Bitcoin Forum

Wondering how some loses their recovery seed to hackers without sharing their phones with anybody? We've seen many fake crypto wallets on playstore but there is more that only limited people know about

Stop using downloaded keyboards from playstore, they are easier to build and these keyboards safe words that you type through them and send them out to the dev, builder or whatever you would like to call them, few even have syncing function with your Gmail account, you have no idea what this keyboards are capable of

https://i.imgur.com/2lwEa67.png

Stick with keyboards that followed your smartphone instead, I did my best already

Yeah I thought this was well known.

It's why apps like mobile banking have their own keyboards in them and it's often best for wallets to do the same (but on Browser they can't).

I had my suspicions(but never really try to confirm it) regarding apps like that that's why I stayed away from it and warned others that are closest to me. just to add some of my precautions(maybe paranoia) I never click allow any app when they ask after downloading their app(unless they are from a trusted company) to have access to my file, contacts, camera and other things that could compromise important info from my phone.

Not only with keyboards, but with apps in general. It's a safe assumption that some people copy-paste their wallet's 12-24 word recovery phrase to a notes app and/or copy-paste their exchange passwords. Well, turns out, there are apps out there that sniff out your clipboard data(regardless if it's due to app functionality reasons, or for malicious purposes).

https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/

This is a 2017 post, depicting a case where a popular virtual keyboard app leaks 31 million users' personal data (https://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/). Apparently, it wasn’t a malicious app in principle, by the amount of personal data it gathered was notorious, and it also gathered silos of sensitive information such as phones, search terms, emails and, roll of drums, … passwords.

People, for some reason continued to use the app, and come 2019, the userbase was of 40 million (downloads). This time, the app was accused of  downloads makes money off unauthorized purchases (https://thenextweb.com/security/2019/11/04/sketchy-android-keyboard-app-with-40m-downloads-makes-money-off-unauthorized-purchases/).

The above case is enough to exemplify what a malicious keyboard app can do, and whether its public knowledge or not, a lot of shady things can be taking place behind the curtains. One even wonders what the default OS keyboards are capable of doing without our knowledge ... (crypto credentials included).

We need to be careful of the apps we have on phones, only the relevant ones I can use, online has been in a way to be careful of apps to dowlaod. There are many fake apps online with malacious codes that can make one device not to be private but to steal from it. I can not doubt this to happen, in a way app used on devices will be able to monitor the information on our device. The best is to remain from what comes from our phone than another.

I think every social media app has received backlash from doing something like this in the past so it's not only random apps sniffing what's on your clipboard. There are some crypto apps that will also autopaste your 2fa keys into them - which could be problematic if it's a password instead (even if you trust the app you could have someone watching your screen)...

It may worth adding that (many) browser extensions also can basically read everything you do online, still many people use (too many of) them when accessing everything, including ... exchanges and web wallets.

O M G

I never thought about that, thanks for creating this thread and raising awareness.

It makes total sense that hackers/scammers would use a simple keyboard download
to record "key strokes"

I dont use a downloaded keyboard but have done in the past.

It's possible that keyboard can steal passwords and recovery phrases but what makes them more dangerous is no way to prove to google that such thing exists in a keyboard because you've been warned already when installing a new keyboard about the possibility of recording words and passwords, this is at user's risk

I don't see the essence of downloading a colorful or with a theme keyboard on Google Playstore. But yeah, it's a fact that there are people that would choose to have it rather than the integrated keyboard on our phones.

Such apps should be avoided and software that's related to cryptocurrency that a person isn't aware of before downloading. Thanks for the reminder and heads up.

It's for customization, personal taste/style, and something similar. I've seen a lot of users use them, and by judging from the number of downloads, it is safe to say that there is a huge userbase that does this.

Unfortunately, most of them have low-security awareness though, so it is not that surprising. Things might change if they start reading more about security practice, or learn how to protect themselves when they start using cryptocurrency and stuff like that.

This is why being simple matters to me, and I'd prefer more the App store compare to the playstore which is hosted by the androids.
That's too scary especially if you're dealing with a multiple keyboards and you access you accounts online, many will get hack without knowing why.

