Popular Private Key Generator Compromised, Fake Crypto Wallets Emerge
Security researchers just sent two warnings to crypto users, encouraging them to move their funds from addresses generated via WalletGenerator.net after August 2018 and to be extra careful when downloading a wallet app from the Google Play store.
"If you have used a private key generated on WalletGenerator.net after August 17, 2018, move your funds immediately to a secure address," Harry Denley, a security researcher at Ethereum wallet provider MyCrypto.com, said in a recent blog post.
According to him, there were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side.
The researcher suggested creating a new keypair / wallet and moving funds to that new, secure address.
"Some folks have recommended using bitaddress (offline) via https://github.com/pointbiz/bitaddress.org," Denley said, adding that while the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point.
"In this strange turn of events, we still have no idea whether the current site owner is the malicious party, if the server is insecure, or both," the researcher said.
WalletGenerator.net was not available for immediate comment.
In a video, the team behind the research showed how they generated 1,000 keys and found groups of duplicate keys.
In April, WalletGenerator.net had almost 145,780 visits, or 307% more than in March, according to digital market intelligence platform Similarweb.
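The duplicate check described above can be run against any key generator before trusting it. This is an added example, not code from MyCrypto or WalletGenerator.net; the function names and the faulty generator are constructed stand-ins, since the article does not show the code that produced the duplicates.

```python
import hashlib
import secrets
from collections import defaultdict

def find_duplicate_groups(generate_key, samples=1000):
    """Call generate_key() `samples` times and return
    {key_hex: [sample indexes]} for every key seen more than once."""
    seen = defaultdict(list)
    for i in range(samples):
        seen[generate_key().hex()].append(i)
    return {k: idx for k, idx in seen.items() if len(idx) > 1}

def csprng_key():
    """Sound generator: 32 bytes straight from the OS CSPRNG."""
    return secrets.token_bytes(32)

def constructed_faulty_key(pool_size=120):
    """Constructed stand-in for a faulty generator: every key is derived
    from one of only `pool_size` seeds. Assumption for the demo only,
    not the mechanism used on WalletGenerator.net."""
    seed = secrets.randbelow(pool_size)
    return hashlib.sha256(b"constructed-demo-seed-%d" % seed).digest()

def audit(generate_key, samples=1000):
    """Summarise a sampling run. With 256-bit keys, even one repeat among
    1,000 samples cannot plausibly be chance, so any group is a failure."""
    groups = find_duplicate_groups(generate_key, samples)
    return {
        "samples": samples,
        "duplicate_groups": len(groups),
        "keys_in_groups": sum(len(v) for v in groups.values()),
        "verdict": "FAIL" if groups else "no duplicates seen",
    }

if __name__ == "__main__":
    print("csprng :", audit(csprng_key))
    print("faulty :", audit(constructed_faulty_key))
```

A clean run only shows that no repeats occurred in the sample; it says nothing about whether generated keys are also being stored server-side.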
Paper wallet interfaces are a convenient tool for users to easily generate a private / public keypair. However, as previously reported by Cryptonews.com, not only are paper wallets less secure than they're sometimes made out to be, but they require a level of technical expertise and oversight beyond the capabilities of most laypeople.
Fake crypto apps
Meanwhile, Lukas Stefanko, a malware researcher at IT security company ESET, claims that fake cryptocurrency apps "crop up on Google Play as bitcoin price rises."
Among the fake apps he mentioned is one impersonating the popular hardware cryptocurrency wallet Trezor and using the name “Trezor Mobile Wallet”; another is The Coin Wallet app. At pixel time, both apps are unavailable on Google Play. However, The Coin Wallet app was reportedly installed by more than 1,000 users.
According to ESET and Trezor, the fake app did not pose a direct threat to their users.
"However, [Trezor] did express concern that the email addresses collected via fake apps such as this one could be later misused for phishing campaigns targeted against Trezor users," Stefanko said in a blog post.
Meanwhile, the purpose of the second fake app was "to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of wallet address scams."
"If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere," Stefanko said, recommending that users stick to these basic security principles:
- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy
- Keep your device updated
- Use a reputable mobile security solution to block and remove threats