Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: minertalk on March 02, 2022, 12:24:27 AM



Title: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 12:24:27 AM
hello,


On 28 Feb 2022 I got hacked; 2.4 bitcoin got stolen from my Coinomi Android wallet.
It's an old Android 7 Samsung Galaxy S6 edge (no root).
In 2017-2019 I used the Coinomi wallet to store my bitcoin because it was simple and easy to use.
In summer 2019 I decided to use that phone only as "cold storage". I have the Coinomi app, Windscribe VPN and Google apps. I chose that because it was simple: once a month I power on the phone, do the update on Coinomi and the other apps, check the wallet and shut it down.
The Coinomi wallet did not have the BIP39 passphrase implemented at that time, but I secured the wallet with a password and with a PIN number, so that in case somebody had the phone it would be hard to unlock it.

At the end of February 2022 I updated the Coinomi wallet to version 1.25.2 build 430 core 220. All worked fine, the update was done, I checked the wallet and the bitcoin was there (I also chose the feature "Mark do-not-spend" so that in case somebody opened the wallet no amount was displayed), but today I checked the address of my wallet (I have it saved in Tor Browser to make it simple to check the UTXO) and I saw the coins were moved: https://oxt.me/transaction/812f73d94bc1eb029e72930427ea27bee4e668accaad4d3fc167a24f1de364a5 How can this happen, since nobody has access to the phone?
The seed was stored on paper, nobody saw it, plus I wrote the words in another order so only I can know the right order.

I'm sure something was wrong with the update; since it is not an open source wallet, nobody knows what that wallet can send out, but I think the wallet sent the seed out to somebody, because 3 and a half years passed and the seed was safe inside it; it only happened now, only after the update.



After 5 hops I saw the bitcoin was sent to a Binance exchange address: https://oxt.me/transaction/2984598d66601f7cf922f819b32da464733ec00bd5e71ce76ca6627fdc97e38f I do not have a Binance account, but I chatted with them on the live chat:

Greetings from Binance security team! We are very sorry to hear about your situation. Upon checking we have found that the funds are in Fixed Float wallet.
The funds appear in the blockchain to have been sent to Binance because Fixed Float is a Binance Broker, this means it is another company that has a wallet with Binance for its liquidity and order book. This broker has many users, so we don't know the exact end user who received your stolen funds, we only know the funds were transferred to the Fixed Float hot wallet.


I know FixedFloat is a no-KYC exchange owned by Russians, and many bitcoins come and go to the Hydra Market.





I talked on Telegram with the support guy named Angelo and via support ticket, but they say that the wallet is working perfectly, that they have been on the market since 2014 and that nobody has issues. Some years ago, I remember, a guy also lost funds from the Coinomi desktop wallet; there was a big fuss then, but nobody believed it, and neither did I, but now I think something is not OK.

My question is: how can somebody take the seed from the wallet if that wallet was shut down 95% of the time since summer 2019?

I was careful with the Coinomi app, always FORCE STOP, and only opened the app if the VPN was on.

For me it is very strange that my bitcoin was stolen after the update.
That update had something that read the seed and sent it out; I can't see any other explanation.

I just wanna share my experience. I do blame the guys that work on Coinomi; they always say the wallet is safe, nobody loses funds, it's impossible to be able to see your seed, but the app is not open source, so how can this be true?

Via support ticket they wrote me this:

After looking through the details given we can confirm the transaction was sent from a device where Coinomi was installed. However, due to the nature of cryptocurrency transactions we cannot say 'whom' made this transaction since we are a non-custodial wallet software which means we do not track any sort of user data.

Coinomi is one of the most widely known multicoin wallets and also one of the easiest to use. This means it is more likely than you think for someone to select to restore any seed into Coinomi.
Please could you tell me, do you access the app from the same IP all the time? Do you use a VPN?




FixedFloat reply via email:

We're sorry that you were subjected to theft of funds.

FixedFloat is an instant non-custodial exchanger. After the receipt of funds and the receipt of the required number of confirmations, the exchange takes place immediately.

We do not require any personal data for the exchange. We can only request a search of the server logs (IP, user-agent, language) from our technical specialists. But we need an official request from your regional police or other representative, from their official email address in order to issue confidential information.
After receiving an official request from law enforcement, we will be able to send server log data and order data.

Unfortunately, this is the maximum we can help in this situation.


I posted this story on Reddit and they closed the post. If I write in their Telegram group they tell me to stop because the wallet is good.

I think it was an inside job... or can somebody tell me how the hacker got the seed from a wallet that is powered off almost all the time?

One of the biggest losses of my life.

Here you can see how the hacker moved the bitcoin:

https://i.ibb.co/5szDzzL/1.jpg

https://i.ibb.co/HK90fHM/2.jpg
https://i.ibb.co/8gQDdJv/3.jpg
https://i.ibb.co/P6dH56n/4.jpg
https://i.ibb.co/Lx0DvDy/5.jpg

Binance support
https://i.ibb.co/M5m8qbz/b1.jpg

https://i.ibb.co/v3rYFNH/b2.jpg

And the wallet screenshots
https://i.ibb.co/gyPVLzg/Screenshot-20220302-005159.jpg
https://i.ibb.co/pWB3tTK/Screenshot-20220302-005357.jpg




Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Beparanf on March 02, 2022, 12:36:18 AM
Did you already run an audit on your phone to look for potential malware? There are a lot of people with the same issue as you with Coinomi, especially wallets with a huge amount of Bitcoin that sat dormant in their wallet, but since Coinomi is a non-custodial wallet, it's very hard to accuse them of stealing your money since you are the one holding your private key. Just follow their suggestion to report this to law enforcement so that they can easily request files from the company that received your Bitcoin.

