If I Had a Million Cryptos: Cryptowallet Application Analysis and a Trojan Proof-of-Concept

Abstract

Cryptocurrencies have gained wide adoption by enthusiasts and investors. In this work, we examine seven different Android cryptowallet applications for forensic artifacts, but we also assess their security against tampering and reverse engineering. Some of the biggest benefits of cryptocurrency is its security and relative anonymity. For this reason it is vital that wallet applications share the same properties. Our work, however, indicates that this is not the case. Five of the seven applications we tested do not implement basic security measures against reverse engineering. Three of the applications stored sensitive information, like wallet private keys, insecurely and one was able to be decrypted with some effort. One of the applications did not require root access to retrieve the data. We were also able to implement a proof-of-concept trojan which exemplifies how a malicious actor may exploit the lack of security in these applications and exfiltrate user data and cryptocurrency.