In spite of market volatility, crypto wallet adoption has exploded as new investors are drawn to cryptocurrency and new cryptocurrencies, NFTs, and tokens are launched. Fraud and attacks on crypto wallet apps have also gone up. In this blog, we’ll discuss the top 5 attacks aimed at crypto wallet apps and how to solve them.
How Crypto Wallets Get Hacked
The conventional wisdom is that crypto wallets come in two forms: hot wallets and cold wallets. Hot wallets, we’re told, offer greater convenience and flexibility but come with greater security risks. Cold wallets, by comparison, are more secure but less convenient. In everyday use, however, these systems run into practical challenges, and it turns out that hot wallets can be made just as secure as cold wallets (if not more so), provided you know how to protect a hot wallet.
In the first 7 months of 2022, $1.9B worth of cryptocurrency was stolen, up 60% from the prior year. Here’s an example of how a crypto wallet security vulnerability can turn into real user pain and loss. Say a user downloads a Trojan malware app onto their device. Once installed, the trojan app steals $600,000 worth of Bitcoin from the wallet app. Ouch! This is exactly what the Android Trojan malware called “Sharkbot” does. Sharkbot initiates money transfers from crypto and banking apps on compromised devices, bypassing verification systems. Adding insult to injury, the malware also prevents its victims from deleting it. Sharkbot isn’t the only malware that targets cryptocurrency wallet apps. Xenomorph, Octo, and Sova are just some of the newer mobile malware variants that target cryptocurrency wallet applications, perform transactions, steal passphrases, and more.
On-device malware isn’t the only attack vector. Hackers often try to exploit the connections between crypto wallets or between the crypto wallet and the backend service supporting the app. A white hat hacker who probed the security of 30 apps from large global financial institutions and cryptocurrency companies found that 99% of these mobile apps contained hardcoded API keys and tokens, usernames, and passwords that could be harvested easily.
Top 5 Cyber Attacks Aimed at Crypto Wallet Apps
Here are the top 5 cyber attacks aimed at crypto wallet apps and how you can use Appdome to solve them. See the video for a summary.
1. Stealing the Locally Stored Passphrase or Private Key used by Crypto Wallet Apps
There are many user trade-offs between a hot and a cold wallet and, for that matter, between a custodial and a non-custodial crypto wallet app. You might want greater control over your passwords or passphrase, or the convenience of resetting them through the custodial provider. From a cyber security perspective, the risk is the same no matter which wallet you choose, because eventually the wallet has to connect to something to perform transactions. Inside (or as part of) a transaction, the passphrase or keys have to be used, and if malware is on the connected (mobile) device, that malware can access those keys, passwords, or passphrases. Unencrypted data in memory, in the application sandbox or on the SD card, in preference areas like NSUserDefaults, or in external areas such as the clipboard gives hackers the ability to harvest it for their own malicious purposes. To resolve this, we typically recommend data-at-rest encryption as the minimum protection for locally stored data, no matter where it resides: internal to the app itself, in preference areas, or on the clipboard.
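As an added, platform-neutral illustration in Go (not code from this post or from Appdome), here is the weak pattern beside the corrected one: a mnemonic written to a preference file as-is versus sealed with AES-256-GCM under a master key that on a real device would be held in the Android Keystore or the iOS Secure Enclave. The mnemonic is a constructed sample and a random key stands in for the Keystore-resident one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Constructed sample: a BIP-39 style mnemonic the wallet must keep on the device.
const sampleMnemonic = "abandon ability able about above absent absorb abstract absurd abuse access accident"
// storePlaintext is the weak pattern: the secret lands in a preference store as-is,
// so malware that can read the app sandbox, SD card or a backup just greps for it.
func storePlaintext(secret string) []byte {
	return []byte("mnemonic=" + secret + "\n")
}
// newGCM wraps masterKey in AES-256-GCM. In production the key would be held in
// the Android Keystore or iOS Secure Enclave; here a random key stands in for it.
func newGCM(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealSecret is the corrected pattern; on-disk layout is nonce || ciphertext || tag.
func sealSecret(masterKey []byte, secret string) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce on every write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(secret), nil), nil
}
// openSecret reverses sealSecret; a single modified byte fails the GCM tag check.
func openSecret(masterKey, stored []byte) (string, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", errors.New("stored blob too short")
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
	return string(pt), err
}
```

The sealed blob never contains the mnemonic bytes, and truncation, a wrong key or a flipped byte all fail authentication instead of yielding garbage.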
2. Harvesting Passphrase or Private Key
Another way to steal passphrases and crypto wallet keys is to capture them as the user enters the values into the crypto wallet app. From a hacking perspective, there are three ways of achieving this: (1) an “over-the-shoulder attack,” which basically involves sitting next to the user and literally watching them enter the passphrase or key into the crypto wallet app; (2) keylogging malware, which digitally logs the user’s keystrokes while the passphrase or key is being entered into the crypto wallet app; or (3) overlay attacks, another form of identity malware, which superimpose a screen (or use a fake screen) to trick the user into entering the passphrase or key into a malicious screen or entry field inside the crypto wallet app. In cases I’ve been involved in, parts of apps with confidential information on them have been exposed to hackers or fraudsters via screen sharing, screenshots, or screen recording while the apps were in use.
3. Dynamic Attacks Against Crypto Wallet Apps
Because of the transactional dependency between the mobile client and the blockchain in crypto wallet apps, the integrity of the platform that runs the crypto wallet client app is extremely important in protecting crypto wallet users. For example, standard jailbreak and rooting methods, and powerful jailbreak- and root-hiding tools like Liberty Lite and Magisk, can be used alone or in combination with malware to interfere with, harvest, or listen to events between the app and external services. Even pen testing tools like Frida and other dynamic binary instrumentation (DBI) frameworks can be used to instrument, hook, and invoke functionality in a crypto app for all sorts of malicious purposes, including gaining access to the client app’s blockchain address or passphrases, impersonating the client app, and so on. Crypto wallet makers can prevent crypto wallet apps from running on a jailbroken or rooted device, block Frida, block Magisk, and safeguard against dynamic hacking tools, all to protect users and guarantee the integrity of the app’s critical functions. Best practice would also suggest that the application’s developer use comprehensive code obfuscation to make it harder for an attacker to research the app in the first place.
4. MiTM Attacks on Crypto Apps
People can have crypto wallets that are part of centralized exchanges or of decentralized exchanges, known as dApps. Communication between client and “server,” or peer to peer, introduces threats such as man-in-the-middle attacks, TCP reset attacks, trojan attacks, and others. The data in transit used by crypto apps is critical to the value of the cryptocurrency in the client wallet app: transactions, transaction amounts, passphrases, and more are all carried in this communication. To protect these communications, it is highly recommended to enforce SSL/TLS for all traffic to and from crypto wallet apps, including a minimum TLS version, enforced cipher suites, and other measures. Most blockchains have dApps that are created by the community. What if such an app is malicious, or contains vulnerabilities that introduce malicious actions against your legitimate crypto wallet app, such as an attempt to create non-secure connections with the target app? To defend against this event, developers of crypto wallet apps should consider a holistic man-in-the-middle defense.
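As an added, platform-neutral example in Go (not code from this post or from Appdome), the client-side TLS settings just described: a minimum TLS version, an enforced cipher-suite list, and a public-key (SPKI) pin, exercised against a self-signed backend certificate generated inside the block. The hostname wallet-backend.example is assumed, and the pipe deadline exists only because the in-memory handshake uses a synchronous net.Pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)
// walletClientConfig hardens data-in-transit: TLS 1.2 floor, forward-secret AEAD
// suites only (TLS 1.3 fixes its own) and an SPKI pin that rejects any MITM cert.
func walletClientConfig(roots *x509.CertPool, pinnedSPKI [32]byte) *tls.Config {
	return &tls.Config{
		ServerName:   "wallet-backend.example", // assumed backend hostname
		RootCAs:      roots,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // runs after chain validation
			if sha256.Sum256(chains[0][0].RawSubjectPublicKeyInfo) != pinnedSPKI {
				return errors.New("backend public key does not match pin")
			}
			return nil
		},
	}
}
// selfSignedBackend: a throwaway certificate standing in for the real backend,
// plus a trust store that accepts it and its SPKI pin (demo, errors ignored).
func selfSignedBackend() (tls.Certificate, *x509.CertPool, [32]byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"wallet-backend.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}
// handshake runs an in-memory client/server handshake and returns the client's verdict.
func handshake(client *tls.Config, server tls.Certificate) error {
	c, s := net.Pipe()
	s.SetDeadline(time.Now().Add(2 * time.Second)) // net.Pipe is synchronous; never wedge on an alert
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true})
	go func() { _ = srv.Handshake(); s.Close() }()
	return tls.Client(c, client).Handshake()
}
```

A certificate that chains correctly but carries a different key, or one for the same hostname that the trust store does not know, both fail the client handshake; on Android or iOS the same three settings map onto the platform network stack rather than Go's crypto/tls.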
5. Using Dev-Tools like ADB Against Crypto Wallet Apps
Modified versions of crypto wallet apps used with emulators and simulators, or on-device malware, can be used by hackers to create fake accounts, perform malicious trades, or transfer cryptocurrency from one wallet app to another. Some older reports also show that hackers can abuse Android Debug Bridge (ADB) ports on Android phones to carry out this class of attack. To protect against it, it’s recommended to implement runtime application self-protection (RASP) methods, particularly anti-tampering, anti-debugging, and emulator detection. Best practice would also suggest that, to truly guard against cryptojacking and similar attacks, production versions of crypto wallet apps include a defense against malicious use of ADB.
Let Appdome Help Stop the 5 Cyber Attacks Aimed at Crypto Wallets
In cybersecurity, an ounce of prevention is better than a pound of cure.
At Appdome, we specialize in protecting Android and iOS crypto wallet applications, allowing developers of crypto wallet applications to remain agile and maintain high-velocity delivery of protections into crypto wallet apps in the CI/CD pipeline. I’d love to help your crypto wallet overcome any challenges you are facing. Let us show you how you can protect against threats to your mobile app with no work, no code, and no SDKs. Please reach out to us for a demo!