Apr 23, 2021

Trust No One: The Scammy World Of Crypto Apps

You thought fraudulent crypto websites were bad? Well, fake crypto apps are much worse. Find out all the sneaky ways you can lose your money to an innocent-looking app.

We cannot imagine a world without apps. They are omnipresent life hacks designed to make our day a tiny bit easier. They are easy to use and always at our fingertips. We bestow extreme trust upon them, giving them permissions and data access no website ever gets. This trust rests on user reviews and app store vetting. It makes our lives easier, but it also gives us unprecedented exposure to criminals looking to steal our funds. So what can go wrong and how can we protect ourselves?

Stealing money and login credentials

The single biggest point of failure in the above-mentioned trust chain is app store vetting. There were and are numerous cases of scammy apps making it into the Apple and, especially, the Google app stores. This is acutely painful, as we and our phones are conditioned to unconditionally trust the official app stores. Fraudulent apps cover all possible crypto areas, from wallets to exchanges. They use bots to boost their reviews and crowd out the one-star ones they are getting from prior victims. They want to get your private keys, seed phrases, exchange login data, or your crypto outright.

Protecting yourself is by no means easy. To make sure you're downloading a legit app, you need to establish your own chain of trust. Start from a social media profile or website with unquestioned integrity. A verified Twitter profile is often a good start, or the website for the biggest players. Then follow links until you find one to the official app. Even then, make sure to verify the number of app downloads and the reviews. If any of these is implausible, it should set off an alarm in your head. Setting up two-factor authentication for your exchanges and wallets always makes any such scam much, much harder.

Infecting your device with malware

A few months ago the crypto world was rocked by news of the ElectroRAT malware attack. It was an elaborate network of Windows, macOS and Linux apps, written from scratch with the intent of stealing sensitive data from your computer. It was especially nasty, as the apps really worked, leaving users oblivious to their hidden purpose. The apps did not borrow any code from known malware, flying under the radar of antivirus software for more than a year.

The same issue may happen now, both with laptop and mobile apps. The tricky part is that such a malware attack can come from any app. Avoiding it is non-trivial. A possible solution would involve using legit apps only from major companies. A large corporation has too much to lose to consciously inject malware into its products. As much as it pains us to say this, trusting an app from a crypto startup might be the risky play.

The fake MetaMask

This one is now dormant, but it was especially insidious and highlights a different trust trap. MetaMask is the most popular crypto wallet, a de facto market standard. It is most often used as a laptop browser extension, though the mobile version is gaining popularity. For a period of time, users googling "Metamask" saw this:

Google search for Metamask with fraudulent ad on top

The fraudulent Google Ads links led to fake MetaMask websites whose URL was a modified version of the original. If a user imported their credentials from an already existing MetaMask wallet, the phishing website stole their data and emptied their crypto account.

Fraudulent MetaMask phishing website

The Google Ads link looked suspicious. But how often do we just click on the top search result with little or no inspection? Such an inconspicuous mistake might have grave financial consequences. The easy solution is to verify any URL you find against third-party sources. Googling "what is the metamask website" would have saved many people a lot of money.

As you see, criminal ingenuity has few limits. Limited trust and attention to detail are essential to avoid their traps. Regrettably, our task is not made easier by glitches in legitimate crypto apps. One such example is Polkawallet, which was for a long period one of the wallets endorsed by Polkadot. If you look at its Google Play reviews, you will see numerous users who allegedly lost money using it. The inadequacy of legitimate solutions serves only to obfuscate the app landscape and make finding trust harder. Such are the travails of people exploring new and rising markets.