Fake Cryptocurrency Wallet App Installs Ransomware
Hackers have come up with a new spin on exploiting the cryptocurrency gold rush, a completely fake coin and wallet app.
The unwary investor looking for the next big thing might rush to download the SpriteCoin wallet and hit the install button - which is when you’ll find that it is in fact ransomware.
After asking users to set a password, the fake wallet pretends to be downloading the blockchain files, but is in fact encrypting the PC. It then demands a ransom in Monero (0.3 Monero - equivalent to $105 USD) to restore the files. However, in an unpleasant twist, if users to decide to pay up then new malware is added during the decryption process, leaving the unsuspecting user open to future compromise.
The secondary malware is designed to steal credentials, as well as harvest certificates, parse images, and can even activate the web camera.
“During our analysis, we have seen indicators that the sample appears to have an embedded SQLite engine. This leads us to believe it is using SQLite to store harvested credentials. The ransomware first looks to harvest Chrome credentials, and if it finds nothing it then moves on and tries to access the Firefox credential store. It then looks for specific files to encrypt. These files are then encrypted with an .encrypted file extension (eg: resume.doc.encrypted).” wrote the Fortinet researchers in their blogpost detailing the attack.
"The allure of quick wealth through cryptocurrency seems to be enough to trick unsuspecting users to rush toward the wallet app du jour without consideration," they summarised.
In another new report, it has been revealed that as much as 10 per cent of all early investor funds are stolen by hackers. The report focussed on the highly popular trend of ICOs (initial coin offerings), which experienced a major boom in 2017 - in fact, in some ICO cases investors were contributing capital at an average rate of over US$300,000 per second. However, this enormous influx of wealth has attracted the criminal element, benefitting from the hype, irreversibility of blockchain-based transactions and basic coding errors. These errors, said the report: “could have been avoided had the ICO been carefully reviewed by experienced developers and cybersecurity analysts.”
Funds are misappropriated via substituting project wallet addresses (phishing, site hacking), accessing private keys and stealing funds from wallets, or hacking stock exchanges and wallets; all on top of indirect losses caused by high reputational risks for project founders., summarised the report.
Ilia Kolochenko, CEO, High-Tech Bridge commented on the wider cryptocurrency industry: "Many blockchain and cryptocurrency startups have worse problems. The global market of digital currencies is very competitive, totally unpredictable and highly turbulent. All available, and often already scanty, resources are usually allocated to development and implementation of new features and bug fixing, while cybersecurity is left for another day. Very few companies have properly implemented an SDLC or DevSecOps approach for the integrity of their products, let alone regulatory and privacy requirements. Therefore, we should expect a growing number of security incidents related to cryptocurrency startups in 2018."
Research from High-Tech Bridge recently found that of the top cryptocurrency mobile apps on Google Play, even of those with more than 500,000 installations, 94 per cent contained at least three medium-risk vulnerabilities, and 77 per cent contained at least two high-risk vulnerabilities. A massive 94 per cent of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS, and 66 per cent of applications were sending [potentially] sensitive data without any encryption over HTTP.
The testing was conducted with High-Tech Bridge’s Mobile X-Ray free online service with SAST, DAST and IAST capabilities for native and hybrid Android and iOS applications. The service was launched in October 2017 and has now tested 44,000 apps for vulnerabilities.