Security Researcher Highlights Danger Of Malicious Crypto Copycat Apps

Google has a serious problem with cryptocurrency malware infecting many of the apps on its marketplace, according to security researcher Lukas Stefanko.

On Twitter, Stefanko posted a screenshot of one such app, a MyEtherWallet copycat that tries to lure victims into handing over their private keys.

MyEtherWallet, a popular Ethereum wallet interface, has been suffering from multiple imitation apps on the Google marketplace. Stefanko breaks down for his followers what counterfeit apps are, some examples that are active on the store, and what danger they pose.

The copycat app was designed to get users to submit their existing wallet information, allowing it to phish for user credentials. The hackers would steal the private keys and essential information and then steal the user’s assets. Phishing refers to attempts to obtain sensitive information from a user by impersonating a trusted application or website. The information sought ranges from usernames and passwords to financial information and, in this case, private keys.

Over the last few days, an imitation of MyEtherWallet has been available for users to download. Fortunately, warnings were given in time to prevent too many people from downloading the app. What it demonstrates is that Google has a severe problem with monitoring the apps on its market.

In January, over 500 users were subject to a phishing scam that used a copycat MyEtherWallet to obtain sensitive information. This is not the first time that counterfeits have been reported.

Earlier cases also include another phishing scam in October 2017, one that allowed its creators to earn over $15,000 in just two hours.

On April 4th, Stefanko reported on Twitter that a Poloniex app was being downloaded by unwitting users, leaving them vulnerable to having their information stolen. Fortunately, Stefanko's tweets resulted in Google rapidly removing the malicious app.

According to research, Google has had serious problems with these apps for some time. In 2017 alone, the company’s online store had to remove over 700,000 apps for multiple reasons, including malware and phishing frauds.

Check out EAL (Ether Address Lookup) to help prevent fraud.


Attacker Exploits DeFi Protocol to Make $360,000 in a Single Transaction

Francisco Memoria

An attacker has managed to exploit the decentralized finance (DeFi) protocol bZx to make over $360,000 worth of profit in a single transaction through what’s known as a flash loan.

Using a decentralized trading platform dYdX, a hacker borrowed 10,000 ETH, currently worth around $2.5 million, and then sent half of it to decentralized finance lending platform Compound, and half to decentralized trading platform bZx.

Using the funds on Compound, the hacker borrowed 112 wrapped bitcoin tokens (wBTC), ERC-20 tokens backed 1:1 by bitcoin. Using the half on bZx, the hacker entered a short position for 112 wBTC. He then sent the 112 wBTC he got from Compound to another trading platform, Uniswap, in a move that lowered the price of the tokens, which made the short sale profitable.

The hacker then repaid his loan to dYdX and kept the profit from the short sale, 1,300 ether that were then worth $360,000. All of this was done in a single transaction that cost around $8 in transaction fees.

[Image: the single transaction. Source: Etherscan]

The attack was pulled off in a single transaction through what’s known as a flash loan. Essentially, the attacker borrowed 10,000 ETH without any collateral, because he borrowed the funds in the same transaction that paid them back. A smart contract made it possible to carry out the whole sequence as one transaction.

Using the exploit, the hacker made over 1,000 ETH in profit and cost the bZx protocol over $620,000 in equity. bZx has made it clear users won’t suffer from the loss as it will compensate them. Those behind the project are set to release a detailed analysis at 5pm MST.

Data from DeFi Pulse shows that investors quickly started withdrawing from bZx right after the incident occurred, but started regaining confidence as soon as the project addressed the issue and clarified they wouldn’t be socializing the loss.
