Are Cryptocurrency Wallets more at risk than ever?

It sounds like only Hardware Wallets (like Ledger, Trezor, etc…) are secure

Jean-Luc Leleu
4 min read · Mar 14, 2023

The recent Pegasus story showed the public that any device can be compromised by malware that takes complete control of it: a jailbreak or root privileges obtained without the user even clicking a link (the mere reception of a WhatsApp message, iMessage, SMS, etc. can trigger the infection). It happened to Emmanuel Macron, Angela Merkel, and others.
Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution (googleprojectzero.blogspot.com)

Banking trojans: the main threat against wallets

Banking trojans are a type of malware that poses a serious threat to the security and privacy of online banking and cryptocurrency users. These malicious programs are designed to steal sensitive information such as login credentials and financial data from users’ devices, but more importantly, they can also manipulate users into validating fraudulent transactions, bypassing state-of-the-art two-factor authentication (2FA) and even multi-factor authentication (MFA) mechanisms.

Godfather, a recent example of banking trojan

One of the most recent active banking trojans is called Godfather, which has been used to target users of more than 400 banking and cryptocurrency apps across 16 countries. As of October 2022, 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms had been targeted by Godfather. This banking trojan uses sophisticated techniques such as overlays, screen recording, keylogging, and SMS interception to deceive users and gain access to their accounts.

Source: Group-IB

Crypto wallets and exchanges are now targets as important as financial institutions such as banks.

BaFin — Warnings & News — Warning: Current malware “Godfather” attacks banking and crypto apps
Godfather already a new variant | Malwarebytes Lab

Cyble — GodFather analysis with code review

Godfather is not alone

Source: Kaspersky

Other known recent banking trojans include Trickbot, Emotet, Dridex, Qakbot, and Zloader, which have been used to target financial institutions around the world. These banking trojans have also been used to target cryptocurrency wallets specifically. For instance, Trickbot can steal private keys and seed phrases from popular crypto wallets such as Exodus, Electrum, and Jaxx. Emotet can inject malicious code into web browsers to redirect users to fake websites that resemble legitimate crypto exchange platforms. Dridex can modify clipboard data to replace legitimate crypto addresses with those controlled by the attackers.

Source: Group-IB 2022/2023 threat reports

200,000 new mobile banking Trojan installers discovered in 2022, double the 2021 | Kaspersky

Overlay attacks: why the user interface is the weakest point of failure

Overlays are graphical elements displayed on top of an application’s user interface. They can be used to trick users into entering sensitive information such as login credentials or credit card details, or into validating false transactions. For example, Godfather and other trojans can display an overlay that mimics the legitimate app’s interface and asks the user to confirm a transaction that the user never initiated. If the user falls for the trap and enters their PIN or password, the banking trojan can use this information to execute unauthorized transactions or transfer funds to the attacker’s account. It can also make the user validate a phony transaction with their biometrics: the overlay masks the phony destination address and amount with what the user expects to see.

Banking trojans are constantly evolving and adapting to new security measures and user behaviors.

(2022) Novel Overlay + Toast Attack on Bank of America app — YouTube
Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions (paloaltonetworks.com)
How are we doing with Android’s overlay attacks in 2020? | WithSecure™ Labs

Related tapjacking risks:
https://developer.android.com/topic/security/risks/tapjacking
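As an added illustration that is not part of the original post, the Kotlin snippet below shows the platform-side mitigations an Android wallet app can apply to its transaction-confirmation screen against the overlay and tapjacking techniques described above: FLAG_SECURE against screen recording, and the View touch filter that drops taps arriving while another window covers the confirm button. The activity, button class and message text are hypothetical.

```kotlin
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.AttributeSet
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import androidx.appcompat.widget.AppCompatButton

// Hypothetical confirm button that refuses taps delivered while another
// window is drawn over it (overlay / tapjacking) and reports them.
class GuardedConfirmButton @JvmOverloads constructor(
    context: Context, attrs: AttributeSet? = null
) : AppCompatButton(context, attrs) {
    // Invoked on the first touch of a tap that was rejected as obscured.
    var onObscuredTap: (() -> Unit)? = null

    // Platform filter: drops touches when the window is fully obscured.
    // Same effect as android:filterTouchesWhenObscured="true" in layout XML.
    init { filterTouchesWhenObscured = true }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val fully = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        // The stock filter ignores partial overlays; API 29+ reports those too.
        val partly = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fully || partly) {
            if (event.actionMasked == MotionEvent.ACTION_DOWN) onObscuredTap?.invoke()
            return false // swallow the event: no click is generated
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}

// Hypothetical transaction-confirmation screen of a wallet app.
class ConfirmTransactionActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Screenshots, screen recording and casting of this window yield a
        // blank frame, so the displayed amount and destination are not captured.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        val confirm = GuardedConfirmButton(this).apply {
            text = "Confirm transfer"
            onObscuredTap = { Toast.makeText(context,
                "Another app is drawing over this screen; tap ignored.", Toast.LENGTH_LONG).show() }
            setOnClickListener { /* sign and broadcast: only unobscured taps reach here */ }
        }
        setContentView(confirm)
    }
}
```

These controls only govern touches and captures routed to the wallet's own window; an opaque full-screen overlay that collects the PIN inside the trojan's own window is not blocked by them, which is why the user interface remains the weak point the post describes.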

How malware infections spread

In the crypto ecosystem, messaging apps such as Telegram, Discord, etc. can be used to trick users into installing malware.

New Attack Targets Online Customer Service Channels | IBM security Intelligence

Wallets are now weaker than Banking Apps

Banking apps are getting more robust

The European Commission and the ECB have forced European banks to comply with the PSD2 regulation. As a result, banking apps are now more robust than most crypto wallets.

Consequently, threat actors now direct their attacks toward wallets

Criminal organizations are business-oriented and look for the best return on investment. Although malware is becoming more sophisticated and pervasive, profit-seeking attackers are pragmatic and focus on the weakest prey, which is now the cryptocurrency wallet.
Banking trojans are now massively targeting cryptocurrency owners.

Attacks on Hardware Wallets (Ledger, Trezor, etc…)

Kaspersky Uncovers Counterfeit Trezor Wallets That Jeopardize Crypto Assets With Pre-Knowledge of Private Key — Bitcoin News

Malicious Google Web Extensions Harvest Cryptowallet Secrets | Threatpost

In addition, supply chain attacks also exist (Kraken Security Labs Identifies Supply Chain Attacks Against Ledger Nano X Wallets — Kraken Blog): bad actors acquired legacy hardware wallets in bulk, modified them with malicious trojan-horse components, and resold the compromised wallets to steal passphrases or trigger phony transactions.

Additional references on wallet threats


Jean-Luc Leleu

Building the next Web3 Layer | 18 patents issued in the field of #cybersecurity and mobile device security. linkedin.com/in/jlleleu/