While the app’s page on Google Play looked legitimate, the researchers said the software itself contains no Trezor branding at all, with a generic login screen phishing for credentials.
According to ESET, more than 1,000 users had downloaded one of the dodgy apps. Although it claimed to enable its customers to create wallets for storing their crypto, the software was actually designed to trick them into transferring coins to addresses owned by the attackers. The researchers warned:
“If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere.”
Crypto users are being urged to only trust an app if the company’s official website links to it, regularly update their devices and think twice before entering their sensitive information into online forms.
Trezor told the researchers that the fake app did not appear to pose a security threat to its users, but the company said it was concerned that the email addresses collected through the software could be used for phishing attempts in the future. Google Play has since removed the apps from its marketplace.