After analysis, 94 percent had "at least three" medium-risk vulnerabilities.
Image: Shutterstock. Composition: Author
As the value of cryptocurrencies continues to skyrocket nearly across the board, hackers and scammers are stealing digital money from unsuspecting victims in all sorts of new and interesting ways.
One method uses fake apps that steal credentials, but according to new analysis from information security firm High-Tech Bridge, it’s not just fraudulent apps that people have to worry about. Legitimate, but insecure, apps are also rampant and could allow a hacker to steal someone’s login information or even their cryptocurrency.
High-Tech Bridge used its free mobile app analysis software, called Mobile X-Ray, to peek under the hood of the top 30 cryptocurrency apps in the Google Play store at three different popularity levels: apps with up to 100,000 downloads, up to 500,000 downloads, and apps with more than 500,000 downloads. So, 90 apps in total. Of the most popular apps, 94 percent used outdated encryption, 66 percent didn’t use HTTPS to encrypt user information in transit, 44 percent used hard-coded default passwords (stored in plain text in the code), and overall 94 percent of the most popular apps were found to have “at least three medium-risk vulnerabilities.”
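The three findings above (cleartext HTTP endpoints, hard-coded passwords, outdated encryption) are the kind of thing a static scan of decompiled app source can flag before release. The script below is an added example written for this article, not High-Tech Bridge's Mobile X-Ray or any code from the apps it tested; the sample source it scans is constructed, and the patterns and severity label are illustrative assumptions rather than the firm's rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of decompiled Android app source (not from any real app).
SAMPLE_SOURCE = """\
public class PriceClient {
    private static final String API = "http://api.example-exchange.invalid/v1/ticker";
    private static final String ADMIN_PASSWORD = "changeme123";
    Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
    SSLContext ctx = SSLContext.getInstance("TLSv1");
    private static final String SAFE = "https://api.example-exchange.invalid/v1/ticker";
}
"""

# Each check: (name, regex, severity). Severity is an assumed label for this
# example; a real audit tool would rank findings by its own policy.
CHECKS = [
    # Plain http:// string literal: traffic can be read or altered on an open Wi-Fi network.
    ("cleartext-http", re.compile(r'"http://[^"]+"'), "medium"),
    # Credential-looking constant assigned a string literal: the password ships in the APK.
    ("hardcoded-credential",
     re.compile(r'(?i)(password|passwd|secret|api_?key)\w*\s*=\s*"[^"]+"'), "medium"),
    # Deprecated ciphers, hashes or protocol versions requested by name.
    ("weak-crypto",
     re.compile(r'"(DES|RC4|MD5|SHA-?1)[^"]*"|"(SSLv3|TLSv1(\.0)?)"'), "medium"),
]

Finding = Tuple[int, str, str]  # (line number, check name, offending line)


def scan_source(src: str) -> List[Finding]:
    """Return one finding per (line, check) pair that matches, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, pattern, _severity in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check name."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


def at_least_medium_risk(findings: List[Finding], minimum: int = 3) -> bool:
    """Mirror the article's threshold: does the app carry at least `minimum` findings?"""
    return len(findings) >= minimum


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for lineno, name, text in results:
        print(f"line {lineno}: {name}: {text}")
    print(summarize(results))
    print("at least three medium-risk findings:", at_least_medium_risk(results))
```

The `https://` constant on the last sample line is deliberately left unflagged: the cleartext check only matches the `http://` scheme, so the scan distinguishes an encrypted endpoint from a plain one rather than treating every URL as a finding.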
According to High-Tech Bridge CEO Ilia Kolochenko, whom I reached over the phone, the apps included everything from price trackers, to exchanges, to wallets. So, what does this mean? For most people, probably nothing. But for somebody who happens to land on a dedicated hacker’s shit list (not all that uncommon in the increasingly lucrative world of cryptocurrencies), it could mean the loss of funds or sensitive information like passwords.
“If you don’t have proper encryption—or it’s simply not implemented because some of these apps are using HTTP with no encryption at all—when you’re sitting with your phone at a cafe or the airport and the Wi-Fi is insecure, someone else can seize the traffic, intercept your login passwords, and access your wallet or digital storage,” Kolochenko told me.
In the case of a price tracker app, Kolochenko said, someone could feed a high-volume trader false information to influence their behaviour. Cryptocurrency markets are notoriously susceptible to price changes driven by “whales” who buy and sell in large amounts.
“You can have an application that doesn’t send or receive any sensitive information at all, but shows you something like the current price of Bitcoin,” he explained. “Such applications can be very poorly implemented, and in some cases could allow an attacker to falsify information.”
Obviously, to do this someone with a lot of technical skill would have to be extremely dedicated to the sole cause of screwing you over. But the point is that it’s possible. And, it’s worth mentioning, insecure apps are a blight on the entire mobile ecosystem, not just cryptocurrencies. But cryptocurrency apps deal with easily stolen digital money that often can’t be returned or recovered, even if found. So, it might pay to be a little more cautious with your apps than usual.