Identifying Common Scam Apps and APK Packages Used for Phishing

2023-07-28
Fake App Theft Case Study:

In a recent incident, Andrea, who had a new smartphone, came across a post in a WeChat group showing a news update purportedly from a wallet's official representative. The post included an App download link, and as Andrea had not yet installed that wallet on the new phone, they scanned the QR code and downloaded the App. Andrea did not realize this was a scam. After inputting their private key and importing the wallet, Andrea soon discovered that all the assets at that address had been transferred out, resulting in a loss of nearly 20,000 USD.

Scammers often attempt to obtain users' private keys or mnemonic phrases, since these grant absolute control over wallet assets. The most common tactic is creating fake Apps that mimic official news updates and entice users to download them. These fake Apps may appear at the top of search engine results through paid advertisements, or even be listed on the official Apple and Android application stores under identical names. They heavily replicate official website information and images, making it difficult for users to tell the genuine version from the fake. Once users download these Apps and import their mnemonic phrases or private keys, their wallet assets are swiftly siphoned off by the scammers.

To safeguard against such scams, it's crucial always to download wallets and exchange-related Apps from official channels and carefully verify website domain names and other relevant information. Many official websites also provide features for validating "official links/contact information."

How to Validate Official Websites/Emails?

Bitget Wallet (previously BitKeep) offers an official validation channel, where users can input URLs or emails provided by others and click "Verify" to receive validation results.

When validating a website that is not an official Bitget Wallet (previously BitKeep) website, the result will indicate "Non-official channel."

In such cases, it is advisable not to access the website. If you have already visited a phishing site, promptly check if your wallet, exchange, or other platform assets have been transferred. Take immediate action to transfer them to a newly created address to prevent losses resulting from the exposure of mnemonic phrases, private keys, or exchange passwords.

Fake APK Package Case Study:

Due to the numerous download options available, Andrea believed that it was unnecessary to download wallet or exchange Apps solely from their official websites. They considered some reputable third-party app markets to be reliable alternatives. Hence, Andrea downloaded an APK package of a wallet from APKCombo, a website known for hosting applications sourced from various legitimate app stores. Unfortunately, within a week of downloading the wallet, Andrea fell victim to theft.

Upon reporting the incident to the wallet's official customer support and a subsequent investigation conducted jointly with a third-party security agency, it was revealed that the APK package provided by APKCombo was for a nonexistent version. The official wallet developers had never released such a version. Later, it was confirmed that this particular counterfeit version was one of the most widely circulated fake versions in the market. The scammer deliberately assigned a high version number to deceive users into believing it was the latest version.

Once users download such fake APK packages and create or import a wallet on the start-up screen, the fake wallet will send the mnemonic phrase and other information to the phishing website's server, putting the user's assets at risk of theft.

Furthermore, investigations by security agencies uncovered similar download sites like Uptodown, where anyone can register and release Apps without strict verification, making the cost of phishing significantly lower.

In light of these risks, Bitget Wallet (previously BitKeep) officially warns all users to use official download channels and validate from multiple sources when using wallets or exchanges. Always download the App from the Bitget Wallet (previously BitKeep) official download page. If you download your wallet from a non-Google Play third-party application platform, be wary of the risk of downloading fake APK packages. In case you detect any risks, immediately transfer your assets, uninstall the fake software, and verify through the official validation channel if necessary.
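The counterfeit in the case study carried a version number the developers had never released. As an added example (not code from this article or from the wallet vendor), the Python sketch below checks the text output of the Android SDK tools `aapt dump badging` and `apksigner verify --print-certs` against values published by the vendor. The package name, certificate digest, version list, and sample tool output are all constructed placeholders.

```python
import re

# Constructed placeholders: in practice, take these from the vendor's official
# download page or release notes, never from the site that served the APK.
OFFICIAL_PACKAGE = "com.example.wallet"
OFFICIAL_CERT_SHA256 = "ab" * 32
OFFICIAL_VERSIONS = {"8.1.0", "8.2.0", "8.2.1"}

# Constructed sample tool output for a counterfeit build with an inflated version.
SAMPLE_BADGING = ("package: name='com.example.wallet' versionCode='9900' "
                  "versionName='9.9.0' platformBuildVersionName='13'")
SAMPLE_CERTS = ("Signer #1 certificate DN: CN=Unknown\n"
                "Signer #1 certificate SHA-256 digest: " + "cd" * 32 + "\n")

def parse_badging(text):
    """Extract package name and versionName from `aapt dump badging` output."""
    m = re.search(r"^package: name='([^']+)'.*?\bversionName='([^']*)'", text, re.M)
    if not m:
        raise ValueError("no package line in badging output")
    return m.group(1), m.group(2)

def parse_signer_digests(text):
    """Collect every signer SHA-256 from `apksigner verify --print-certs` output."""
    pattern = r"certificate SHA-256 digest: ([0-9a-fA-F]{64})"
    return {d.lower() for d in re.findall(pattern, text)}

def check_apk(badging, certs):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    package, version = parse_badging(badging)
    if package != OFFICIAL_PACKAGE:
        findings.append(f"package name {package!r} is not the official one")
    if version not in OFFICIAL_VERSIONS:
        # A higher number is not proof of a newer build: it must be a real release.
        findings.append(f"version {version} was never released by the vendor")
    if parse_signer_digests(certs) != {OFFICIAL_CERT_SHA256}:
        findings.append("signing certificate does not match the vendor's")
    return findings

if __name__ == "__main__":
    for finding in check_apk(SAMPLE_BADGING, SAMPLE_CERTS):
        print("REJECT:", finding)
```

Any finding is grounds to discard the file before installing it; the signing-certificate check is the strongest of the three, because a repackaged App cannot be signed with the vendor's key.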
