Over 90% of mobile cryptocurrency apps may be ‘in trouble,’ researchers say

Hold on to your Bitcoins! With the rising popularity of electronic currency, security researchers are sounding the alarm over mobile apps designed to store, process and trade cryptocurrencies.

Roughly 90% of a pool of 2,000 cryptocurrency mobile apps in the Finance section of the Google Play app store pose security risks, experts warn.

Currently trading at more than $11,000 apiece, the controversial Bitcoin has spurred tremendous interest in cryptocurrency – digital money whose issuance and transfers are secured by cryptographic algorithms rather than by a central authority.

Dozens of cryptocurrencies are available (Ethereum, Monero, Zcash, etc.), each with its own market cap – a combined total of a whopping $328,331,711,597 at the time of writing.

“Obviously, cybercriminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market,” according to High-Tech Bridge researchers.

On average, roughly one cryptocurrency a week gets compromised, inflicting millions in losses on those who take the plunge and convert their real cash into digital money in hopes of a fast and hefty return on investment.

However, the problems are only just beginning for those who invest heavily in “altcoins” (‘altcoin’ is the usual term for any cryptocurrency other than Bitcoin).

Researchers warn that weaknesses in mobile cryptocurrency applications may lead to a breach of the mobile device or its data, while a vulnerable backend API could allow attackers to steal user data from the app’s server side.

The researchers performed dynamic, static and interactive testing on 2,000+ Android apps designed for cryptocurrency management and trading.

The firm tested the binaries for weaknesses, risks to user privacy, and any instance of the OWASP Mobile Top 10 vulnerability classes. Their findings should strike fear into the hearts of all cryptocurrency miners and/or traders.

From the first 30 applications with up to 100,000 installations: 93% contain at least three medium-risk vulnerabilities; 66% contain hardcoded sensitive data (passwords or API keys); and 80% send potentially sensitive data over unencrypted HTTP.
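The two easiest of those findings to confirm yourself are hardcoded secrets and cleartext endpoints, because both survive in the APK in plain text. The following is an added example, not the researchers’ tooling or anything from the article: it scans an unpacked APK (for instance the output of apktool or jadx) for credential-looking strings and `http://` URLs, skipping the XML namespace URLs that appear in every Android manifest and layout. The regexes, file suffixes, sample file contents and the placeholder heuristic are assumptions for illustration; the `AKIA…` value is AWS’s published example access key ID, not a real credential.

```python
import re
from pathlib import Path

# Detection patterns (assumptions chosen for illustration; tune for a real engagement).
# Each pattern's last group, if any, is the secret value; otherwise the whole match is.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # e.g. API_SECRET = "..."  or  "password": "..."  in Java/Kotlin/smali/JSON
    ("assigned_secret", re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{8,})["']""")),
    # e.g. <string name="exchange_api_key">...</string> in res/values/strings.xml
    ("android_string_resource", re.compile(
        r"""(?i)<string\s+name="[^"]*(?:key|secret|token|password)[^"]*"\s*>([^<]{8,})</string>""")),
]
CLEARTEXT_URL = re.compile(r"""http://[^\s"'<>]+""")
# XML namespace identifiers look like URLs but are never fetched; do not report them.
NAMESPACE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/", "http://schemas.xmlsoap.org/")
SCAN_SUFFIXES = {".xml", ".java", ".kt", ".smali", ".json", ".properties", ".txt", ".js"}


def looks_like_placeholder(value):
    """Drop obvious template values so the report is not swamped by noise."""
    return value.lower().startswith(("your", "replace", "changeme", "xxx", "todo", "<"))


def find_hardcoded_secrets(text, path="<inline>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if looks_like_placeholder(value):
                    continue
                findings.append({"kind": kind, "path": path, "line": lineno, "value": value})
    return findings


def find_cleartext_urls(text, path="<inline>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CLEARTEXT_URL.finditer(line):
            url = m.group(0)
            if url.startswith(NAMESPACE_PREFIXES):
                continue
            findings.append({"kind": "cleartext_http", "path": path, "line": lineno, "value": url})
    return findings


def scan_tree(root):
    """Walk an unpacked APK directory and run both checks on every text-like file."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            try:
                text = p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings += find_hardcoded_secrets(text, str(p)) + find_cleartext_urls(text, str(p))
    return findings


# Constructed sample files standing in for an unpacked wallet app (not from any real app).
SAMPLES = {
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources xmlns:tools="http://schemas.android.com/tools">
    <string name="app_name">CoinTrader</string>
    <string name="exchange_api_key">live-7f3a9c2e4b1d8f60</string>
    <string name="price_feed">http://api.example-exchange.test/v1/ticker</string>
    <string name="support_url">https://support.example-exchange.test</string>
</resources>
""",
    "sources/com/example/wallet/ApiClient.java": """package com.example.wallet;
public class ApiClient {
    private static final String API_SECRET = "s3cr3t-not-for-shipping-9f8e7d";
    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String BASE_URL = "http://api.example-exchange.test/";
    private static final String DOCS = "https://docs.example-exchange.test/";
}
""",
}


def scan_samples():
    """Offline demo: run both checks over the constructed samples above."""
    findings = []
    for path, text in SAMPLES.items():
        findings += find_hardcoded_secrets(text, path) + find_cleartext_urls(text, path)
    return findings


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['kind']:<24} {f['path']}:{f['line']}  {f['value']}")
```

Run it as `python scan_apk.py path/to/unpacked-apk` for a real target; with no argument it reports five findings from the constructed samples. A hit on a cleartext URL is only the start: the real question is whether the app ever sends a session token or an order over that endpoint, which is a job for an intercepting proxy.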

From the first 30 applications with up to 500,000 downloads, additional findings include: 37% are vulnerable to man-in-the-middle (MITM) attacks that expose all transmitted data to interception (in a mobile app this usually means the server’s TLS certificate is not properly validated); 70% still use SSLv3 or TLS 1.0, obsolete protocol versions with known weaknesses that should be disabled; and 14% have backends vulnerable to POODLE, a padding-oracle attack on SSL 3.0’s CBC ciphersuites that lets a man-in-the-middle recover plaintext such as session cookies.
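Whether a backend still accepts SSL 3.0 or TLS 1.0, and whether it does so with a CBC ciphersuite (the POODLE-exposed combination), can be checked without any TLS library by sending a ClientHello pinned to one version and reading the server’s first record. The following is an added example, not the researchers’ scanner or anything from the article: a ServerHello at the offered version means the version is accepted, while an alert, a lower version or a closed connection means it is not. The ciphersuite list, the record offsets and the constructed ServerHello used for the offline demo are assumptions about the wire format as described in the SSL 3.0 and TLS RFCs.

```python
import os
import socket
import struct
import sys

# Protocol version numbers as they appear on the wire.
VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# CBC suites are the ones POODLE can attack once SSL 3.0 is negotiated.
CBC_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
OTHER_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
OFFERED_SUITES = list(CBC_SUITES) + list(OTHER_SUITES)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, suites=OFFERED_SUITES):
    """Minimal ClientHello (no extensions) whose record and handshake versions both equal `version`."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (struct.pack(">H", version) + os.urandom(32)      # client_version, random
            + b"\x00"                                         # empty session id
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake  # record type 0x16


def build_server_hello(version, suite, session_id=b""):
    """Constructed ServerHello used only for the offline demo below (no real server involved)."""
    body = (struct.pack(">H", version) + os.urandom(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # handshake type 2 = ServerHello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sends back: alert, ServerHello, or nothing usable."""
    if len(data) < 7:
        return {"result": "no_response"}
    content_type = data[0]
    if content_type == 0x15:                                   # alert: level, description
        return {"result": "alert", "level": data[5], "description": data[6],
                "name": ALERT_NAMES.get(data[6], "other")}
    if content_type == 0x16 and len(data) >= 44 and data[5] == 0x02:
        # 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random, sid length
        version = struct.unpack(">H", data[9:11])[0]
        start = 44 + data[43]
        if len(data) < start + 2:
            return {"result": "truncated"}
        return {"result": "server_hello", "version": version,
                "cipher_suite": struct.unpack(">H", data[start:start + 2])[0]}
    return {"result": "unexpected", "content_type": content_type}


def assess(version_name, response):
    """Verdict for a ClientHello that offered `version_name` as its highest version."""
    wanted = VERSIONS[version_name]
    if response["result"] != "server_hello":
        return "rejected"                                      # alert, silence or garbage
    if response["version"] != wanted:
        chosen = VERSION_NAMES.get(response["version"], hex(response["version"]))
        return f"rejected (server selected {chosen})"
    if wanted == VERSIONS["SSLv3"] and response["cipher_suite"] in CBC_SUITES:
        return "accepted (SSL 3.0 with a CBC suite: POODLE-exposed)"
    return "accepted"


def probe(host, port, version_name, timeout=5.0):
    """Live check against one host/port; returns the verdict string from assess()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(VERSIONS[version_name]))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return assess(version_name, parse_server_response(data))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name in VERSIONS:
        print(f"{name:<7} {probe(host, port, name)}")
```

Run it as `python tls_probe.py api.example.test 443` against a backend you are authorised to test. Two caveats: TLS 1.3 is negotiated through an extension this bare hello does not send, so the probe tops out at TLS 1.2, and without an SNI extension a host that serves several names may answer with its default configuration or close the connection; for a full picture use a dedicated scanner, but this is enough to confirm or rule out the SSL 3.0 and TLS 1.0 findings above.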

Virtually all of the applications tested had no protection whatsoever against reverse-engineering (no code obfuscation or tamper detection), so anyone with a copy of the APK can pull out the hardcoded secrets and endpoints noted above.

Researchers put the blame on the “agile” software development movement, where security often takes a back seat to speedy development.

So, if you manage or trade altcoins, think twice before entrusting your virtual net worth to an obscure Android app that promises to let you grow your crypto-fortune on the go.

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.

1 Comment

  • Avoiding poorly coded (90%) apps for altcoin is good advice. But what about the vulnerable APIs? If your chosen altcoin is using a vulnerable app API and the server is at risk, then so may be your altcoins.