Hackers steal $8 million from users running trojanized BitKeep apps

[PawGo]

Anyone using BitKeep?

Multiple BitKeep crypto wallet users reported that their wallets were emptied during Christmas after hackers triggered transactions that didn't require verification. Company confirmed the problem and linked it to 'unofficial' version of program:

Dear BitKeep users, after preliminary investigation by the team, it is suspected that some APK package downloads have been hijacked by hackers and installed with code implanted by hackers. If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked.
Now for the safety of user funds, if you downloaded the APK version, please transfer the funds to the wallet downloaded from another official store (App Store or Google Play). In addition, it is recommended to use the newly created wallet address, the address you created through apk may be leaked to hackers.

Anyway - whatever you use, always make some effort to ensure you use the original program, not a hacked copy!

More read: https://www.bleepingcomputer.com/news/security/hackers-steal-8-million-from-users-running-trojanized-bitkeep-apps/

[1715588794]

1715588794

[Husires]

Anyway - whatever you use, always make some effort to ensure you use the original program, not a hacked copy!

Shouldn't the download be verified? If you want to download an APK program, especially since most phones ask you when you want to download any app outside Google play, then you will be more careful.
Or them PGP private key has been hacked.

UPDATE: I visited their site and there doesn't seem to be an option to verify signature.
They have this code https://github.com/bitkeepwallet/download which looks an empty Github URL.

[DaveF]

Something looks off.
They had / have their apps in the app & play store and their github is more or less empty.
So either their github credentials were leaked / hacked and people downloading from there got hit or there were some other links posted someplace else.

However, looking at all their repositories nothing has been updated for a while, but I don't know if the dates revert if you report and incident to github.

-Dave

[so98nn]

What does it mean by “transactions not requiring verification” ? This is crazy, and as normal user or non technical person I’m not sure how to keep my funds secure if there are trojans like these which are able to extract the transactions just like that?

Wow, they are actually developing good trojans but it seems Wallet or App makers are not really making any progress with the security huh?

So how does it work, developers focus more on security breaching viruses rather than getting well paid jobs on the other side ?

[dkbit98]

Anyone using BitKeep?

Nope, and I never heard about it until I saw that bleeping computer article and alleged hack that happened.
I was warning about all shitcoin wallets and bridges for some time, if they don't get hacked they will surely be exit-scammed sooner or later.
General rule is to install minimal amount of Bitcoin crypto apps on your devices and use dedicated laptop computer with Linux OS  to reduce risk of malware and trojans.

[serjent05]

Anyway - whatever you use, always make some effort to ensure you use the original program, not a hacked copy!

Shouldn't the download be verified? If you want to download an APK program, especially since most phones ask you when you want to download any app outside Google play, then you will be more careful.
Or them PGP private key has been hacked.

UPDATE: I visited their site and there doesn't seem to be an option to verify signature.
They have this code https://github.com/bitkeepwallet/download which looks an empty Github URL.

This is one major reason that I refrain myself from using mobile wallets.  It is easy for hacker to hijack the file and since some of the application doesn't have the option to verify the signature.   Though I admit that this is the first time I heard of the application because I am more comfortable using a known Bitcoin wallet and always skip apps that is new to me.

What does it mean by “transactions not requiring verification” ? This is crazy, and as normal user or non technical person I’m not sure how to keep my funds secure if there are trojans like these which are able to extract the transactions just like that?

Wow, they are actually developing good trojans but it seems Wallet or App makers are not really making any progress with the security huh?

So how does it work, developers focus more on security breaching viruses rather than getting well paid jobs on the other side ?

The application is hijacked probably hacker had replaced the original file, so instead of downloading the official application, users downloaded the malwared version giving the hacker full control of the downloaded wallet's operation.

[yhiaali3]

I don't know where users download the virus-infected hijacked APK from?

Something really strange, important files such as cryptocurrency wallet should not be downloaded from any source other than the official version from the App Store or Google Play.

This is clear negligence by users who do not adhere to the most basic safety conditions. Basically, I do not know how these people download an unknown wallet and deposit their money in it???!!!

[julerz12]

It seems those users who got hacked downloaded an infected updated version of their app, quite possibly from another sources, fake ads, telegram posts (their telegram group is a mess), emails, etc.
The Bitkeep team keeps assuring their users that if they have downloaded the app from iOs app store or google playstore, they are safe.
There were also some chatter on their telegram group about the Bitkeep team reaching out to Binance to help freeze the stolen funds sitting in Binance smart chain. Although I doubt Binance would even care.
So far, that's the only remedy they've come up yet and no real info about possible reimbursements to those who got affected.
Lesson: Never store all your crypto in these hotwallets.

[robelneo]

I don't know where users download the virus-infected hijacked APK from?

