Bitcoin Forum

Other => Beginners & Help => Topic started by: Drnice on January 20, 2022, 05:44:56 PM



Title: Which is the best to use now?
Post by: Drnice on January 20, 2022, 05:44:56 PM
I came across this post, How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776.0), in the forum, which brought a question to my heart: is it better to use the website to download any wallet or exchange application for Android (as it is a normal thing to use for desktop/laptops) or use the Google Play Store, which is now said to have some applications that hijack the clipboard and change the address to the hijacker's address, and when the transaction has been executed, nothing can be done to cancel the transaction (which is normal)?
 First Cryptocurrency Clipboard Hijacker Found on Google Play Store  (https://www.bleepingcomputer.com/news/security/first-cryptocurrency-clipboard-hijacker-found-on-google-play-store/)
A cloned MetaMask away from the original is now a victim from the Google play store.
It is said that
Quote
The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. When BleepingComputer analyzed the app's APK file, we found that the app contains information that can be used to send this stolen data to a Telegram account.

How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?


Title: Re: Which is the best to use now?
Post by: LoyceV on January 20, 2022, 05:48:30 PM
The basics apply to any OS: don't keep a lot of funds in hot wallets, don't install weird software, install as few apps as possible, or even better: use a dedicated system for your wallet.


Title: Re: Which is the best to use now?
Post by: nakamura12 on January 20, 2022, 07:52:36 PM
It's up to you, as long as the application you want to download is provided by the real site and not by a fake site. There are legit apps on the Play Store too, like the Ethereum mobile version wallet, which I used and didn't have a problem with. However, downloading something using a browser could also download malware without you being aware that it was downloaded. Avoid downloading anything that looks like it might be helpful but is not.


Title: Re: Which is the best to use now?
Post by: dkbit98 on January 20, 2022, 08:12:54 PM
Quote
How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?
The best way is to use a custom operating system for Android phones (Lineage, Graphene, Calyx, Divest) instead of the default Android OS, but for most people this is a bit of an extreme step.
Regular people that still use Android OS should limit the use of all apps and stop using the Google Store, and move on to some alternative like F-Droid or Aurora Store.
Anything related to cryptocurrencies should be verified by signature when downloaded from official websites.
Electrum wallet has Android OS 5 support on their website; don't use any unknown crypto apps that can't be verified.
You should be much safer after doing this.


Title: Re: Which is the best to use now?
Post by: _BlackStar on January 20, 2022, 08:15:53 PM
Quote
-snip- How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?
If you read the whole thread, then you probably won't have any trouble finding the answer to your question as LoyceV has also added a few ways to prevent this.

How to prevent this
1. Don't use Windows (https://bitcointalk.org/index.php?topic=5190626.msg52680459#msg52680459), but we both know you're not going to change that.
2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.
3. I came up with something else: don't copy the entire Bitcoin address, copy only a part, and manually type the last few characters. Even if the malware exchanges the incomplete Bitcoin address by their own, your wallet won't accept the (invalid) address if you've typed a few more characters by yourself.
You'll still need to follow Step 2 after this: check the address!
4. Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-C. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!
5. I'll add o_e_l_e_o (https://bitcointalk.org/index.php?action=profile;u=1188543)'s suggestion here:
Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two addresses physically right next to each other. Once you have two addresses which are less than an inch apart, it's very easy to check the entire address and not just a few characters at the start or end.

If you are using a mobile then you should be able to download the app based on the correct link both in the web store and from the original site. I think the other most helpful advice is to not install unsafe apps for your phone that you use specifically for financial transactions be it crypto or other financial transactions.
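Why tip 3 in the quoted list works, as an added example that is not part of either post: a legacy Base58Check address (the `1...` form used in tip 4) ends in a 4-byte checksum, so a clipboard-swapped string with hand-typed final characters from the genuine address no longer validates. The two addresses are constructed from hashed labels, and `sample_address` and `type_tail` are hypothetical helper names.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, body: bytes) -> str:
    raw = bytes([version]) + body
    raw += _checksum(raw)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose last 4 match the checksum."""
    num = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:  # 0, O, I and l are not in the alphabet
            return False
        num = num * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]


def sample_address(label: str) -> str:
    # Constructed stand-in for a 20-byte public key hash; not a real wallet.
    return b58check_encode(0x00, hashlib.sha256(label.encode()).digest()[:20])


def type_tail(pasted: str, source: str, typed: int = 4) -> str:
    """Tip 3: paste everything but the end, then type the last characters
    by reading them from the original source of the address."""
    return pasted + source[-typed:]


if __name__ == "__main__":
    real = sample_address("constructed recipient")
    hijacker = sample_address("constructed hijacker")
    cases = {
        "clean clipboard": type_tail(real[:-4], real),
        "swapped for a full address": type_tail(hijacker, real),
        "swapped for a same-length part": type_tail(hijacker[:-4], real),
    }
    for name, addr in cases.items():
        print(f"{name:32} {addr:40} valid={b58check_valid(addr)}")
```

A fully swapped address is itself valid, so the checksum only protects when part of the address is typed by hand; the full comparison in tip 2 is still needed.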


Title: Re: Which is the best to use now?
Post by: Lafu on January 21, 2022, 04:42:27 AM
Quote
How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?
I wrote a thread about this back in the day: Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses (https://bitcointalk.org/index.php?topic=4601535.0)
And it surprises me that it has taken so long for them to get onto the Google Play Store.

But as LoyceV has already written:
Quote
The basics apply to any OS: don't keep a lot of funds in hot wallets, don't install weird software, install as few apps as possible, or even better: use a dedicated system for your wallet.
I am already at the point that I don't install an app that is from my work, for work. I don't trust it and I only use the work PC to check things.
 


Title: Re: Which is the best to use now?
Post by: o_e_l_e_o on January 21, 2022, 08:42:36 AM
Quote
is it better to use the website to download any wallet or exchange application for Android (as it is a normal thing to use for desktop/laptops) or use the Google play store
You can make mistakes with both. The Google play store regularly hosts fake and malicious apps which are disguised as the real thing which you can accidentally download. Similarly, there are plenty of fake websites designed to trick you into downloading fake apps, and these websites will also appear on Google search results. You should never trust an app just because it came from a specific source or what you believe was the legitimate website. Even if it did, websites and servers can be hacked and have the real files replaced with malicious ones.

The correct way to ensure your safety is to verify the download against the PGP signatures of the developers or the provided hashes prior to installing. You should download the software in question from the official site on your desktop or laptop, verify the file you have downloaded, and then transfer it to your phone to be installed.


Title: Re: Which is the best to use now?
Post by: pakhitheboss on January 21, 2022, 09:26:44 AM
Quote
I came across this post, How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776.0), in the forum, which brought a question to my heart: is it better to use the website to download any wallet or exchange application for Android (as it is a normal thing to use for desktop/laptops) or use the Google Play Store, which is now said to have some applications that hijack the clipboard and change the address to the hijacker's address, and when the transaction has been executed, nothing can be done to cancel the transaction (which is normal)?
 First Cryptocurrency Clipboard Hijacker Found on Google Play Store  (https://www.bleepingcomputer.com/news/security/first-cryptocurrency-clipboard-hijacker-found-on-google-play-store/)
A cloned MetaMask away from the original is now a victim from the Google play store.
It is said that
Quote
The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. When BleepingComputer analyzed the app's APK file, we found that the app contains information that can be used to send this stolen data to a Telegram account.

How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?


That is why it is always recommended to store cryptocurrency in a cold wallet for long-term hodl. Another important piece of information that has been shared through various posts on this board is to avoid the Google Play Store and visit the wallet website to get the download link. Also, always ensure that you are visiting the correct website by checking the URL. Always keep your mobile device updated and do not install unnecessary apps.


Title: Re: Which is the best to use now?
Post by: NeuroticFish on January 21, 2022, 09:32:58 AM
Quote
is it better to use the website to download any wallet or exchange application for Android (as it is a normal thing to use for desktop/laptops) or use the Google Play Store, which is now said to have some applications that hijack the clipboard and change the address to the hijacker's address, and when the transaction has been executed, nothing can be done to cancel the transaction (which is normal)?

The way I usually do is:
* going to the wallet software's web page and getting from there the link to the correct app on the Google Play Store
* always using hardware wallet with my funds on Android
* always double checking properly the addresses involved in the transactions


Title: Re: Which is the best to use now?
Post by: LoyceV on January 21, 2022, 10:24:11 AM
Quote
The way I usually do is:
* ~
* always using hardware wallet with my funds on Android
Does that mean you bring your hardware wallet with you, or do you not use the mobile app "on the go"? The reason I have a wallet on Android is for the (rare) opportunity when I can pay with Bitcoin, and I want to leave my hardware wallet safely at home.


Title: Re: Which is the best to use now?
Post by: NeuroticFish on January 21, 2022, 10:32:28 AM
Quote
The way I usually do is:
* ~
* always using hardware wallet with my funds on Android
Does that mean you bring your hardware wallet with you, or do you not use the mobile app "on the go"? The reason I have a wallet on Android is for the (rare) opportunity when I can pay with Bitcoin, and I want to leave my hardware wallet safely at home.

Yes, I bring it with me. Imho the point of HW is safety and convenience. With so many horror stories related to HWs (yes, mostly stupid user errors, but still...) I would not keep all the eggs in that basket.
The HODL amounts can stay completely offline - from a private key or seed written onto paper to a completely offline cold storage or another HW. But one HW is meant to go out with you. At least this is how I see the things.


Title: Re: Which is the best to use now?
Post by: aysg76 on January 21, 2022, 10:46:57 AM

Quote
You can make mistakes with both. The Google play store regularly hosts fake and malicious apps which are disguised as the real thing which you can accidentally download. Similarly, there are plenty of fake websites designed to trick you into downloading fake apps, and these websites will also appear on Google search results. You should never trust an app just because it came from a specific source or what you believe was the legitimate website. Even if it did, websites and servers can be hacked and have the real files replaced with malicious ones.

The correct way to ensure your safety is to verify the download against the PGP signatures of the developers or the provided hashes prior to installing. You should download the software in question from the official site on your desktop or laptop, verify the file you have downloaded, and then transfer it to your phone to be installed.
Absolutely, there are tons of fake applications on the Google Play Store and iOS too, presenting themselves as crypto apps and intended to install malware onto your phones and systems, which will eventually take control of your passwords and keys, and funds will be lost to the hackers.

Of these, the most obvious ones are the mining pool apps or cloud storage apps that fool you and then hack your system, which is far more dangerous than we think. Some of them are here:

 Fake apps on Android  (https://www.google.com/amp/s/www.gadgetsnow.com/amp/slideshows/2021-recap-8-fake-cryptocurrency-android-apps-that-scammed-users/photolist/88230658.cms)

There are fake ones on iOS too, and one famous one was a Trezor app that presented itself as the legit hardware wallet app but was actually a scam, and only one user was unlucky enough to fall victim to that scam, and he commented that:

Quote
Christodoulou isn't the only person to fall victim to the scam; Georgia resident James Fajcz also told the outlet that he lost $14,000 worth of Bitcoin and Ethereum to the fake app.

https://i.ibb.co/4gvkP6D/Es-Am-Van-WMAA58-Nf.jpg (https://ibb.co/qFq6kt4)

So people need to have extra security measures, as you have mentioned, and verify the software before installing it on your system, which will protect you from any kind of big scam.


Title: Re: Which is the best to use now?
Post by: LoyceV on January 21, 2022, 11:23:32 AM
Quote
But one HW is meant to go out with you. At least this is how I see the things.
Aren't you afraid showing a hardware wallet in public is like waving a thick wallet filled with cash? Anyone with a $5 wrench in their pocket can't see how much is on there, but they might want to find out.


Title: Re: Which is the best to use now?
Post by: NeuroticFish on January 21, 2022, 11:33:58 AM
Quote
But one HW is meant to go out with you. At least this is how I see the things.
Aren't you afraid showing a hardware wallet in public is like waving a thick wallet filled with cash? Anyone with a $5 wrench in their pocket can't see how much is on there, but they might be curious.

I have a Nano S which imho looks too much like a USB stick. Not fancy at all. And if one (with a 5$ wrench) is watching, he'd already know when I ask to pay with bitcoin...

While I do carry it with me, I haven't yet had the opportunity to take it out and pay. At all! (I've done some typical transfers from the safety of my car or room though.)
I've even taken it with me abroad on holidays, still no chance.
And now, with the pandemic, it's even worse, since I get out much less often.
So maybe when the opportunities will exist and I'll get to experience this for real, maybe I'll get to change my mind.


Title: Re: Which is the best to use now?
Post by: Drnice on January 22, 2022, 09:33:36 PM
Quote
The basics apply to any OS: don't keep a lot of funds in hot wallets, don't install weird software, install as few apps as possible, or even better: use a dedicated system for your wallet.

I think using a dedicated system (either a phone or laptop) is preferable and safer. Though, someone talked about using the Ubuntu operating system or another Android OS. It is good to use new technology, but one will have to take time to learn how to use it. The first time I ran Ubuntu on my system, it was fun, but I was more like a novice learning computers afresh, and I can't go into the market with that so I don't get myself messed up.
I make use of my phone more often than a laptop/desktop (which is once in a while), which is why I am more curious about the mobile version of everything we are talking about.


Title: Re: Which is the best to use now?
Post by: PX-Z on January 23, 2022, 03:53:59 PM
Quote
How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?
Be knowledgeable.

In any mobile phone digital distribution service, whether App Store or Play Store, it's easy to tell a fake from the original. Check the reviews, the number of downloads and the developers, and check the link of the app using the "share" feature in the upper right; mostly the URL is simply written with its website, "play.google.com/.../?id=io.metamask", while fake ones have different characters in it. Also check whether the app website redirects to the same Play Store page.

Use adblockers on both mobile and desktop browsers. Firefox has lots of security features, mobile or desktop; just enable them and use "strict".
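The link check described in this post, written out as an added example that is not part of the original post. It compares a shared store link against the package id published on the developer's own site; `check_store_link` is a hypothetical helper, and every URL except the `io.metamask` id quoted above is constructed.

```python
from urllib.parse import parse_qs, urlsplit


def check_store_link(url, expected_id):
    """Return a list of problems; an empty list means the link points at
    expected_id on Google Play."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https")
    # .hostname ignores any 'user@' prefix and the port, so
    # 'play.google.com@other.example' is reported as other.example.
    if parts.hostname != "play.google.com":
        problems.append(f"host is {parts.hostname!r}, not 'play.google.com'")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        problems.append("expected exactly one id parameter")
        return problems
    pkg = ids[0]
    if not pkg.isascii():
        problems.append("package id contains non-ASCII look-alike characters")
    if pkg != expected_id:
        problems.append(f"package id {pkg!r} differs from {expected_id!r}")
    return problems


# Constructed sample links; only the first two point at the expected listing.
BASE = "https://play.google.com/store/apps/details"
SAMPLES = [
    BASE + "?id=io.metamask",
    BASE + "?id=io.metamask&hl=en",
    BASE + "?id=io.metarnask",                    # 'rn' in place of 'm'
    BASE + "?id=io.met\u0430mask",                # Cyrillic 'a'
    BASE + "?id=io.metamask&id=io.metarnask",     # two id parameters
    "https://play.google.com.apps.example/store/apps/details?id=io.metamask",
    "https://play.google.com@apps.example/store/apps/details?id=io.metamask",
    "http://play.google.com/store/apps/details?id=io.metamask",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link.encode("ascii", "backslashreplace").decode())
        for problem in check_store_link(link, "io.metamask") or ["ok"]:
            print("   ", problem)
```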


Title: Re: Which is the best to use now?
Post by: tranthidung on January 23, 2022, 05:05:19 PM
To download applications (wallet or exchange applications), you must download them from official websites. This leads to another question: how do you know the official websites?

If you are a newbie in crypto, here are the first two websites you can use to search for projects and related links, exclusively links for websites. If you are careful, you can double-check the links given by them against links from search engines (Google, Bing, DuckDuckGo, etc.).
  • Coinmarketcap (https://coinmarketcap.com/)
  • Coingecko (https://www.coingecko.com/en)

The above are good first steps but not enough. In crypto, don't trust, verify. After you download a wallet, you must verify it. What is the purpose of the wallet verification step? To check and make sure the wallet you downloaded is real, not a phishing one. Don't trust a given link from any source; always verify it.


Title: Re: Which is the best to use now?
Post by: hatshepsut93 on January 23, 2022, 11:21:12 PM
Mobile apps rarely publish their installation files on sites and instead rely on the phone's store applications like Google Play. Metamask for Android, for example, doesn't have any releases on their GitHub page, only a guide on how to build it from source, which is not something a newbie would do, and potentially it's less secure than just getting the app from the app store.

Just use some common sense: if it's a popular app but the first search result leads to an app with only thousands of reviews, then it's probably a malicious copy. Carefully examine the results your app store gave you before installing any of them.


Title: Re: Which is the best to use now?
Post by: Drnice on January 31, 2022, 11:50:55 PM
Quote

In any mobile phone digital distribution service, whether App Store or Play Store, it's easy to tell a fake from the original. Check the reviews, the number of downloads and the developers, and check the link of the app using the "share" feature in the upper right; mostly the URL is simply written with its website, "play.google.com/.../?id=io.metamask", while fake ones have different characters in it. Also check whether the app website redirects to the same Play Store page.

Use adblockers on both mobile and desktop browsers. Firefox has lots of security features, mobile or desktop; just enable them and use "strict".
These are some good facts to observe and put into consideration. Though in my watch on downloading anything from Google play store, I don't miss the review and number of downloads. I don't download much with a PC, as I prefer the mobile phone as more friendly with mobility.

Quote

If you are a newbie in crypto, here are the first two websites you can use to search for projects and related links, exclusively links for websites. If you are careful, you can double-check the links given by them against links from search engines (Google, Bing, DuckDuckGo, etc.).
  • Coinmarketcap (https://coinmarketcap.com/)
  • Coingecko (https://www.coingecko.com/en)

The above are good first steps but not enough. In crypto, don't trust, verify. After you download a wallet, you must verify it. What is the purpose of the wallet verification step? To check and make sure the wallet you downloaded is real, not a phishing one. Don't trust a given link from any source; always verify it.

I have been using these two websites, mostly CMC for prices and some newly launched projects. I also use it to get the project's official website, and the exchange on which the project is listed. I think what I need to do is to be more observant than before.


Title: Re: Which is the best to use now?
Post by: 7deadlyBTCIN on February 01, 2022, 03:46:33 AM
This has been discussed a few times before. People really need to stop using the Play Store to search for wallets to download; you can easily install a fake one and lose your coins in the process. It's safer to always go through a project's website to download their wallet; if it's available on the Play Store you will be redirected there.


Title: Re: Which is the best to use now?
Post by: Mpamaegbu on February 01, 2022, 04:11:33 PM
I wouldn't touch anything that has to do with apps in Satoshi's name because instinct would tell me it's a scam. How will a man who doesn't want to be found now make apps in his name a decade later? It's pure scam but sadly people don't like having a second thought around stuff like that before downloading them.


Relatedly, this relaxed check by Google on apps that get into its Play Store is becoming worrisome. I use apps from playstore a lot and I'm saddened by the fact of the preponderance of scam apps there now. This will definitely cause Google to lose trust and patronage if it's not tackled and corrected quickly.


Title: Re: Which is the best to use now?
Post by: LoyceV on February 01, 2022, 04:23:04 PM
Quote
I wouldn't touch anything that has to do with apps in Satoshi's name because instinct would tell me it's a scam. How will a man who doesn't want to be found now make apps in his name a decade later? It's pure scam but sadly people don't like having a second thought around stuff like that before downloading them.
I always considered "SatoshiLabs" to be a tribute to Satoshi Nakamoto, I never got the impression they claim to be Satoshi.

Quote
I use apps from playstore a lot and I'm saddened by the fact of the preponderance of scam apps there now.
That's one of the reasons I install as few apps as possible, and give my phone access to as little data as possible. Even better: use a separate (old) phone for certain apps.

Quote
This will definitely cause Google to lose trust and patronage if it's not tackled and corrected quickly.
I don't think they care. Just like they don't remove phishing sites from their advertising when reported. As long as they earn from it they're not in a rush to clean it.


Title: Re: Which is the best to use now?
Post by: Mpamaegbu on February 01, 2022, 05:15:45 PM
Quote
~snipped~
I always considered "SatoshiLabs" to be a tribute to Satoshi Nakamoto, I never got the impression they claim to be Satoshi.
Well, it's obvious now that it wasn't their intention as a tribute to the noble one. It's just a gimmick to get unsuspecting public into their web of deceit.

Quote
That's one of the reasons I install as few apps as possible, and give my phone access to as little data as possible. Even better: use a separate (old) phone for certain apps.
I should embark on this as a matter of principle, going forward.


Title: Re: Which is the best to use now?
Post by: o_e_l_e_o on February 01, 2022, 08:07:47 PM
Quote
Though in my watch on downloading anything from Google play store, I don't miss the review and number of downloads.
Such things are almost meaningless. It is trivial (and not that expensive) to buy tens of thousands of fake downloads or fake reviews on any platform. You really should not be basing the security of your coins on which app has the most downloads.

Quote
Well, it's obvious now that it wasn't their intention as a tribute to the noble one. It's just a gimmick to get unsuspecting public into their web of deceit.
I mean, in general I would agree with you, but SatoshiLabs are the company behind the Trezor hardware wallet, who also wrote BIP39 and BIP44, which give us seed phrases and the structure of HD wallets respectively, and are used by almost every wallet in existence. They are not a shady company by any means. Just because some scammer has used their name to trick newbies into downloading their fake app, doesn't mean the real company are somehow implicated.


Title: Re: Which is the best to use now?
Post by: Odusko on February 01, 2022, 09:10:35 PM
Quote
I came across this post, How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776.0), in the forum, which brought a question to my heart: is it better to use the website to download any wallet or exchange application for Android (as it is a normal thing to use for desktop/laptops) or use the Google Play Store, which is now said to have some applications that hijack the clipboard and change the address to the hijacker's address, and when the transaction has been executed, nothing can be done to cancel the transaction (which is normal)?
 First Cryptocurrency Clipboard Hijacker Found on Google Play Store  (https://www.bleepingcomputer.com/news/security/first-cryptocurrency-clipboard-hijacker-found-on-google-play-store/)
A cloned MetaMask away from the original is now a victim from the Google play store.
It is said that
Quote
The first attack method the app used was to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. When BleepingComputer analyzed the app's APK file, we found that the app contains information that can be used to send this stolen data to a Telegram account.

How can we ignore this kind of hijacking/malware application, as it is now a threat to those who mostly use Android phones?

There are a lot of safe apps that we can use in order not to lose our wallets, apps like Coinbase - it is an Android app and it's very safe,
Spare - it helps bitcoin holders to turn their bitcoin to cash easily without entering a bank or using an ATM. You can also use cold wallets.
Cold wallets are not liable to the internet like hot wallets, because hot wallets are liable to cyberattacks. It's advisable to use cold wallets instead of hot wallets. And we should try not to download apps that can expose our devices to danger.