Two Crypto-Stealing apps on Google Play Store abused by hackers

March 17, 2020
Google Play Store cryptomalware google play mobile app malware antimalware

Cyber-security researchers have just discovered two (2) malicious crypto-stealing apps in the Google Play store that have been downloaded over 1,000 times.

The two fraudulent apps are “Trezor Mobile Wallet” and “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether,” and security researchers note that both apps share an “overlap in code and interface.”

The fake Trezor app “appeared trustworthy at first glance,” it was uploaded to Google Play on May 1st, the app mimicked the actual Trezor app with its images and descr

iption, not to mention listing the developer as “Trezor Inc.”

Fortunately, the fake Trezor app turned out to be a bust in the sense that it could not access a user’s actual Trezor wallet due to the security protocols put into place by the hardware wallet company.

However, the app was still able to collect email addresses, which could possibly be used in future phishing attempts. The “Coin Wallet” app, which was uploaded to Google Play on February 25th, purports to let users create a variety of cryptocurrency wallets, but in reality, it sends any deposited virtual currency into the wallets of the would-be thieves instead.


The two apps combined have been downloaded more than 1,000 times.


Reddit users reported the fake Trezor app a couple of weeks ago, but the two apps weren’t removed until the day after security researchers notified Google Play of their existence.

These two fake cryptocurrency apps are just the latest bit of malware to be booted from the likes of Google Play and the Microsoft Store. Back in February, researchers found a new “clipper” malware in the Google Play store called Android/Clipper.C.

The malicious “clipper” app was disguised as the popular MetaMask app for Android devices.

Android/Clipper.C would substitute the attacker’s wallet address when the user copied and pasted a wallet address to send cryptocurrency to. Researchers also found eight cryptojacking apps in the Microsoft Store earlier this year.

The eight apps were FastTube, Downloader for YouTube Videos, Battery Optimizer (Tutorials), Clean Master+ (Tutorials), VPN Browser+, Fast-search Lite, Findoo Browser 2019, and FindooE Mobile and Desktop Search.

The cryptojacking apps would launch a Google Tag Manager when started, which would then connect to a JavaScript library to start illicitly mining Monero. After security researchers notified the app stores about the presence of the malware, the malicious apps were removed.

About the author

Leave a Reply