Invest in a hardware wallet like Trezor and Ledger next time if you are holding a huge amount of Bitcoin in a non-open-source wallet. Sorry for your loss, mate.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 12:49:40 AM
Did you already run an audit on your phone to look for potential malware? There are a lot of people with the same issue as you with Coinomi, especially wallets with a huge amount of Bitcoin that sat dormant in their wallet, but since Coinomi is a non-custodial wallet, it's very hard to accuse them of stealing your money since you are the one holding your private key. Just follow their suggestion to report this to law enforcement so that they can easily request files from the company that received your Bitcoin.

Invest in a hardware wallet like Trezor and Ledger next time if you are holding a huge amount of Bitcoin in a non-open-source wallet. Sorry for your loss, mate.


Law enforcement doesn't work where I am from, in Eastern Europe.

I don't accuse them of stealing, but something is shady.

The bitcoin was moved after the update; for ~3 years all was fine. If somebody had the seed, then they would have taken it at the time when they got it, not after some time.
This happened after the update; somehow the seed was sent out from the wallet.


I scanned the phone with Malwarebytes: no issues.

https://i.ibb.co/8PH0g07/malware.jpg

I do have a Ledger, but now I don't have coins to put on it.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Sarah Azhari on March 02, 2022, 04:09:33 AM

I was careful with the Coinomi app, always FORCE STOP, and only opened the app if the VPN was on.

Maybe this. I never believe a VPN because they can access our handphone and internet traffic to keep your data. You also have to ask the VPN provider, and let me know, what VPN do you use?


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 05:08:24 AM

I was careful with the Coinomi app, always FORCE STOP, and only opened the app if the VPN was on.

Maybe this. I never believe a VPN because they can access our handphone and internet traffic to keep your data. You also have to ask the VPN provider, and let me know, what VPN do you use?

Windscribe.com is the VPN I use.
They do see the traffic of my account, but how can they enter the wallet and see the seed?
The seed is AES256 encrypted, as Coinomi said.
https://i.ibb.co/LrcRWnW/coin.jpg


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Beparanf on March 02, 2022, 05:25:03 AM

I scanned the phone with Malwarebytes: no issues.

I do have a Ledger, but now I don't have coins to put on it.

I totally understand your point since the fund was safe for over 3 years of being dormant. If you are sure that you didn't browse any malicious website before the hacking event, then the Coinomi system has some bug in their update, which we can't verify since they are not open source. The best thing to do is to gather all the complainants in different forums and social media outlets to raise concern to Coinomi. The way they are using their company as an answer to your complaint is a bit shady to me. They should give you a technical investigation report to prove that their system has no bug for a potential leak of data.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: pooya87 on March 02, 2022, 05:32:07 AM
The seed is AES256 encrypted as coinomi said
Since Coinomi is closed source, shady and has a history of doing very insecure things such as sending your seed phrase to a remote server, we can not know what actually happened or whether your seed is correctly encrypted with AES256. Their implementation could be flawed which could allow decrypting the file easily by exploiting it. Or maybe they are sending your seed out to a remote server again that was stolen on its way out!


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: mk4 on March 02, 2022, 05:38:15 AM
Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 08:12:03 AM
Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.

in 2017-2018 when I stas that bitcoin was not a big deal.. I DCA each month..bitcoin was under 10k
I keep it there because I think was safe..and it was till the shit happen.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 08:18:06 AM

I scanned the phone with Malwarebytes: no issues.

I do have a Ledger, but now I don't have coins to put on it.

I totally understand your point since the fund was safe for over 3 years of being dormant. If you are sure that you didn't browse any malicious website before the hacking event, then the Coinomi system has some bug in their update, which we can't verify since they are not open source. The best thing to do is to gather all the complainants in different forums and social media outlets to raise concern to Coinomi. The way they are using their company as an answer to your complaint is a bit shady to me. They should give you a technical investigation report to prove that their system has no bug for a potential leak of data.

This is what I am trying to do... just tell what happened to me.

To open the wallet a PIN is needed, and before sending a transaction there is a password that needs to be input; the hacker somehow bypassed all those... I conclude that the wallet sent the seed out to those who made the upgrade.




Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: mk4 on March 02, 2022, 08:32:14 AM
in 2017-2018 when I stas that bitcoin was not a big deal.. I DCA each month..bitcoin was under 10k
I keep it there because I think was safe..and it was till the shit happen.

So your 2.4 BTC was worth like 24k back then because bitcoin was cheaper. But then, I assume you invested your money because you think bitcoin was going to be more expensive in the future? And then it actually did. You should've taken a lot of extra safety precautions.

