Threats to your crypto: Trojans

When people talk about malware in the context of cryptocurrencies, you might think about sneaky miners or extortionists, who demand coins in exchange for unblocking your computer. There are, however, other applications that can be used to steal your assets or your seed phrase.

Malware can steal assets, discover mnemonic phrases, or even install modified firmware on hardware wallets (in theory). Let’s take a look at how they work and they methods they use to break into your device.

How they work

Attackers use trojans to install malware without being detected. Just like the Trojan Horse, the key to their strategy involves impersonating something that looks useful and safe. It could be an application, a game or a document. There is also the possibility that they don’t contain anything harmful at the moment of infiltration. It’s only afterwards when, operating automatically or controlled by the attacker, they download the “payload”, which carries out the actions required by the hackers. These trojans are known as "downloaders". There are also “droppers”, which don’t download anything, but come pre-loaded with malicious applications. There are many types of trojans out there, but knowing about these two will suffice for our purposes. 

How they spread

Attackers often use social engineering and phishing techniques. For example, they create fake websites for well-known applications, which host infected program distribution kits. Another method involves sending out emails purportedly from the software developer, encouraging the recipient to install an update or download a “fixed” version. In this case, the application itself will work as intended, but malware will also be installed on the computer or smartphone.

Another delivery method involves official app stores. The attackers create a simple utility for Android, submit it for review by the app store and wait for people to install it. Getting listed on app stores is difficult, however, so the infected APK file is often distributed via alternative platforms.

Some trojans spread by themselves. For example, the Emotet trojan accesses Outlook data on the computers it infects and then sends an infected file or a link to it to the contacts in the user's address book.

What about crypto?

There are a number of situations where trojans can be used to steal your crypto assets. A few years ago, employees at Kaspersky Lab discovered the CryptoShuffler trojan. The malware was fairly simple: after being installed on the victim’s computer, it began monitoring the clipboard, and when it noticed something that looked like the address of a Bitcoin, Ethereum, Zcash, Monero, Dash or Dogecoin crypto wallet, it replaced it with the address of the attackers’ wallet. By the time CryptoShuffler had been identified, the attackers were able to steal $140,000 (over half a million dollars at today’s exchange rates).

Here's a more recent example. Researchers from ESET have found many websites hosting fake, trojanized versions of the Telegram and WhatsApp messenger apps. Some of the trojans operated the same way as CryptoShuffler, while others were designed to identify seed phrases. They did this in a rather interesting way: they searched for images on computers and smartphones and ran them through an OCR module to find text that resembled seed phrases. The attackers targeted users who had taken screenshots of their mnemonic phrases or photographed pieces of paper containing the phrase as a reminder when creating their wallets.

Trojans don't necessarily steal data "directly" – they can also be used as part of multi-stage attacks. For example, a trojan that has infiltrated a user's smartphone can determine when it’s connecting to its home network and try to guess the password for the router. If successful, it changes the DNS server to the attacker's address in the settings. The victim can then be easily redirected to crypto wallet phishing sites instead of the real ones. 

Hacking hardware wallets

Hacking a hardware wallet is possible in theory, but has not been achieved in practice. Saleem Rashid, who was able to hack the Ledger Nano S, described a possible attack plan. A trojan is installed on a computer and waits for the user to connect their crypto wallet. It then displays a warning telling the user to update the device’s firmware. If the latter agrees, the malware installs modified software on the wallet. 

It's important to clarify that this is a purely hypothetical scenario, and was presented at a time when the Nano S was vulnerable to attacks of this kind. Since then, there have been multiple firmware updates and the vulnerabilities identified have been fixed. The possibility of an attack of this kind should not however be completely discounted, as new vulnerabilities could be identified at any moment and exploited before they can be eliminated by the manufacturer.

How to protect yourself

It’s important to understand that there are many malware applications that can be engineered to steal crypto assets. Spyware, for example, could be configured to start taking screenshots the moment you visit a crypto service website. If you decide to create a new wallet, the attackers could gain access to a screenshot containing the seed phrase.

Another worrisome detail is that, as time goes on, the barrier to entry for newcomers to the “business” is being lowered. Some kinds of malware can simply be bought and repurposed to suit the buyer’s needs.

Here are some tips for keeping yourself safe. You’ve probably encountered them before, but they’re currently the best tools available to us.

  • Install a reliable antivirus program (Windows Security won’t cut it). Even a free version helps.
  • Don’t install software downloaded outside official app stores on your smartphone. If the website of a well-known application suggests downloading an APK file, exercise caution.
  • Don’t install pirated versions of paid software. There is no guarantee that the “repacker” didn’t insert a trojan.
  • Don’t use a “rooted” smartphone when dealing with crypto. Superuser rights make it much easier to install malware.
  • Always install updates (at least security updates), no matter how annoying you find them. Updates fix the vulnerabilities used by trojans.
  • It goes without saying that you should use reliable cold wallets like Tangem Wallet. Our wallet is EAL6+ certified, and cannot be hacked. Owners don’t have to worry about their seed phrase being stolen either – Tangem doesn’t have one.