Google moved quickly to kick three fake bitcoin wallet apps from its Google Play marketplace earlier this month after researchers at mobile security firm Lookout discovered them.
The apps posed as legitimate bitcoin wallets but were fake. They were designed to trick sellers into providing the attacker’s bitcoin address (not the legitimate seller’s) to buyers so payments would go to the attacker, according to researchers.
Collectively the three apps were downloaded 20,000 times by users. The apps were identified as “Bitcoin mining”, “Blockchain Bitcoin Wallet – Fingerprint” and “Fast Bitcoin Wallet.”
Each of the apps had been on the app store for several months before Google removed them. Fast Bitcoin Wallet had been on Google Play the longest, available since June and downloaded 5,000 times. The Blockchain Bitcoin Wallet – Fingerprint app was the most popular, downloaded 10,000 times.
Lookout said that criminals are exploiting increased interest in the cryptocurrency. The value of bitcoin has jumped 1,900 percent over the last 12 months, according to Coinbase. On Thursday, one bitcoin was worth $16,100, up from $8,100 the previous month.
“Bitcoin values have soared in the last few weeks, with record highs of over $18,000. Of course, this means attackers want in on the action,” Lookout said.
The ejection comes a week after Apple removed a knockoff version of the popular MyEtherWallet.com app from the iOS App Store. A report from TechCrunch estimated the fake app was downloaded 3,000 times.
Google removed the apps promptly after Lookout researchers notified the company, researchers said. Lookout has dubbed these types of bitcoin-stealing programs “PickBitPocket” apps.
A cursory review of third-party Android app stores revealed these apps are still available for download.
Each of the apps worked the same way. Each preys on people who sell goods or services and accept bitcoin payments.
“The seller provides a bitcoin address to the buyer for the payment. If the seller is using a PickBitPocket wallet app, he will instead send the attacker’s bitcoin address to the buyer, in effect routing the bitcoin payment to the attacker,” Lookout describes.
Based on an analysis of the apps, the three share one common author, said Christoph Hebeisen, manager of security research and response at Lookout, in an interview with Threatpost.
He added that these types of wallet apps are extremely hard to identify as malicious.
“These apps don’t do any of the technical things that Google would identify as malicious. They don’t exfiltrate personal information or contact malicious servers. All they do is tell a user who owes them money what their bitcoin address is. From a technical level this doesn’t look like a malicious act at all.”
This past year Google has made strides to shore up the Android ecosystem, from the Google Play marketplace to devices themselves.
In May, Google introduced Play Protect, a new security feature that maintains some oversight on content downloaded to Android devices. For example, previously downloaded apps can be continually scanned for malicious behaviors as a counter to developers who push benign apps to Google Play that later connect and download malicious components.
Despite gains, reports of malware making it into Google’s marketplace continue.
Earlier this month the Google Play Protect team pulled spyware called Tizi found in apps inside the Google Play marketplace. In November, Google removed a phony adware-laced WhatsApp download from Google Play that was downloaded more than one million times. In August, three messaging apps in the Google Play store that contained spyware called SonicSpy were also removed.
“As bitcoin captures broader interest, this means more people may be purchasing the cryptocurrency, or looking for mobile wallets to store their coins. Individuals should be vigilant in choosing a secure wallet,” Lookout said.