But yea, what's done is done. Hopefully you've learned your hard lesson mate; make sure it doesn't happen again in the future if it's the case that you want to invest again. Lots more future opportunities so don't bring yourself down too much on this. Best of luck!

Also, probably read about wallets: https://cryptosec.info/wallets


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: crwth on March 02, 2022, 09:10:45 AM
Better to invest in something more secure, like what mk4 has said; having a hardware wallet would be the best decision you'll make when you invest in the cryptocurrency world.

Thanks for sharing this OP; I was pretty comfortable knowing that air-gapped phones are safe, but I'm not so sure now. It's hard when you do updates. It might have become the entry point of hackers etc. I hope somehow you can recover some of it or something.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: NeuroticFish on March 02, 2022, 09:16:46 AM
I was pretty comfortable knowing that air-gapped phones are safe, but I'm not so sure now. It's hard when you do updates. It might have become the entry point of hackers etc.

The point of cold storage is to never ever go online. This also means no more updates.
So airgapped cold storage going online for updates is a total mistake and a complete misunderstanding on how cold wallets should work.


I remember another hacked user some time ago claiming that he was having a cold wallet which he used to go online only for short time when making transactions.
This case is not much different.

As soon as the cold storage is online, it's hot wallet and no longer cold wallet, never ever.

It needs only a millisecond of being online to get all the funds lost, especially if certain malware was operating there for a long time before and nobody knew. In the (milli)second it went online it could "call home" and expose private keys, seed, or even transfer the funds away (but the hacker can transfer the funds himself later after receiving the seed or private key).


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Lucius on March 02, 2022, 03:06:35 PM
The only way you can find out what happened is to have very professional people inspect your phone, but such things are very expensive and I don't believe you could afford the extra cost after all.

By analyzing the things you did on the phone, maybe we can go in the direction that during the update Coinomi picked up some malware/keylogger that took advantage of a flaw in your relatively outdated OS and remotely emptied your wallet, and you only realized it when you reopened it. Yet you may have shared the fate of those who also claim to be victims of the senseless business policies that Coinomi has (or had). If you had at least been aware of it before, you might have acted differently.

Coinomi multi-asset wallet poor implementation leads to sharing your plain-text passphrase with a third-party server. My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed... To understand how catastrophic the security issue is, they simply take your crypto-currency wallet’s passphrases/seeds and spell check it by sending it remotely to Google servers in clear plain text!


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 02, 2022, 03:36:28 PM
Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercepted and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: sobeyharker on March 02, 2022, 04:08:53 PM
Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercepted and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.


Registered just to correct something here. That statement about Windscribe isn't correct and is dated. Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted. The comment by Yegor explains it in detail in that article you linked. Windscribe is a paid VPN service with free plan option.

Either way that sucks for OP. You must be going through a lot of emotional distress right now. You need to clean those devices and move services. If you don't trust Windscribe then look at these they recommended: https://blog.windscribe.com/how-to-pick-a-good-vpn/

All of them in that list are top-tier.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: zasad@ on March 02, 2022, 04:23:34 PM
This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use it through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: bitmover on March 02, 2022, 04:33:05 PM
hello,


On 28 Feb 2022 I got hacked; 2.4 bitcoin got stolen from my Coinomi Android wallet.
It's an old Android 7 Samsung Galaxy S6 edge (no root).
In 2017-2019 I used the Coinomi wallet to store my bitcoin because it was simple and easy to use.
In summer 2019 I decided to use that phone only as "cold storage". I have the Coinomi app, Windscribe VPN and Google apps. I chose that because it was simple: once a month I power on the phone, do the update on Coinomi and the other apps, check the wallet and shut it down.
The Coinomi wallet did not have the BIP39 passphrase implemented at that time, but I secured the wallet with a password and with a PIN number, so that in case somebody had the phone it would be hard to unlock it.

At the end of February 2022 I updated the Coinomi wallet to version 1.25.2 build 430 core 220. All worked fine, the update was done, I checked the wallet and the bitcoin was there (I also chose the feature "Mark do-not-spend" so that in case somebody opened the wallet no amount was displayed), but today I checked the address of my wallet (I have it saved in Tor Browser to make it simple to check the UTXO) and I saw the coins were moved: https://oxt.me/transaction/812f73d94bc1eb029e72930427ea27bee4e668accaad4d3fc167a24f1de364a5 How can this happen, since nobody has access to the phone?
The seed was stored on paper, nobody saw it, plus I wrote the words in another order so only I can know the right order.

I'm sure something was wrong with the update; since it is not an open source wallet, nobody knows what that wallet can send out, but I think the wallet sent the seed out to somebody, because 3 and a half years passed and the seed was safe inside it; it only happened now, only after the update.


There are many misconceptions here, and a little research could have saved your money.

First of all, a VPN does not increase security, but a bad VPN might even be bad for it, as o_e_l_e_o pointed out. Additionally, this is more than enough money to just buy a hardware wallet (less than 50 USD), which was designed to secure your coins.

A cold wallet is just a wallet which never connects to the internet.

You never had a cold wallet. Once your wallet was created using Coinomi, that seed was already exposed to an online environment. Installing it on a new phone, downloading a VPN, etc. just reduced its security.

