ESET also discovered 13 fake cryptocurrency wallet apps on Google Play, which were withdrawn in January.
HIGHLIGHTS
- Attackers recruited intermediaries to distribute trojanized crypto wallet apps.
- Among the wallets impersonated were Coinbase, MetaMask, and OneKey.
- Users of cryptocurrency should use caution when transferring and holding their funds.

Apps that imitate crypto wallets are being used to steal funds from victims around the world. The scheme is a sophisticated one, with malicious apps built for both Android and iOS. The apps posed as legitimate wallets such as Bitpie and OneKey and stole funds from the people who used them; Coinbase, imToken and MetaMask were also among the wallets impersonated. The trojanized crypto wallets were first spotted in May 2021 and initially targeted Chinese users. As cryptocurrency adoption grows, however, the same techniques could be turned against users anywhere, which makes them more dangerous.
Internet security company ESET says it has found malicious crypto wallet apps targeting both Android and iOS users.
ESET's research uncovered a sophisticated scheme run by an as yet unidentified group. The researchers found more than 40 websites imitating popular crypto wallets. These websites target mobile users and try to persuade them to download apps that steal their funds.
Although the first evidence suggested the campaign was aimed at Chinese users, English-speaking mobile users could also be targeted.
“Since most of the fake websites and apps they distribute are in English, they aren’t just trying to get people in China to use them,” the malware analyst at ESET told Gadgets 360, adding that it could affect anyone around the world who speaks English.
The first trace of how the trojanized wallets were distributed was found in May 2021. According to the report, the attackers used a number of Telegram groups to recruit people to help spread the malicious apps in return for a share of the proceeds.
The information the researchers found indicated that these intermediaries were offered a 50% cut of the funds stolen from each wallet, an incentive designed to recruit more people to distribute the malware.
The researchers also saw the Telegram groups being shared and promoted in several Facebook groups, again in search of additional distributors. Recruiting people to act as “middlemen” for attacks on individuals could one day widen the reach of such campaigns.
The researchers said the malicious apps impersonated legitimate crypto wallets such as imToken and Bitpie; MetaMask, TokenPocket, and OneKey were also among the wallets faked.
There are a lot of different ways that the apps work, the researchers said.
On Android, the apps targeted people who did not already use crypto and had no legitimate wallet app on their phones. The malicious wallets used the same package name as their legitimate counterparts to pass as the real thing, but they were signed with a different certificate. Because Android refuses to install a package over an existing one signed with a different certificate, these apps cannot overwrite an official wallet already on the phone.
On iOS, however, the malicious wallet apps could be installed alongside the legitimate ones. The malicious apps had to be obtained from a third-party source, while the official version could come from the App Store.
Once installed, the researchers found, the apps could steal the seed phrase that a crypto wallet generates, which is all that is needed to access the funds held in that wallet. The seed phrases were sent to the attackers’ server or to a secret Telegram group.
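The Android behaviour described above, same package name but a different signing certificate, is what keeps the trojanized wallet from replacing a genuine one. The following model of Android's signer-equality install rule is an added example, not code from ESET or from any wallet project; the package name and certificate fingerprints are constructed placeholders. It shows why the fake only succeeds on devices where the real wallet was never installed, why a genuine wallet cannot then be installed over the fake until the fake is uninstalled, and how a pinned signer fingerprint can be checked before trusting a package.

```python
"""Toy model of Android's package-signature install rule (added example).

Android identifies an app by its package name but will not install a package
over an already-installed one unless both are signed by the same signing
identity. A trojanized app that reuses the official package name under a
different certificate therefore cannot overwrite the genuine wallet; it only
"wins" on devices where the genuine wallet was never installed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Apk:
    package: str
    signer_fingerprint: str  # hex SHA-256 of the signing certificate (DER)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded signing certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class Device:
    """Minimal model of a device's installed-package table."""

    def __init__(self) -> None:
        self.installed: Dict[str, Apk] = {}

    def can_install(self, apk: Apk) -> bool:
        # Fresh install is always allowed; an install over an existing package
        # must carry the same signer, otherwise Android rejects it.
        current: Optional[Apk] = self.installed.get(apk.package)
        if current is None:
            return True
        return hmac.compare_digest(current.signer_fingerprint, apk.signer_fingerprint)

    def install(self, apk: Apk) -> bool:
        if not self.can_install(apk):
            return False
        self.installed[apk.package] = apk
        return True

    def uninstall(self, package: str) -> None:
        self.installed.pop(package, None)


# Constructed placeholder values: not a real package name or real certificates.
PKG = "com.example.wallet"
OFFICIAL_CERT = b"constructed-official-signing-cert"
ROGUE_CERT = b"constructed-rogue-signing-cert"
OFFICIAL = Apk(PKG, cert_fingerprint(OFFICIAL_CERT))
ROGUE = Apk(PKG, cert_fingerprint(ROGUE_CERT))

# A defender's pin: the signer fingerprint the official wallet is known to use.
PINNED_SIGNERS: Dict[str, str] = {PKG: OFFICIAL.signer_fingerprint}


def matches_pinned_signer(apk: Apk) -> bool:
    """True only if the package is signed by the pinned official identity."""
    expected = PINNED_SIGNERS.get(apk.package)
    return expected is not None and hmac.compare_digest(expected, apk.signer_fingerprint)


def scenario_official_first() -> bool:
    """Genuine wallet present: the trojanized package cannot overwrite it."""
    d = Device()
    d.install(OFFICIAL)
    return d.install(ROGUE)  # False: signer mismatch


def scenario_fake_first() -> Tuple[bool, bool]:
    """No wallet present: the fake installs, and then blocks the genuine one
    until the fake is uninstalled (the article's advice to remove it)."""
    d = Device()
    d.install(ROGUE)
    blocked = d.install(OFFICIAL)  # False: genuine cannot replace the fake
    d.uninstall(PKG)
    recovered = d.install(OFFICIAL)  # True once the fake is gone
    return blocked, recovered


if __name__ == "__main__":
    print("rogue over official installs:", scenario_official_first())
    print("official over rogue blocked, after uninstall ok:", scenario_fake_first())
    print("rogue matches pinned signer:", matches_pinned_signer(ROGUE))
```

The pin check is the same idea in user-space terms: if a wallet vendor publishes its signing-certificate fingerprint, a package whose signer does not match should not be trusted no matter how closely it mirrors the official package name.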

ESET researchers also found 13 fake wallet apps on the Google Play store, which were removed in January after ESET reported them. The apps imitated the legitimate Jaxx Liberty Wallet app and had been downloaded more than 1,100 times.
ESET advises users to install apps only from official sources, such as Google Play for Android and Apple’s App Store for iPhones and iPads, and to uninstall any app promptly if it turns out to be malicious. On iOS, users should also remove the configuration profile that a malicious app installed by going to Settings > General > VPN & Device Management.
Users entering the crypto world and setting up a new wallet should use only devices and apps that are known to be trustworthy before moving any of their funds.
In the report, Stefanko notes that because the attackers can see the victim’s entire transaction history, they may not take the funds right away; instead, they may wait until more coins are deposited for a bigger payoff.