Fake apps and websites take more than $4.3 million from iPhone and Android users
Both iPhone and Android users need to make sure that they do not have any of the 249 fake Crypto Wallet apps mentioned by Trend Micro on their phones. These apps pretend to be legit cryptocurrency wallet apps but have led to the theft of more than $4.3 million. Emails that pretend to be from legit crypto wallet app companies are sent out to potential victims. They contain "malicious links" that lead iOS and Android users to listings for the attackers' fake apps.
Do you see the brilliance in this process? By sending victims to a page where their malware-laden apps can be installed, the attackers can avoid having to list their fake apps in the App Store or Google Play Store where they could get banned. And to get iOS and Android users who do have a legit crypto wallet app on their phone to tap on the link, these emails pretend to be from those real crypto wallet apps telling recipients that the current version of their crypto wallet app is out of date and that they must tap on the link to install the latest version.
This email tries to get the victim to click on a link to a fake website
The hackers also created fake websites designed to look like the ones used by real crypto wallet apps, with domain names slightly different from the real ones. These fake websites appear high up in search results and are another way the criminals get their victims without having to list apps in the App Store or Google Play Store. Another ploy used is to post fake links on social media sites that show fake support messages. Again, the goal is to get victims to visit a fake website.
Real crypto wallet website on the left, a fake one created by the hackers is on the right
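Domains that differ only slightly from the real ones, as described above, can be screened for before a link is opened. The sketch below is an added example, not code from Trend Micro or this article; the allowlist entries (reserved `.example` names), the confusable-character table and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata

# Assumption: placeholder allowlist; replace with the official domains of the wallets in use.
OFFICIAL_DOMAINS = {"wallet.example", "tokenvault.example"}

# Assumption: a small table of common look-alike substitutions, not an exhaustive one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Fold a domain to a comparison form: lowercase, strip accents, collapse confusables."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_distance=2):
    """Return (verdict, matched official domain), verdict being official, lookalike or unrelated."""
    d = domain.lower().rstrip(".")
    # Exact matches and true subdomains of an allowlisted domain are official.
    for real in sorted(OFFICIAL_DOMAINS):
        if d == real or d.endswith("." + real):
            return "official", real
    folded = skeleton(d)
    for real in sorted(OFFICIAL_DOMAINS):
        target = skeleton(real)
        # Official name embedded in another host, or within a few edits after folding.
        if target in folded or edit_distance(folded, target) <= max_distance:
            return "lookalike", real
    return "unrelated", None

if __name__ == "__main__":
    # Constructed sample hostnames, not indicators from the Trend Micro report.
    for host in ("wallet.example", "wa11et.example", "walet.example",
                 "wallet.example.update.test", "news.test"):
        print(host, classify(host))
```

A "lookalike" verdict is a reason to stop and type the wallet's known address by hand; an "unrelated" verdict says nothing about whether the site is safe.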
The Trend Micro Threat Research team found 249 fake crypto wallet apps including imToken, Bitpie, MetaMask, Trust Wallet, and TokenPocket. The apps were found on phones used by victims in the United States, France, Germany, Australia, New Zealand, and Japan.
The fake apps and fake websites steal victims' mnemonic phrases. These phrases are a series of unrelated words, usually 12 to 24 words in length, that are generated when a crypto wallet app is created. The mnemonic phrases are used to recover a user's cryptocurrency if a wallet is lost or damaged. But once a mnemonic phrase is typed into one of the fake websites or apps, it goes straight to the hackers.
When the mnemonic phrase is stolen, the hacker will transfer the victim's cryptocurrency to multiple disposable wallets. Trend Micro's Threat Research team discovered that $4.3 million passed through one of the disposable wallets. Since most hackers have multiple wallets that are used in these endeavors, we can assume that more than $4.3 million has been stolen.
So what can you do to avoid becoming a victim of this scam? Trend Micro makes the following suggestions:
- Only download apps from the Google Play Store and the Apple App Store.
- If you observe any suspicious behavior when updating a crypto wallet app, immediately terminate the update and uninstall the app.
- To confirm the legitimacy of a crypto wallet app, the first time you transfer money, send only a small amount.