The correct procedure would be to buy a hardware wallet (or create a paper wallet, but you lack the knowledge for that) and then transfer your funds from Coinomi to that new wallet.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: pawanjain on March 02, 2022, 05:06:05 PM
Oh my god, now that's something we don't get to read every day. OP, are you sure you updated the wallet from a genuine source?
You should always update your apps only from the Play Store/App Store and I hope you did the same.
But in that case how can one possibly hack your coins? Are you sure you didn't visit any malicious website through your phone?

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use it through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.

Now I am a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium, which is an open source wallet for storing bitcoin, and Exodus for altcoins, which is partially open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: zasad@ on March 02, 2022, 05:12:38 PM
Oh my god, now that's something we don't get to read every day. OP, are you sure you updated the wallet from a genuine source?
You should always update your apps only from the Play Store/App Store and I hope you did the same.
But in that case how can one possibly hack your coins? Are you sure you didn't visit any malicious website through your phone?

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use it through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.

Now I am a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium, which is an open source wallet for storing bitcoin, and Exodus for altcoins, which is partially open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.
If you have several thousand dollars in your wallet and you constantly trade from your mobile phone wallet, but I would not keep more than 10,000 dollars in a mobile wallet.
If you store coins, then you can use the Ledger or Trezor, and if you like trading, then read about SafePal. You will get the opportunity to trade without KYC on binance.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 02, 2022, 06:16:06 PM
Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercepted and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.


Registered just to correct something here. That statement about Windscribe isn't correct and is dated. Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted. The comment by Yegor explains it in detail in that article you linked. Windscribe is a paid VPN service with free plan option.

Either way that sucks for OP. You must be going through a lot of emotional distress right now. You need to clean those devices and move services. If you don't trust Windscribe then look at these they recommended: https://blog.windscribe.com/how-to-pick-a-good-vpn/

All of them in that list are top-tier.


I trust Windscribe, I have used it since 2017, free account but I mine and my limit is 50 GB per month, more than enough; on the phone I have an account without email with 2 GB traffic/month.
I don't think the VPN is the problem... if they hacked my phone they had lots of opportunity since 2019, because Coinomi had enough updates in the last year.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: DaveF on March 02, 2022, 08:55:04 PM
I have always used the theory that the coins on your phone should never be worth more than your phone.
But that's just me.
I use Coinomi on my phone to store a bunch of alts that I have accumulated over the years. Since my phone is older and worth less, and overall crypto is up in the last couple of days I am in violation of that but it's still under a couple of hundred dollars.

And as others have pointed out you are on an old phone with known vulnerabilities that were never fixed.

https://www.firstpost.com/tech/news-analysis/google-finds-11-vulnerabilities-in-the-samsung-galaxy-s6-edge-eight-fixed-3673083.html
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=galaxy

They, and it's not just Samsung, it's all phone makers, just let the old hardware sit forever with known issues because they just don't care.

-Dave


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: vapourminer on March 03, 2022, 01:52:13 AM
Now I am a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium, which is an open source wallet for storing bitcoin, and Exodus for altcoins, which is partially open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.

i wouldnt store any significant amount on a phone.

that being said ive used mycelium for years on my daily driver android phones that are on 24/7 (and that are always fully patched and running the latest OS that are supported) and never had a problem, but its just very small amounts of btc and im fully prepared to lose it at any time due to whatever reason (hacks/stolen/wallet goes bad/whatever).

hardware wallets for the win. paper is good but only use them if you know what youre doing.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Sir Legend on March 03, 2022, 02:46:42 AM
Hacked is a serious problem in cryptocurrencies, cases of hacked private keys, hacked accounts on exchanges and many more make us to be alert, few days ago my Google metamask was also hacked and made me lose around $500 and the best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Brenny_Coinomi on March 03, 2022, 09:42:20 AM
Hi there. As we and others have explained here, each and every transaction from the app requires confirmation of your password before being sent (your private keys are kept encrypted at all times with the password, so even if the app wanted, it would not be able to decrypt the keys without the password).

Unauthorized transactions can only be made by a) someone who has access to your seed phrase, or b) someone with access to your device and knows your password. There is no other way. We occasionally receive news of users having their email accounts hacked, giving attackers access to their seed backup files kept on their email or other cloud service. Please review your seed backup security, try to remember if you ever entered your seed on any other wallet, website, form, notes tool, etc; or check if anyone could have accessed the app on your device and knows your password.

One thing which concerns us the most is the use of the VPN on a device you claim is "connected to the network once a month to update" and is only used for coinomi. This does not ring true with the evidence you posted here, it shows you have 300+ applications on your device which would suggest some daily use on this device. With this many apps it is becoming increasingly likely that one or more of those apps are possibly stealing data from your device or logging some of your activity. This coupled with the age of your device OS is a huge cause for concern.

We highly recommend you file a report with your local police/cyber crime unit so they can begin the task of reaching out to exchanges and centralised services in the hopes of blacklisting the funds for you whilst investigation takes place.

