In spite of market volatility, crypto wallet adoption has exploded as new cryptocurrencies, NFTs and tokens are launched. Fraud and attacks on crypto wallet apps have also gone up, so in this blog we’ll discuss the top 5 attacks aimed at crypto wallet apps and how to solve them.
Yep, Crypto Wallets Get Hacked
Here’s an example of how a crypto wallet security vulnerability can turn into real user pain and loss. Say a user downloads a Trojan app onto their device. Once installed, the Trojan app steals $600,000 worth of Bitcoin from the wallet app. Ouch! This very thing is what the Android Trojan called “Sharkbot” does. Sharkbot initiates money transfers from crypto and banking apps on compromised devices, bypassing verification systems. Adding insult to injury, the malware also prevents users from deleting it.
In addition to using malware, hackers often try to exploit the interfaces that connect the crypto wallet to the backend service supporting the app. A white hat hacker who probed the security of 30 apps from large global financial institutions and cryptocurrency companies found that 99% of the mobile apps the researchers reverse engineered contained hardcoded API keys and tokens, such as usernames and passwords to third-party services.
Why Crypto Wallet Security and Fraud Prevention
If you make a cryptocurrency wallet, you may have fraud detection tools. See the video below for why fraud prevention is so important in crypto.
Welcome to the first episode of Industry Security Knowledge! Visit https://www.appdome.com to learn more on how to secure your apps and protect from fraud.
Top 5 Attacks Aimed at Crypto Wallet Apps
Here are the top 5 attacks aimed at crypto wallet apps and how you can use Appdome to solve them. See the video for a summary.
Welcome to episode 2 of Industry Security Knowledge! We walk you through the top attacks aimed at Crypto Wallets and how to protect against them. For further information, visit https://www.appdome.com/blog/top-5-attacks-aimed-at-crypto-wallet-apps-and-how-to-solve-them/
1. Stealing the Locally Stored Passphrase or Private Key used by Crypto Wallet Apps
There are a lot of user tradeoffs between custodial and non-custodial crypto wallet apps. You might want greater control over your passwords or passphrase, or the convenience of resetting your passwords or passphrase via the custodial provider. From a cyber security perspective, the risk inherent in the choice between custodial and non-custodial wallet apps is the same: where are the passphrase or keys stored, and do other applications on the mobile device have (or can they get) access to these keys, passwords or passphrases? Unencrypted data in the application sandbox or SD card, in preference areas like NSUserDefaults, or in external areas such as the clipboard gives hackers the ability to harvest that data for their own malicious purposes. To resolve this, we typically recommend application-level encryption as a way of protecting locally stored data no matter where the data resides, i.e., internal to the app itself, in preference areas, or in clipboards.
2. Harvesting Passphrase or Private Key Dynamically
Another way to steal passphrases and crypto wallet keys is to do so dynamically, as the user enters the values into the crypto wallet app. From a hacking perspective, there are three ways of achieving this: (1) an “over-the-shoulder attack”, which basically involves sitting next to the user and literally watching them enter the passphrase or key in the crypto wallet app; (2) keylogging malware, which digitally logs the keystrokes of the user while the user is entering the passphrase or key in the crypto wallet app; or (3) an overlay attack, another form of identity malware, which superimposes a screen (or uses a fake screen) to trick the user into entering the passphrase or key into a malicious screen or entry field inside the crypto wallet app. In cases I’ve been involved in, parts of apps with confidential information on them have been exposed to hackers or fraudsters. As a result, it’s important to prevent screen sharing, screenshots or screen recording. To address this attack vector, see this article for more information on how to prevent screen sharing, prevent overlay attacks, and prevent keylogging in the apps themselves.
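The screen-capture and overlay defenses described above can be expressed with standard Android platform APIs. The Kotlin activity below is an added example, not code from Appdome or the original post, and the class name is hypothetical; it blocks screenshots and recording of the passphrase screen and refuses input while another window covers it.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.text.InputType
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.EditText
import android.widget.Toast

// Hypothetical screen where the user types the wallet passphrase.
class PassphraseEntryActivity : Activity() {
    private lateinit var field: EditText

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Keep this window out of screenshots, screen recordings and non-secure displays.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        field = EditText(this).apply {
            // Password-style field; ask the keyboard not to offer or learn suggestions.
            inputType = InputType.TYPE_CLASS_TEXT or
                InputType.TYPE_TEXT_VARIATION_PASSWORD or
                InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS
            // Drop touches delivered while another app's window covers this view.
            filterTouchesWhenObscured = true
        }
        setContentView(field)
    }

    // Also reject touches when the window is only partially covered (flag added in API 29).
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        val obscuredMask = MotionEvent.FLAG_WINDOW_IS_OBSCURED or
            MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED
        if ((ev.flags and obscuredMask) != 0) {
            Toast.makeText(this, "Close overlay apps before entering your passphrase",
                Toast.LENGTH_SHORT).show()
            return true // consume the event; nothing reaches the input field
        }
        return super.dispatchTouchEvent(ev)
    }

    override fun onPause() {
        super.onPause()
        field.text.clear() // do not leave the passphrase in the view when backgrounded
    }
}
```

These flags address screen capture and overlays only; a malicious third-party keyboard still sees keystrokes, which is why some wallet apps render their own in-app keypad for secret entry.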
3. Malicious Instrumenting of Crypto Wallet Apps
Because of the transactional dependency between the mobile client and the blockchain in crypto wallet apps, the integrity of the platform used to run the crypto wallet client app is extremely important in protecting crypto wallet users. For example, standard jailbreak and rooting methods, and powerful jailbreak and root hiding tools like Liberty Lite and Magisk, can be used alone or in combination with malware to interfere with, harvest or listen to events between the app and external services. Even pen testing tools like Frida and other dynamic binary instrumentation (DBI) tools can be used to instrument, hook and invoke functionality in a crypto app for all sorts of malicious purposes, including gaining access to the blockchain address of the client app or its passphrases, impersonating the client app, etc. Crypto wallet makers can prevent crypto wallet apps from running on a jailbroken or rooted device, block Frida, block Magisk and safeguard against dynamic hacking tools, all to protect users and guarantee the integrity of the critical functions in the app. Best practices would also suggest that the developer of the application use comprehensive code obfuscation to make it harder for the attacker to research the app in the first place.
4. MiTM Attacks on Crypto Apps
People can have crypto wallets that are a part of centralized exchanges, or decentralized exchanges known as dApps. Communication between client and “server”, or P2P, introduces threats such as man-in-the-middle threats, TCP reset attacks, trojan attacks and other threats. The data in transit used by crypto apps is critical to the value of the cryptocurrency in the client wallet app: everything from transactions and transaction amounts to passphrases, etc., is included in this communication. To protect these communications, it is highly recommended to enforce SSL/TLS for all communications to and from crypto wallet apps, including a minimum TLS version, enforced cipher suites and other measures. Most blockchains have dApps that are created by the community. What if the dApp is malicious, or contains vulnerabilities that introduce malicious actions against your legitimate crypto wallet app, such as attempts to create nonsecure connections with the target app? To defend against this, developers of crypto wallet apps should consider a holistic Man-in-the-Middle defense.
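One way to enforce a minimum TLS version, a fixed cipher suite list and a pinned server key in an Android wallet client is shown below as an added example (not from the original post or Appdome). It assumes the app uses the OkHttp library; the host name is hypothetical and the pin is a placeholder.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.CipherSuite
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion

// Hypothetical backend host and a placeholder pin: replace the pin with the
// base64 SHA-256 of the real server's SubjectPublicKeyInfo before use.
private const val API_HOST = "api.wallet.example"
private const val SPKI_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

fun hardenedClient(): OkHttpClient {
    // TLS 1.2 and 1.3 only, AEAD suites with forward secrecy only.
    val tlsOnly = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
        .cipherSuites(
            CipherSuite.TLS_AES_128_GCM_SHA256,
            CipherSuite.TLS_AES_256_GCM_SHA384,
            CipherSuite.TLS_CHACHA20_POLY1305_SHA256,
            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        )
        .build()

    // The handshake fails unless a certificate in the server's chain matches the pin,
    // even if a rogue CA certificate is trusted by the device.
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, SPKI_PIN)
        .build()

    return OkHttpClient.Builder()
        // ConnectionSpec.CLEARTEXT is deliberately absent, so any http:// URL
        // (including one supplied by a dApp) is refused instead of sent in the clear.
        .connectionSpecs(listOf(tlsOnly))
        .certificatePinner(pinner)
        // Do not follow redirects that switch between https and http.
        .followSslRedirects(false)
        .build()
}
```

Ship at least one backup pin for a key held offline, so a certificate rotation does not lock every installed copy of the app out of the backend.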
5. Cryptojacking and Emulators with Crypto Wallet Apps
Modified versions of crypto wallet apps used with emulators and simulators, or on-device malware, can be used by hackers to create fake accounts, perform malicious trades, transfer cryptocurrency from one wallet app to another, or perform cryptojacking attacks that take over the processing power of a mobile device and use it for cryptomining. Some less recent reports also show that hackers can abuse Android Debug Bridge (ADB) ports on Android phones to carry out this class of attack. To protect against this class of attack, it’s recommended to implement runtime application self-protection (RASP) methods, particularly anti-tampering, anti-debugging and emulator-prevention protections. Best practices would also suggest that, to truly guard against cryptojacking and similar attacks, production versions of crypto wallet apps include defenses against malicious use of ADB.
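The runtime checks recommended for attacks 3 and 5 (root, instrumentation, debugging, ADB and emulators) can be sketched with Android platform APIs. The Kotlin below is an added example rather than Appdome's detection logic; the function and signal names are hypothetical, and every check is a heuristic that root-hiding tools such as those named in section 3 are designed to evade.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Debug
import android.provider.Settings
import java.io.File

// Heuristic signals only; all names in this file are hypothetical.
data class RuntimeFindings(val signals: Set<String>) {
    // adb-enabled alone is common on developer phones, so it is reported but does not block.
    val blocking: Boolean get() = (signals - "adb-enabled").isNotEmpty()
}

fun assessRuntime(context: Context): RuntimeFindings {
    val found = mutableSetOf<String>()

    // Attack 3: rooted platform, or an instrumentation library mapped into this process.
    val suPaths = listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
    if (suPaths.any { File(it).exists() }) found += "su-binary"
    if (Build.TAGS?.contains("test-keys") == true) found += "test-keys-build"
    val maps = runCatching { File("/proc/self/maps").readText() }.getOrDefault("")
    if (maps.contains("frida", ignoreCase = true)) found += "frida-mapped"

    // Attack 5: debuggable or debugged app, ADB switched on, emulator build properties.
    val flags = context.applicationInfo.flags
    if ((flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0) found += "debuggable-build"
    if (Debug.isDebuggerConnected()) found += "debugger-attached"
    val adb = Settings.Global.getInt(context.contentResolver, Settings.Global.ADB_ENABLED, 0)
    if (adb == 1) found += "adb-enabled"
    val emulator = Build.FINGERPRINT.startsWith("generic") ||
        Build.HARDWARE in setOf("goldfish", "ranchu") ||
        Build.PRODUCT.startsWith("sdk")
    if (emulator) found += "emulator-build"

    return RuntimeFindings(found)
}

// Run the sensitive operation (for example, signing a transfer) only in a clean runtime.
fun <T> runIfTrusted(context: Context, sensitive: () -> T): T? {
    val findings = assessRuntime(context)
    return if (findings.blocking) null else sensitive()
}
```

Report the collected signals to the backend as well, so that server-side fraud rules can weigh them alongside the transaction instead of relying on a client-side decision alone.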
Individual and institutional investors are adopting and using Crypto wallet apps more than ever. Developers of crypto wallet apps should follow shift-left security and should start building security features into mobile apps as early as possible in the development lifecycle.
We’d Love to Help Stop the 5 Attack Vectors Aimed at Crypto Wallets
In cybersecurity, an ounce of prevention is better than a pound of cure. I’d love to help with your security project and help your crypto wallet overcome the challenges you are facing. Let me show how you can protect against threats to your mobile app. Please reach out to us for a demo!