They should do an investigation could be  hackers created a version of Bitkeep and installed the link going through the scammer's version on the Play store

Something really strange, important files such as cryptocurrency wallet should not be downloaded from any source other than the official version from the App Store or Google Play.

In the article they did not mention the number of victims there are still investors that do not know how to differentiate a phishing link and the official source of the wallet

This is clear negligence by users who do not adhere to the most basic safety conditions. Basically, I do not know how these people download an unknown wallet and deposit their money in it???!!!

It is, you cannot be an investor and a holder without knowing the basics of using a wallet, it's negligence on their part they are lucky if Bitkeep reimburses them its not their part anyway.

[Pmalek]

I don't know where users download the virus-infected hijacked APK from?

If you aren't careful or trust random people on the internet, there are many ways to get infected and phished. Ask about good wallets or exchanges in crypto-related social media channels and groups and you will be bombarded with scam attempts and fake investment opportunities. Many people unfortunately don't realize how dangerous it is to trust such sources. Google isn't helping either with their negligence and willingness to advertise scams on top of search results if you pay them. 

[Rikafip]

Something really strange, important files such as cryptocurrency wallet should not be downloaded from any source other than the official version from the App Store or Google Play.

App Store or Google Play are not good places to download apps either, especially not something as sensitive as a cryptocurrency wallet. While App Store is more security oriented and its much harder to upload a fake app there (but it happens from time to time), Google Play is a scammer's heaven as they are not as thorough as Apple is. Some time ago I started looking for and reporting those but eventually gave up as it was nothing but a whack a mole game.

With that being said, the only place where anyone should download the app is from the official website, but even then you may end up being victim if you click on a phishing website.

[joniboini]

I don't know where users download the virus-infected hijacked APK from?

It would be great if the reports mention detailed information about this. But then if this is not what happened I'm pretty sure people will post on social media rebutting their statement. I'm not sure how APK update work in detail but Android should add something like an update will be rejected if the apk is not signed by the same publisher. This should help prevent installing a fake app on top of the real one. However, no one should rely on this and download/verify the apk themselves.

With that being said, the only place where anyone should download the app is from the official website, but even then you may end up being victim if you click on a phishing website.

Another option would be to build it on your own. I don't think this would become mainstream since a lot of people are using closed-source app nowadays. At the end of the day, every method has its own risk. We just gotta deal with it.

it's negligence on their part they are lucky if Bitkeep reimburses them its not their part anyway.

IMO some people still don't understand what decentralized means. Whether the app is terrible/secure or not, expecting reimbursement from a decentralized wallet app when things go south should not be the guarantee for the security of their funds.

[Pmalek]

I'm not sure how APK update work in detail but Android should add something like an update will be rejected if the apk is not signed by the same publisher. This should help prevent installing a fake app on top of the real one. However, no one should rely on this and download/verify the apk themselves.

Android OS already requires that all applications have to be digitally signed before they can be installed on your device. If there is an update to an already installed app, the OS will check if the new certificate matches the one of the app you already have installed on your phone. If the certificate matches and belongs to the same developer, the update can be installed. If the certificate doesn't match and there is a different signature, you can't update the old app with the same name. But I guess you can install a separate app with a slightly different name, which will be the fake app. The way to get around that is to steal the developers' signing key and release a malicious app by signing it with the correct keys, or if the developer releases that malicious update himself. You can read more about it on https://www.xda-developers.com/application-signature-verification-how-it-works-how-to-disable-it-with-xposed-and-why-you-shouldnt/. 

There is also an option to disable signature verification on Android, but that is an unnecessary security risk.

[Woodie]

BitKeep is being unfair to its users, how the hell do the come to a conclusion that it's users were using third party apps which could be the source of the problem And with these findings they are saying all affected users could actually be Android users and all don't know how to use the playstore which by the way could have warned users if an app was not genuine had they downloaded the so called third-party apps thanks to play protect.... These guys better give a better reason if this isn't an inside job

[Accardo]

What does it mean by “transactions not requiring verification” ? This is crazy, and as normal user or non technical person I’m not sure how to keep my funds secure if there are trojans like these which are able to extract the transactions just like that?

Wow, they are actually developing good trojans but it seems Wallet or App makers are not really making any progress with the security huh?

So how does it work, developers focus more on security breaching viruses rather than getting well paid jobs on the other side ?

The application is hijacked probably hacker had replaced the original file, so instead of downloading the official application, users downloaded the malwared version giving the hacker full control of the downloaded wallet's operation.

The file name was hijacked and a replica made out of the original. It's hard not to see loopholes on wallet apps, since it could be managed by greedy people; a person can betray the team and offer the main file name to the hackers.

I don't know where users download the virus-infected hijacked APK from?

If you aren't careful or trust random people on the internet, there are many ways to get infected and phished. Ask about good wallets or exchanges in crypto-related social media channels and groups and you will be bombarded with scam attempts and fake investment opportunities. Many people unfortunately don't realize how dangerous it is to trust such sources. Google isn't helping either with their negligence and willingness to advertise scams on top of search results if you pay them.  