Kind regards.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 03, 2022, 09:44:43 AM
Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted.
The fact remains it shouldn't have happened at all. They were running outdated software, they left some servers unencrypted, they stored private keys on those unencrypted servers. There were a number of pretty basic mistakes that all had to be made to lead to this situation.

I don't trust free VPNs as a rule of thumb. Combine this with the fact that Windscribe have only very recently open sourced their desktop application and their mobile and router applications remain closed source, and they have never been subjected to an independent audit (please correct me if I'm wrong), means I would not use them and would not recommend them. I'd be happy to reconsider my position in the future if and when these issues are addressed.

best thing is to create a wallet, then we write the private key manually on paper, make sure there is no internet connection, then we take a photo and save the data.
Don't do this. As soon as you take a photo of your seed phrase, then you have opened it up to compromise. Your seed phrase should be written down on paper only, not stored electronically.

With this many apps it is becoming increasingly likely that one or more of those apps are possibly stealing data from your device or logging some of your activity.
Guess we'll never know since most of them will be closed source, just like your wallet.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Brenny_Coinomi on March 03, 2022, 10:09:41 AM
Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

This comment is complete FUD. There was an incident in 2019 with our initial DESKTOP beta release only (so irrelevant to this case) which was fixed and there is a report to confirm this as not a cause for any user to have lost funds: https:/[Suspicious link removed]/VZQAotXNrJ

We are reviewing our decision to be closed source and hope we can move to an open source model in the near future. That being said, open source does not mean 'safe'; it just means the code can be verified and compiled from source. We are open to any official request to review and verify our source code by reputable code reviewers.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Brenny_Coinomi on March 03, 2022, 10:22:03 AM
The seed is AES256 encrypted as coinomi said
Since Coinomi is closed source, shady and has a history of doing very insecure things such as sending your seed phrase to a remote server, we can not know what actually happened or whether your seed is correctly encrypted with AES256. Their implementation could be flawed which could allow decrypting the file easily by exploiting it. Or maybe they are sending your seed out to a remote server again that was stolen on its way out!

Given the number of users we have we would expect thousands of users to come forward with the same issue after this update if that was the case. We are more than happy to respond to any official request to review our source code by reputable companies. We are also reviewing our decision to be closed source with the preferred outcome to be open source again.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: bitmover on March 03, 2022, 11:28:13 AM
Given the number of users we have we would expect thousands of users to come forward with the same issue after this update if that was the case. We are more than happy to respond to any official request to review our source code by reputable companies. We are also reviewing our decision to be closed source with the preferred outcome to be open source again.

I am happy to see you are reviewing your closed source policy.

Coinomi was the second wallet I ever used, since 2017, and I still use it today. It is a wallet that serves my needs on my mobile device.

IMO, a mobile wallet is always unsafe and I agree with DaveF, no one should keep coins that are worth more than the mobile device in a mobile wallet.

I will add one more suggestion to Coinomi: Make it hardware wallet compatible, like electrum/metamask/etc

If your wallet becomes open source and hardware wallet compatible, it will make your wallet one of the best in the market.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Kakmakr on March 03, 2022, 11:32:30 AM
I hope you learnt some valuable lesson here ...

1. Use services that use OpenSource software that are Peer reviewed by independent developers. (They cannot hide backdoors)
2. Do not use FREE VPN's with unencrypted data
3. DO NOT use old phones with outdated software
4. Store large amounts of coins on hardware wallets (They are not expensive)
5. Do not store all coins on one platform or device (A single hack can clean you out)

I have to say one thing.... You did a lot of research and you were able to track the coins ....many people cannot even do that.  ;)


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: poldanmig on March 03, 2022, 12:20:34 PM
I think what happened to the OP is no different from what happened to a coinomi user in 2019. A user named Warith Al Maawali has claimed that he lost nearly $60 thousand in assets due to a bug that occurred in coinomi, thus causing the user key or passwords to be read in plain text and leaked to other parties so that they are easily accessed by third parties. I think coinomi might again need to review their current server security and if it does have a bug it's better to fix it immediately so that trust from users in coinomi can be high again.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 03, 2022, 01:01:06 PM
There was an incident in 2019 with our initial DESKTOP beta release only (so irrelevant to this case) which was fixed and there is a report to confirm this as not a cause for any user to have lost funds
We'll all just have to take your word on that, since your software is all closed source and we have absolutely no idea what it is doing with seed phrases. And if you are so sure that no user could possibly have lost funds via this method, then why did you tell everyone who might have been affected at the time to create a new wallet and send their funds to it? And how could you possibly say that seed phrases sent to Google definitely did not result in the loss of funds? Did Google let you audit their systems?

We are open to any official request to review and verify our source code by reputable code reviewers.
Plenty of people on this forum would love to take a look at your code. Please share some links.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: willoweb on March 03, 2022, 02:49:03 PM
I express my deepest sympathy to you. It's very unfortunate that this happened to you, especially when the price of bitcoin is so high that you can really get depressed because of this event. But I'll tell you what - many people, for their own reasons, often threw away their old computers and laptops and then realized that there was a fortune left in bitcoins. I think that you should not think about it a lot - you need to live on and get the most out of your situation. Thanks for sharing your story.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: pawanjain on March 03, 2022, 03:31:33 PM
If you have several thousand dollars in your wallet and you constantly trade from your mobile phone wallet, but I would not keep more than 10,000 dollars in a mobile wallet.
If you store coins, then you can use the Ledger or Trezor, and if you like trading, then read about SafePal. You will get the opportunity to trade without KYC on binance.

