Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: jim618 on April 26, 2013, 10:05:48 PM



Title: PSA: Wallet stealing versions of MultiBit and Schildbach Bitcoin Wallet
Post by: jim618 on April 26, 2013, 10:05:48 PM
In the last 24 hours a fake version of the multibit.org site with wallet stealing code has appeared. I have confirmed it is a wallet stealer by decompiling the code.

Andreas Schildbach has just noticed a similar looking scam version of his Bitcoin Wallet on Google Play.

Be very careful with any MultiBit and Schildbach Bitcoin Wallet downloads.

Only download MultiBit from:
https://multibit.org

Andreas has confirmed that the correct URL for his wallet is:
https://play.google.com/store/apps/details?id=de.schildbach.wallet


Title: Re: PSA: Wallet stealing versions of MultiBit and Schildbach Bitcoin Wallet
Post by: Andreas Schildbach on April 26, 2013, 10:15:25 PM
To be clear, so far I have no proof that the Bitcoin Wallet clone in question has any malicious code.

However, the fact that the publisher chose to copy-protect his APK file makes me skeptical. If anyone is able to extract copy-protected APKs from Google Play, please drop me a mail.

And to be even more clear: I'm not talking about Litecoin Wallet or the Blockchain.info wallet. They are both legitimate clones as far as I can tell.


Title: Re: PSA: Wallet stealing versions of MultiBit and Schildbach Bitcoin Wallet
Post by: qxzn on April 26, 2013, 10:40:04 PM
How is the wallet-stealing client being distributed?


Title: Re: PSA: Wallet stealing versions of MultiBit and Schildbach Bitcoin Wallet
Post by: jim618 on April 27, 2013, 05:51:32 AM
For MultiBit - where the code is confirmed to be a wallet stealer - there is:
+ a site that is a rip of an old multibit.org site with the download links for Linux and Windows pointing to the malware. I won't mention the site name but it is basically a name squat, i.e. a few characters different to multibit.org
+ they were running a Google ads campaign along the lines of 'Secure desktop Bitcoin wallet . . .' this should now have been pulled. MultiBit does not run any Google ads so any you see are a scam.
+ there was also a r/bitcoin posting on Thursday night that pretended to be a 'MultiBit desktop ticker v2.1' with a link to mediafire to download. This product does not exist and I would never put a random download link like that. This post has now been deleted.

The malware is a copy of the MultiBit code base, i.e. you have an installer that installs a fake MultiBit and it looks pretty normal. When the fake MultiBit starts up it starts a thread that regularly does an HTTP GET to their command and control server with the balance of your wallet. It then returns either a list of addresses (and sends your bitcoin to one at random) or no addresses, in which case the steal will be delayed until later.

As Andreas points out it is not 100% confirmed the clone of his code on Google Play is a wallet stealer but it looks very similar: a rip of his app description, name squatting domain etc. It seems prudent to assume it contains the same wallet stealing code.

There may be other methods the authors are using to try to distribute it but those are the ones we are aware of.
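
Added example, not part of the thread and not MultiBit code: a download-link check for the name-squat pattern described in the post above, treating multibit.org (the only host the post names) as the sole trusted origin. The `.example` hosts are constructed samples, and the `MAX_EDITS` threshold and the "last two labels" registrable-domain rule are assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL = "multibit.org"        # only download host named in the post
BRAND = OFFICIAL.split(".")[0]
MAX_EDITS = 2                    # assumed reading of "a few characters different"


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a download URL."""
    parts = urlsplit(url)
    # .hostname drops any userinfo ("multibit.org@host") and lowercases.
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    # Assumption: registrable domain = last two labels (no public suffix list).
    if ".".join(labels[-2:]) == OFFICIAL:
        return "official"
    # Brand reused as userinfo, as a subdomain, or under another TLD.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    name = labels[-2] if len(labels) > 1 else labels[0]
    if edit_distance(name, BRAND) <= MAX_EDITS:
        return "lookalike"
    return "unrelated"


# Constructed sample links; none of these come from the thread.
SAMPLES = [
    "https://multibit.org/releases/setup.exe",
    "https://multlbit.example/setup.exe",
    "https://multibit.org@downloads.example/setup.exe",
    "https://multibit.org.downloads.example/setup.exe",
    "https://bitcoin.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):10} {url}")
```

Parsing the URL before comparing is what catches the userinfo and subdomain forms, which a plain substring test for "multibit.org" would accept as official.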


Title: Re: PSA: Wallet stealing versions of MultiBit and Schildbach Bitcoin Wallet
Post by: crazy_rabbit on April 27, 2013, 06:07:54 AM
Crap- this is bad news. I think we are going to see more and more of this in the future. :-/


EDIT: Maybe there needs to be a verified repository of bitcoin software. (as much as that sounds like centralization)