- Google the name of the app with the words ‘scam’, ‘phishing’, ‘fake’ or ‘hack’ after it. See what people are saying. Get onto Reddit and do the same thing.
- Don’t search for the app in the app store. Go to the developer’s website and click through to the app from there. Pay attention to the developer’s website address!
- Don’t trust the 5-star review ratings in the app store. Bots can be used to manufacture fake 5-star reviews. Click on the reviews and see what they say.
- Check the app developer – does this align with the developer’s website? Google the developer’s name. Cross check it.
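The website-address and click-through checks in the list above can be partly automated. The Python below is an added example, not part of the original article: the domain `wallet.example`, the app IDs and the function names are constructed placeholders, and it assumes you already know the developer's real domain from a trusted source.

```python
from urllib.parse import urlsplit, parse_qs

# The two marketplaces named in the article.
STORE_HOSTS = {"play.google.com", "apps.apple.com"}

def check_site(url, official_domain):
    """Return reasons a 'developer website' URL looks wrong (empty list = OK)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    # Punycode or raw non-ASCII labels can hide look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised hostname, possible look-alike")
    # Exact match or true subdomain only; 'official.evil.example' must fail.
    if host != official_domain and not host.endswith("." + official_domain):
        problems.append(f"host {host!r} is not under {official_domain!r}")
    return problems

def store_app_id(url):
    """Return (store_host, app_id) for a real marketplace link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in STORE_HOSTS:
        return None
    if host == "play.google.com":
        ids = parse_qs(parts.query).get("id", [])
        return (host, ids[0]) if len(ids) == 1 else None
    # App Store listing paths end in a segment of the form id<digits>.
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return (host, last) if last.startswith("id") and last[2:].isdigit() else None

def verify_listing(site_url, official_domain, store_url, expected_id):
    """expected_id: the ID in the store link on the developer's own site."""
    problems = check_site(site_url, official_domain)
    found = store_app_id(store_url)
    if found is None:
        problems.append("link is not an App Store or Google Play listing")
    elif found[1] != expected_id:
        problems.append(f"listing {found[1]!r} is not the expected {expected_id!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample: a look-alike site linking to a different listing.
    print(verify_listing("https://wallet.example.evil.example/get", "wallet.example",
          "https://play.google.com/store/apps/details?id=com.evil.wallet",
          "com.example.wallet"))
```

A matching listing ID only shows that a link points at the same store entry the developer's site links to; the developer name shown on that listing should still be cross-checked by hand.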
There are some other simple strategies that you can use to protect against total loss if you are the unfortunate victim of a crypto scam. Not putting all of your coins in one wallet and keeping your crypto fortune on a hardware wallet air-gapped from the internet are two of these strategies.
This doesn’t mean that you can’t put that crypto to work – Exodus wallet and Trezor have a new partnership that allows users of the Exodus mobile crypto wallet to securely stake coins from cold storage. We expect these types of offerings to increase as the cryptoverse fights back against damaging scams and hacks that cost the crypto community millions and can turn the victims off crypto for a lifetime.