I don't trade much and even I do, I use binance for that purpose and have some balance left in the exchange for trading.
Although the amount is not more than $10,000 all the amount that I hold in the smartphone wallet is for long term.
I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.
For monitoring the balance I will just look it up on the explorer.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: suzanne5223 on March 03, 2022, 03:49:54 PM
The Op makes a big mistake because mobile wallets are never going for long-term holding and most wallet providers may not tell you this but it's the truth. According to the research conducted by the Computer Science and Engineering - Michigan State University.
It shows that mobile wallets are deemed to face a lot of security threats of

(1) Deanonymize of user real identities, Bitcoin addresses, and transactions,
(2) Introduce continuous unwanted Bitcoin spamming traffic towards victims,
(3) Launch Bitcoin fraud attacks to take advantage of Bitcoin wallet users.
You'll find the pdf file here (https://www.cse.msu.edu/~xietian1/paper/Hu-Codaspy21.pdf)

Hacking is a serious problem in cryptocurrencies. Cases of hacked private keys, hacked accounts on exchanges and many more make us stay alert. A few days ago my Google metamask was also hacked and made me lose around $500, and the best thing is to create a wallet, then we write the private key manually on paper, make sure there is no internet connection, then we take a photo and save the data.
It is just like the saying "there's no smoke without fire". What you just said now is another human error that will lead to a wallet hack and I believe this is one of the reasons why your Metamask wallet was hacked.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: virasog on March 03, 2022, 04:35:04 PM
Do you already run an audit on your phone to look for a potential malware? There’s a lot of same issue like you with Coinomi especially wallet with huge amount of Bitcoin that dormant on their wallet but since Coinomi is a non-custodial wallet, it's very hard to accuse them of stealing your money since you are the one holding your private key. Just follow their suggestion to report this to law enforcement so that they can easily request files from the company that received your Bitcoin.

Invest in a hardware wallet like Trezor and Ledger next time if you are holding a huge amount of Bitcoin in a non-open-source wallet. Sorry for your loss mate.

This is a strange incident and I am really worried that if this could happen with Coinomi wallet, then other non-custodial wallets are also not safe?
Which non-custodial wallet is best for saving the bitcoins other than the hardware wallet?

Also do you think that it is a flaw in the Coinomi wallet or was it something related to any malware/virus in the phone which caused this hack ?


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: lixer on March 03, 2022, 07:42:44 PM
Hacking is a serious problem in cryptocurrencies. Cases of hacked private keys, hacked accounts on exchanges and many more make us stay alert. A few days ago my Google metamask was also hacked and made me lose around $500, and the best thing is to create a wallet, then we write the private key manually on paper, make sure there is no internet connection, then we take a photo and save the data.
Wait, private key? The one which is composed of long characters? But they are too much for you to write manually, and what if you missed one letter or you didn't capitalize some of them? But you're going to take a photo of it anyway, though taking a photo or a screenshot of our private keys is also not recommended because someone can browse your gallery.

You have been hacked because maybe you have clicked on the random links which promise you to earn some money or maybe you are going to use a known website but you didn't check its url and you got phished. Storing your keys in an offline environment is much safer though.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: crwth on March 04, 2022, 03:45:52 AM
The point of cold storage is to never ever go online. This also means no more updates.
Isn't it applicable to air-gapped laptops that you can update offline? Like, download it into a flash drive then just update the software? I was thinking of the same thing when it comes to air-gapped phones. So updates don't necessarily mean connecting online.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: BitcoinBarrel on March 04, 2022, 04:58:32 AM
Good lesson for others not to use your phone as cold storage. Paper Wallets (private key written down) are the way to go.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: NeuroticFish on March 04, 2022, 09:30:45 AM
The point of cold storage is to never ever go online. This also means no more updates.
Isn't it applicable to air-gapped laptops that you can update offline? Like, download it into a flash drive then just update the software? I was thinking of the same thing when it comes to air-gapped phones. So updates don't necessarily mean connecting online.

Updates usually happen online. I don't know if not rooted smartphones can be updated offline at all. So I find your case rather unlikely. Not wrong, but rather unlikely to be used.

Also, I don't see why would update be needed at all. If that's a cold storage, you most probably don't use it for anything else. Since it's offline, newer/safer versions of whatever are not needed.
Imho the only case an update would be needed is that the wallet software made a significant leap and the older transaction files no longer work.

And in such a case (you want to update anything) my advice is wipe the disk (not just reformat), reinstall everything fresh, go offline for good, then restore wallet from seed.
And this won't work with a smartphone-as-cold-storage since "reset to defaults" simply cannot be trusted it will properly clean, hence it's a risk. So for this case some cumbersome solution is needed, probably consisting in a separate safe cold storage and 2x fund transfers for the update to be done properly. And yes, this means the initial cold storage is considered compromised (again, this is only in case of smartphone).