At first google was wary about cryptocurrency related adwords on their search engine, but such ads are now allowed, which is quite risky for users. Besides, most of these hackers and malicious app owners have authority websites that promotes their links too, which lure people to download their apps on app stores other than google play store. Moreover, android phones like huawei has its app store which seems to be less secured regarding the need of certificates before installing apps. On the other hand, some people are careless about all these requirements, and go ahead to confirm that they trust the app.

 

However, since the current attacks result from users getting scammed by trojanized APKs, it’s unlikely that there will be any refunds.

so since this is as a result of a careless company and uninformed users it's wrong to say that the affected users should be neglected with no refunds, it is suspicious.

Considering that the Company has taken this step to inform users about the hijack, what are their plans of stopping such a continuous attack on affected users, as the news may not get to everybody? The internet is not a place for the less informed, truly. Especially, on the cryptocurrency niche, a group of developers can conjoin and build a project, promote it, gain customers and feel reluctant about their safety. Exposing them to the wild world of hackers.

[fortunecrypto]

BitKeep is being unfair to its users, how the hell do the come to a conclusion that it's users were using third party apps which could be the source of the problem And with these findings they are saying all affected users could actually be Android users and all don't know how to use the playstore which by the way could have warned users if an app was not genuine had they downloaded the so called third-party apps thanks to play protect.... These guys better give a better reason if this isn't an inside job

If there is an accusation of an inside job then the reputation of Bitkeep is in trouble so they are fast to do their investigations and do necessary actions based on this article which I think is a more complete one they are on top of the situation

https://thehackernews.com/2022/12/bitkeep-confirms-cyber-attack-loses.html

As many as five different counterfeit versions of the Android app with the following package names have been identified, suggesting that the apps were potentially distributed through phishing websites. The legitimate package name is "com.bitkeep.wallet."

The Singapore-headquartered company, which was founded in 2018, said it has traced the wallet address used to carry out the theft and that some of the siphoned digital assets have been frozen.
This is not the first time BitKeep has been breached. On October 18, 2022, it disclosed another security incident targeting its BitKeep Swap service that led to losses of about $1 million.

It seems Bitkeep is one of the most targeted wallets and those Bitkeep users should be more educated on how to protect their coins and know the difference between fake and legit wallets, phishing sites are such a big concern in the industry, and only through education can we beat scammers.
This will not end yet as long as people are lax in how they secure their assets, and they are the ones scammers are targetting.

[The Cryptovator]

Bitkeep is something I'm not familiar with. Based on a quick search, they claimed to be a non-custodial decentralized Multichain wallet. As a result, downloading APK from an untrusted source would be the user's fault. Regardless of whether their source has been compromised. If an official source is hijacked, it is their responsibility. However, users are losing money. I can't trust any wallet that doesn't include a hardware wallet right now.

[aioc]

Bitkeep is something I'm not familiar with. Based on a quick search, they claimed to be a non-custodial decentralized Multichain wallet. As a result, downloading APK from an untrusted source would be the user's fault. Regardless of whether their source has been compromised. If an official source is hijacked, it is their responsibility. However, users are losing money. I can't trust any wallet that doesn't include a hardware wallet right now.

I am not using this wallet and checking their website after this issue happened there's no warning whatsoever about fake source
they should have one as they do on Electrum posting it prominently where people can see the warning, it's possible that there are other existing fake sources and by posting this, they are bringing it to their user's attention.

[BitMaxz]

I never heard of this wallet before but I guess this is another inside job which is why I don't use a random wallet that I never heard. And look play store or apple store they always verify the app if it's from a real developer and the bad thing is how the hacker has control of their user's wallet. It means your coins/token there is not private and they also have full control of your wallet what is the purpose of their mnemonic phrase backup if they can see and control your wallet? It is more likely a centralized wallet.

If you are one of the users of this wallet better switch to another wallet that is known and open source or better buy a hardware wallet.

[coin-investor]

I never heard of this wallet before but I guess this is another inside job which is why I don't use a random wallet that I never heard. And look play store or apple store they always verify the app if it's from a real developer and the bad thing is how the hacker has control of their user's wallet. It means your coins/token there is not private and they also have full control of your wallet what is the purpose of their mnemonic phrase backup if they can see and control your wallet? It is more likely a centralized wallet.

If you are one of the users of this wallet better switch to another wallet that is known and open source or better buy a hardware wallet.

The inside job is just a speculation, they have the plan to refund those users and also asked Binance to freeze the accounts of those hackers after they traced it, they should extend their investigation on where did those users download the wallet, I'm sure after this some users will transfer their wallet to another more secured custodial wallets, a new custodial wallet with issues like this will have their reputation crumble because its the second time it happens.
Users will still forgive them if this is the first time.