March 19, 2020 | Security

Inside Kraken Security Labs: Analyzing Android Malware

Consider a common scenario. A crypto investor is at work when he or she suddenly reads in the news that Bitcoin is about to “moon.” They want to increase their position, but cannot get home for several hours.

Afraid of missing out on the opportunity, they search for their exchange’s app on the Google Play store. They check out the first listing that pops up and confirm that the logo looks okay, the UI is clean, and it has a good amount of positive ratings.

They then download the app, disregard the fact that it asks for an unusual amount of permissions, and start trading.

A little while later, they get home and log into their account to see that their balances have been emptied. Panic sets in and they wonder what happened. Then they remember the app they downloaded over lunch…

Beware of Fake Apps

For years, hackers have been creating malicious carbon-copies of popular apps to steal login credentials, money, and data from unsuspecting individuals.

The cryptocurrency industry is no different, and as exchanges release apps to help clients trade remotely, bad actors have tried to get clients to download fraudulent versions instead.

We regularly find, analyze and report these malicious impostors to get them taken down. However, it is difficult to identify every piece of malware as soon as it gets published. Therefore, it is critical for our clients to also be our partners in protecting their accounts.

To assist, we want to share some patterns that we see and highlight things that should arouse suspicion.

How (most) of the malware works

The malware gets uploaded to Google Play with an impostor name by an unknown developer. Please note that Kraken’s official developer name on the Google Play store is Payward, Inc.

The malware developer creates multiple fake reviews for the impostor application.

Nylqlj Ruyc

November 18, 2019

This version is beautiful in terms of it’s user friendliness but it keeps crashing. Please, try to fix it. It’s very annoying.

Tucker Soft

November 23, 2019

Thank you for the high rating! We work hard that our app meets our users’ expectations, and we’re happy to hear we hit the mark for you.

The victim unintentionally downloads the impostor Kraken application

The malware requests excessive permissions upon install, such as the ability to read and/or dismiss all of the victim’s notifications. This is particularly dangerous because notifications may contain 2FA codes. Read more about 2FA here.

The malware, when opened, shows a login screen. Victims who enter their username, password, or API keys are shown a false error message that asks them to enter their phone number.

The malware sends credentials from the impostor app (from step 5) and and any received notifications (from step 4) to a Google Firebase database, which are commonly used by attackers to record stolen data. The databases that we observed didn’t require authentication and were therefore readable to the world.

The malware developer uses the victim’s credentials to steal their funds.

What Happens Next

The malware gets reported and taken down, but not before the client’s account is emptied without recourse. Then the developer reappears with a new app and the process starts again.

Remember: It is much easier to protect yourself in the first place rather than trying to recover your funds.

Don’t Trust, Verify

We are working with Google, other exchanges and law enforcement to correlate these attacks, better defend against them, and identify the attackers. But, there is still a lot that you can do.

For instance:

Make sure you’re using official apps, including ours.

Use 2-factor authentication everywhere. 2FA will significantly reduce the chances that an attacker could login to your account even if you accidentally installed malware.

Scrutinize apps in mobile stores. Be wary of apps that have a small number of installs, use poor spelling or wording in the description or reviews, use poor or incorrect graphics or have reviews mentioning malware.

Beware of apps that prompt for unusual or overly broad permissions.

Caution against applications that lack functionality. The apps that we analyzed presented bogus service outage notifications immediately after the login dialog.