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 04, 2022, 09:35:09 AM
I scanned my phone with 4 antivirus apps, no viruses at all

https://i.ibb.co/hHQQy3M/antivirus-4.jpg
https://i.ibb.co/Swj1JtW/antivirus-3.jpg
https://i.ibb.co/hMJZ328/antivirus-2b.jpg
https://i.ibb.co/BTBkYjv/antivirus-1.jpg


with "no root firewall" app  I check where coinomi connect, on which ip's.

https://i.ibb.co/jDW0RJs/coinomi-connect-ips-a.jpg

The IP https://whatismyipaddress.com/ip/188.144.96.7 looks kinda strange

PS: one of the coinomi moderators from reddit asked me to remove the IP address from the comment!


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: btcjoe99 on March 04, 2022, 09:42:20 AM
The funds have moved to Binance is a bit of a claim.
yes, one part of the funds have gone eventually to this wallet https://glasschain.org/btc/wallet/111462198
and from there have been moved to binance. However, this wallet was used way before your coins were stolen and much more bitcoin has been moved to binance.

It doesn't mean this wallet owner is the thief. It can be that he just sold something to someone and actually in this case, it can be likely as again, this wallet had other coins in it for years. Btw this can be true before for the hopping. Yes it looks like hopping but you just never know.
In this case though I would say it was just "hopping". which i still don't understand why users do that?

Is there any benefit from hopping? I can't see how this would help to disguise stolen funds. Please someone educate me.



Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: minertalk on March 04, 2022, 04:59:16 PM
The funds have moved to Binance is a bit of a claim.
yes, one part of the funds have gone eventually to this wallet https://glasschain.org/btc/wallet/111462198
and from there have been moved to binance. However, this wallet was used way before your coins were stolen and much more bitcoin has been moved to binance.

It doesn't mean this wallet owner is the thief. It can be that he just sold something to someone and actually in this case, it can be likely as again, this wallet had other coins in it for years. Btw this can be true before for the hopping. Yes it looks like hopping but you just never know.
In this case though I would say it was just "hopping". which i still don't understand why users do that?

Is there any benefit from hopping? I can't see how this would help to disguise stolen funds. Please someone educate me.



I contact binance on the chat and they said:


Greetings from Binance security team! We are very sorry to hear about your situation. Upon checking we have found that the funds are in Fixed Float wallet.
The funds appear in the blockchain to have been sent to Binance because Fixed Float is a Binance Broker, this means it is another company that has a wallet with Binance for its liquidity and order book. This broker has many users, so we don't know the exact end user who received your stolen funds, we only know the funds were transferred to the Fixed Float hot wallet.


I know fixedfloat is a no-KYC exchange owned by Russians and many bitcoins come and go to the Hydra Market.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: DeathAngel on March 04, 2022, 07:53:20 PM
Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.

^^
This

Or at the very least, an encrypted wallet.dat
OP I am sorry for your loss, I hate reading these kind of things but you could have avoided this with better security practises.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Odusko on March 04, 2022, 11:41:50 PM
There is a high possibility of an inside hack from the wallet source as the update may have been built with bugs that allow access to users' wallet security key or phrase, going by ops explanation haven't stored the Bitcoin on that wallet for over three years and losing it shortly after an update of the app is an obvious cause. You need to report this issue to the appropriate security for proper investigation and possible action to prevent future occurrences of similar hacking.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Jeralhong on March 05, 2022, 07:32:26 AM
Coin is hard to recover, Buy a lesson. You can't use this wallet to save money. The more functions, the lower the security performance, This is common sense.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 05, 2022, 11:04:51 AM
I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.
Note that that doesn't really make your coins any safer. The seed phrase was already generated in a hot wallet and has been stored on a device with internet access for a period of time. Deleting the wallet app might also not actually delete the wallet file or other data, and it certainly won't overwrite those sectors of your phone's storage. If you want your coins in an offline wallet with the seed phrase only stored on paper, then you need to create the seed phrase and wallet using an airgapped device in the first place.

This is a strange incident and I am really worried that if this could happen with Coinomi wallet, then other non-custodial wallets are also not safe?
No wallet can guarantee 100% safety, and every wallet will only be as safe as the person using it. However, any open source software which is extensively and continuously examined by thousands of people, such as Bitcoin Core or Electrum, is likely going to be far more secure than some closed source wallet like Coinomi which makes basic errors such as sending your seed phrase to third parties and not encrypting its communications.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: pawanjain on March 05, 2022, 01:00:59 PM
I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.
Note that that doesn't really make your coins any safer. The seed phrase was already generated in a hot wallet and has been stored on a device with internet access for a period of time. Deleting the wallet app might also not actually delete the wallet file or other data, and it certainly won't overwrite those sectors of your phone's storage. If you want your coins in an offline wallet with the seed phrase only stored on paper, then you need to create the seed phrase and wallet using an airgapped device in the first place.


Yeah I agree with you. But don't you think Mycelium and Exodus are relatively safer than other smartphone wallets?
Also, the smartphone is going to stay with me forever. Now since I have deleted the apps I will be completely wiping the data by doing a factory reset.
I guess that will lower the risks when compared to its previous state.