I was only aware that some apps can actually look into your clipboard so I guess I should be more careful of the copy-paste function on my phone now. Its more convenient to just copy paste your whole seed phrase instead of typing it down one by one so thats why many can fall victim to schemes like that. Its always worth checking out the privacy policies before downloading any app especially if you have wallets installed on your mobile phone. Not to mention social media trackers and cross-site tracking cookies, and even offline tracking on some social media sites. They collect a lot of our data which is why I ad blockers and firewalls are very important.

The problem with some android apps is that it will not be taken down if no one is complaining about. And it will be too late already when they finally give attention to it. I have seen several fake wallets like the MEW in google play store, but was only aware when somebody here posted in scam accusations board about those phishing sites and fake apps. So it is also good to check the scam accusations board - https://bitcointalk.org/index.php?board=83.0 here in the forum once in a while, as it may be useful to you or others, and may save you from being screwed by these scammers.

I wonder how anyone with a little common sense can even consider a mobile wallet something that is safe? What really doesn’t make any sense is to do a recovery of a desktop or even a hardware wallet on a mobile wallet - just because someone wants to have an identical copy of their wallet on their smartphone?

There is a much better option for this in the form of a watch-only wallet or a completely new wallet in which we send ourselves as many coins as we need at some point. Smartphones with Android or iOS are real spy devices, they are full of security holes and I think they are much more dangerous in terms of security than a desktop Windows PC.

I say this because, in general, a very small percentage of people have adequate protection for their personal computers - while with smartphones this percentage decreases even more - AV/Firewall on a smartphone? The general opinion is that these things are unnecessary, it only consumes RAM and CPU - while on the other hand mobile malware flourishes and allows great profits to its creators.

Ouch!!! Thanks for sharing first of all.

I am becoming more convinced every day to become an app minimalist. 
There are tons of fantastic apps out there helping us in everyday life (many of them are just unnecessary to be fair) but it's time the masses become aware about the price we have to pay for their use. Next one going to dig into the privacy of billions of users is whatsapp , who is forcing its users to adhere to the new privacy conditions to continue using their app.

Things are not going into right direction imo.

The more crypto becomes popular the more there will be threats on every corner, I'm very familiar with keyboards that safe words you type through them and it makes sense that you can lose your recovery seed this way, this days even newbies go online and search for free private keys, imagine that

Being a bitcoiner/crypto enthusiast it is a must for people like us to beware of such spyware softwares.
These keyloggers are a very easy way to get user credentials and give away private information to hackers.
I remember when I was 15 years old I used a keylogger to get the admin password to access my brother's admin account.
It was fun but it shows how easy it is for anybody to get access to your devices. God forbid if you use 3rd party keyboards and access your crypto wallets then your coins are at stake.

They're not too aware of the caution that it brings from those customization that they bring.

Aren't the other phone models do have its own integrated keyboard that they can customize? that's really bad that many aren't aware of the security vulnerabilities that it has.

I always have doubts whenever I am going to download an application on my device so I always keep on reading the reviews and always looking for the rating before I download it. If it seems like having a bad rating then I will look for another application related to it. There are already a lot of fake apps including that keyboard that we can see in Playstore so be careful, I just worried and wonder why Playstore keeps on allowing those things, they should be responsible for it.

If you really have something to protect on your phone, you should always think that there is always something that will try to hack your account.

Sometimes people do not read most of the terms as conditions like the accessibility of the application mostly they download and this is not good at all because if there's something important with your devices and you are just wanting to allow them to access it just your fault too. Also not only is downloading such as a bunch of files with unknown sources is quite a bit risky too to your security some of them likely contain keylogger and viruses.

Of a truth, this method of phishing might work just right and for those that like everything fancy at that. The fact that it's easy to build is what makes it so dangerous because, tons of it could be created and made available on the playstore.
What people must get to understand is that, everything or at least most comes at a cost. I'm not sure users of this forum would want to go for a fancy keyboard with the level of awareness on scams and hacks. Users don't have time for such intricacies i hope. Should a default keyboard works quite right, just use it than get fooled by some fancy keys.