We have given you plenty of good reasons to avoid downloading suspicious Android apps over the years, but here’s one more. Recently, researchers at McAfee (via Ars Technica) discovered 280 fake Android apps that scammers are using to access cryptocurrency wallets.
As the researchers note, cryptocurrency wallet owners typically receive mnemonic phrases that they can use to recover their accounts in case they get locked out. These typically consist of 12 to 24 words, and it’s not uncommon to take a screenshot of them.
The fake Android apps unearthed by McAfee’s Mobile Research Team target these phrases by scanning phones for images that might contain them.
McAfee’s researchers say that the malware disguises itself as banking, government, streaming, and utility apps. Scammers spread these apps through phishing campaigns by sending texts or DMs on social media containing links to deceptive websites that look legit. Once there, victims are prompted to download an app that installs the malware on their phones.
The fake Android app will then request permission to access all manner of sensitive information, from SMS messages to contacts to storage. The app also wants to run in the background, which should all be red flags, in case you weren’t aware.
If you make it this far, here’s what any of the 280 fake apps can steal from your phone:
- Contacts: The malware pulls the user’s entire contact list, which could be used for further deceptive practices or to spread the malware even further.
- SMS Messages: It captures and sends out all incoming SMS messages, which might include private codes used for two-factor authentication or other important information.
- Photos: The app uploads any images stored on the device to the attackers’ server. These could be personal photos or other sensitive images.
- Device Information: It gathers details about the device itself, like the operating system version and phone numbers. This information helps the attackers customize their malicious activities to be more effective.
“In such a landscape, it is crucial for users to be cautious about their actions, like installing apps and granting permissions,” McAfee’s mobile researchers say. “It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices.”