Wanted to ask you one thing. Even if we buy a hardware wallet from the ledger nano or trezor official website, how can we be sure that the device is not compromised on its way to the customer?


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 05, 2022, 02:51:04 PM
But don't you think Mycelium and Exodus are relatively safer than other smartphone wallets?
Exodus is also closed source, so no, another poor choice. Mycelium may be "relatively" safer, as you say, but all hot wallets are inherently more risky than cold wallet or hardware wallet alternatives.

Even if we buy a hardware wallet from the ledger nano or trezor official website, how can we be sure that the device is not compromised on its way to the customer?
Each hardware wallet has their own way of verifying that it has not been tampered with, from tamper-proof packaging to cryptographically secure handshakes with the manufacturer's servers. It all depends on which hardware wallet you have purchased.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: DaveF on March 05, 2022, 03:02:57 PM
...
3. DO NOT use old phones with outdated software
...

I'm going to take this a step further and go with, don't use phones that have a ton of manufacturer bloat and customization on them.
It's just too easy for bugs to be found years after support from Samsung / Motorola / Nokia / whoever has ended.

Stock basic Android is just that, there will be vulnerabilities found over the years after support has ended. But, they will probably not be as big a show stopper as all the added manufacturer and carrier bloat.

https://eprint.iacr.org/2022/208.pdf

-Dave


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 05, 2022, 09:17:11 PM
I'm going to take this a step further and go with, don't use phones that have a ton of manufacturer bloat and customization on them.
Just don't use mobile wallets for amounts you are not willing to lose.

Are you comfortable carrying around $50-100 in cash in your wallet? Yes? Then you should be comfortable carrying around 0.001 - 0.002 BTC in your mobile wallet.
Are you comfortable carrying around $10,000 in cash in your wallet? No? Then why are you carrying around 0.25 BTC in your mobile wallet?

I use an open source mobile wallet several times a week. How else am I going to spend bitcoin when out and about? They are a necessity. But I also don't store my entire stash in one, just like I don't carry around all the fiat I own in my pocket at all times, which would be plainly moronic. Put your funds in cold storage, and transfer small amounts to your mobile wallet as and when required.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: DaveF on March 06, 2022, 12:58:34 PM
I'm going to take this a step further and go with, don't use phones that have a ton of manufacturer bloat and customization on them.
Just don't use mobile wallets for amounts you are not willing to lose.

Are you comfortable carrying around $50-100 in cash in your wallet? Yes? Then you should be comfortable carrying around 0.001 - 0.002 BTC in your mobile wallet.
Are you comfortable carrying around $10,000 in cash in your wallet? No? Then why are you carrying around 0.25 BTC in your mobile wallet?

I use an open source mobile wallet several times a week. How else am I going to spend bitcoin when out and about? They are a necessity. But I also don't store my entire stash in one, just like I don't carry around all the fiat I own in my pocket at all times, which would be plainly moronic. Put your funds in cold storage, and transfer small amounts to your mobile wallet as and when required.

No, it's not just BTC; using older phones with all the bloat leaves you with tons of other security issues too.
Password leaks, PII being sent who knows where, etc.

-Dave


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: Odusko on March 06, 2022, 01:15:35 PM
Hack and phishing attack is one of the attacks that we need to protect ourselves against be careful on the site you visit as per time if you receive any link make sure to check before you click on them, coinomi is an open-source wallet that guarantees some level of security unless someone has access to your private key and have used it to gain access to the wallet.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: o_e_l_e_o on March 06, 2022, 01:55:27 PM
coinomi is an open-source wallet that guarantees some level of security
Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: BitcoinsGreat on March 06, 2022, 02:24:21 PM
coinomi is an open-source wallet that guarantees some level of security
Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.

In a nutshell, if coinomi wallet is used properly and in a secure manner, it is still vulnerable and we can lose our funds? If you can give a short summary on this, it will really help because I do have coinomi wallet in my phone with little funds.  :(
 


Title: Re: I get hacked, 2.4 bitcoin stolen from coinomi wallet
Post by: DaveF on March 06, 2022, 02:31:08 PM
coinomi is an open-source wallet that guarantees some level of security
Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.

In a nutshell, if coinomi wallet is used properly and in a secure manner, it is still vulnerable and we can lose our funds? If you can give a short summary on this, it will really help because I do have coinomi wallet in my phone with little funds.  :(
 

Short Version:

coinomi is closed source so there is no way to know what it is doing in the background
Their desktop version also had a major whoops at one point in time and was sending your seed phrase out to google to be spell checked

Long version, no matter what people tell you phone wallets are vulnerable. Some more than others, but in the end you are reliant on the security of Android or iOS to be safe.

Both have had many many issues over the years and are still shown to be vulnerable to attacks.

Android is a bit worse in some ways since it allows for phone manufacturers to put whatever they want on it, better in other ways since you as the user have a lot more control in what the phone has on it.  iOS is a bit more locked down, but Apple has had their share of security issues over the years and for the most part deny it's a problem till they are forced to fix it.

So in the end they both suck.

Don't store more on your phone than you are prepared to lose.
Or as I said above, as a rule that works for me, I don't store more on my phone than the phone itself is worth.

-Dave