Warning: Crypto Apps Are Harvesting Your Private Data – And It's Worse Than We Thought


The crypto segment can be as simple or complex as you approach it. However, just like other niches in today’s tech industry, there are also attackers lurking, eager to steal your data, credentials, and money. The Play Store is full of cryptocurrency apps for Android devices, but many of them may put your privacy at risk.

The most popular cryptocurrency apps could put your privacy at risk

When dealing with crypto, taking care of your security is especially important. If bad actors manage to breach your accounts, they could cause you great financial damage. That said, a recent LEAKD study found several alarming signs in the 51 most downloaded cryptocurrency apps on Google. The research found that many of these apps implement practices that are potentially harmful to your privacy and security.

The list of bad practices includes excessive implementation of trackers, several hardcoded secrets, and dozens of unnecessary permissions. There are even some that have weak security by design and lack fundamental privacy standards. This translates into an increasing risk for the user’s privacy when using cryptocurrency apps.

Trackers, hardcoded secrets, and requests for unnecessary permissions abound

Starting with trackers, they are modules of code designed to “capture” your activity, whether within an app or even outside of it. Modern permission management systems make it possible to limit the data that trackers can access. Still, some cryptocurrency apps ask for certain permissions to capture enough information to create a solid “reflection” of your habits. This data is often used for targeted ads, but there are companies that sell it to third parties.

The report mentions Crypto.com and DANA apps as the ones that integrate the most trackers in the segment. Each one has more than 10, while the average among the list of 51 apps was 4.6 trackers. The data captured could include browsing habits, device ID information, and even location. It’s noteworthy that certain trackers are even necessary for certain key features to function. However, app developers are not too transparent about this. So, you just have to “trust” that they only capture the necessary data and that they will use it in a way that respects your privacy.

That said, some apps show that trackers are not always essential. Bitcoin Wallet, TokenPocket, and BitMart are cryptocurrency apps that respect your privacy a little more by not integrating trackers.

Several apps on the list also had a worrying amount of hardcoded secrets. This means that there is sensitive data embedded directly in the code. The sensitive data is not necessarily yours, but related to the crypto platform. In other words, it is data that a hacker could find through a simple APK decompilation and use to their advantage to attack the entire platform. This not only puts your security and privacy at risk, but that of potentially thousands—or millions—of users.

As with trackers, sometimes the presence of this type of data in the code of the app is unavoidable. However, these are still significant security risks. The report mentions that Kraken Wallet and MetaMask apps are the ones that suffer the least from this problem, with fewer than 15 hardcoded secrets. On the other hand, the most worrying are OKX, Binance, and MEXC, with 5,329, 1,937, and 1,340, respectively. The greater the presence of hardcoded secrets, the greater the risk of breaches. If app developers want to implement them “en masse,” they must also consider mechanisms that prevent their use to breach the platform.

Requesting excessive permissions is a recurring problem on mobile devices. There are all kinds of apps that resort to this privacy-unfriendly practice, and cryptocurrency ones are no exception. The most problematic ones in this section requested up to 45 permissions, while the average was 22.9. Granting sensitive permissions is one of the main causes of vulnerabilities on mobile devices. This can lead to situations such as credential theft and privacy violations in multiple ways.

The report highlights some permissions in particular for their sensitive nature. These are the permissions to access the camera and to read and write to storage. In many cases, the apps integrate features that really need these permissions, for example, to download documents or upload files for ID verification systems. Still, poor management can lead to a nightmare for your privacy, potentially leaving you exposed to attacks against the platform.

Other permissions that could put your privacy at risk when using cryptocurrency

While they weren’t necessarily present in the analyzed apps, the researchers mentioned other app permissions that you should be wary of—not just in the crypto realm. Permissions for microphone access, precise location, approximate location, screen overlay, and device ID data are especially sensitive. They allow apps to potentially set up an entire spy system for everything you do during the day, tracking everything from your routes to what you say. They also allow attackers to access critical information like your phone number or information about your WiFi network.

The report showed that some of the 51 cryptocurrency apps under analysis requested multiple irrelevant or unnecessary permissions, many of them related to your privacy. The list includes access to writing to the calendar, managing Bluetooth connections, and activity recognition. It’s almost as if the developers didn’t bother to limit the permissions to only those necessary for their apps and simply requested as many as they could.
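The permission concerns described above can be checked against a decoded `AndroidManifest.xml` before release. The following is an added example, not code from the LEAKD report or the original article; the mapping from the article's permission categories to Android permission constants and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Assumed mapping: Android constants for the concerns the article names.
SENSITIVE = {
    "CAMERA": "camera",
    "READ_EXTERNAL_STORAGE": "storage", "WRITE_EXTERNAL_STORAGE": "storage",
    "RECORD_AUDIO": "microphone",
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "SYSTEM_ALERT_WINDOW": "screen overlay",
    "READ_PHONE_STATE": "device ID data",
    "WRITE_CALENDAR": "calendar write",
    "BLUETOOTH_CONNECT": "Bluetooth",
    "ACTIVITY_RECOGNITION": "activity recognition",
}

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def audit_manifest(xml_text, device_sdk=34):
    """Return (total_requested, {permission: concern}) for one device API level."""
    root = ET.fromstring(xml_text)  # parse only manifests from your own build
    requested = set()               # a set, so duplicate declarations count once
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            # maxSdkVersion below the device level: the request is not made there.
            skip_by_max = max_sdk is not None and int(max_sdk) < device_sdk
            skip_by_tag = tag == "uses-permission-sdk-23" and device_sdk < 23
            if name and not (skip_by_max or skip_by_tag):
                requested.add(name)
    flagged = {p: SENSITIVE[p[len(PREFIX):]] for p in sorted(requested)
               if p.startswith(PREFIX) and p[len(PREFIX):] in SENSITIVE}
    return len(requested), flagged

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Each flagged entry is a prompt to confirm that a shipped feature actually needs the permission, not proof of misuse.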

The cryptocurrency boom and associated privacy/security dangers

Just like artificial intelligence in the current tech industry, cryptocurrencies experienced a huge boom some years ago. In this case, the massive revaluation of Bitcoin, the “king” of cryptocurrencies and derivatives, caught the attention of many. Over time, these assets revalued even more until they reached certain levels. From there, the value has been fluctuating. This can happen for multiple reasons, from the market context to the action of the so-called “whales.” The regulatory intentions of governments have also severely impacted the value of cryptoassets.

Currently, there are two main ways to use cryptocurrencies. You can opt for a centralized exchange or for self-custody. Using an exchange offers simpler and more friendly ways to interact with cryptocurrencies. There is also better clarity regarding fees for sending cryptocurrencies, often making the process as simple as sending money between users of banking institutions. However, your cryptos are at the mercy of potential attacks, something that has happened several times.

On the other hand, self-custody means having full control over your cryptocurrencies. That requires a lot of responsibility, as you must keep your seed keys safe somewhere. These seeds are fundamental to accessing your cryptocurrencies, and if you lose them, you could lose all your funds. Self-custody wallets do not ask for personal data, like your email or phone number, to create an account. However, that also means that there are no easy key recovery tools if you lose them.

The ways of using cryptocurrency should already give you a sense of the associated risks and dangers. However, we can list some of the most important ones. The first is the high volatility of many cryptocurrencies. The value of the asset can go “to the moon” or collapse suddenly. These situations are difficult to predict, as there are more factors than just the pure market. For example, sometimes there is manipulation by “whales”—users with large amounts of cryptocurrencies—who seek to manipulate the value for their benefit. Unexpected government announcements about regulations can also suddenly bring the value down.

Above we talked about centralized exchanges and the risk of losing capital due to potential attacks. Many do not offer any guarantee on your assets for these scenarios. So, if you are among the unluckiest, you will simply lose your funds without having been able to do anything about it.

Hacks on exchanges could also breach users’ personal data. The regulatory environment around the segment has led many platforms to implement KYC—know your customer—policies. This involves verifying your accounts with sensitive data such as your physical ID or passport. The platform can also ask for your phone number, email, and country of residence, among other information.

Because these are digital assets, cybercriminals abound in the crypto segment. They use multiple social engineering strategies to try to trick potential victims. Their methods include paying for ads on websites and creating fake phishing assets, among others. The creation of worthless cryptocurrencies is one of the most common ways criminals scam users. They promise a great return to those who buy their assets and then disappear without a trace with the victims’ money.

The global impact of big cryptocurrency exchange hacks

In recent years, some of the largest crypto exchanges have suffered hacks with huge losses. The biggest recent hack seen in the segment occurred in March 2022 when attackers stole $615 million in Ethereum and USDC from Ronin Network. Another major incident occurred in August 2021 when a hacker stole $611 million worth of crypto from Poly Network. This case was curious since the hacker only wanted to show that they could breach the platform, eventually returning the assets.

The fall of the FTX exchange was one of the most controversial cases in recent years. FTX was competing to occupy the place of the most prominent exchange in the crypto ecosystem. However, the company declared bankruptcy after a hack of $600 million worth of crypto coins in 2022. The exchange suffered a second hack in 2023, this time worth $15 million.

Binance is one of the most popular and reliable exchanges out there. However, it is not free from hacking and asset theft situations either. The company suffered an attack in October 2022 where the perpetrators made off with the equivalent of $570 million. Other notable hacking incidents in the industry involve Coincheck ($534 million in 2018), Mt. Gox ($400,000 in 2011, $437 million in 2014), Bitmart (over $196 million in December 2021), and Nomad Bridge ($190 million).

North Korean hacking cryptocurrency exchanges: A growing threat

North Korea is a major player when it comes to cryptocurrency hacks. Pyongyang-related teams constantly resort to this practice to obtain funds, bypassing international sanctions. According to authorities in multiple countries, North Korea invests the stolen money in weapons of mass destruction and ballistic missile programs.

2024 was an especially active year for North Korean hackers. They stole around $1.34 billion across 47 incidents. This was a huge increase compared to the $660.5 million stolen in 2023 during 20 attacks. North Korean crypto-related hacks accounted for 61% of the total global crypto assets stolen last year.

According to recent studies, North Korean attacks on crypto platforms are becoming more frequent. The average time between successful attacks from Pyongyang decreased compared to last year. More specifically, the report refers to thefts worth between $50 and $100 million and more than $100 million. This suggests that North Korean technology is becoming increasingly effective.

There are reported cases of attacks involving the infiltration of North Korean IT workers in international crypto and Web3 companies in order to compromise security systems from within. They achieve successful infiltration using false identities, hiring through intermediaries, and manipulating remote work opportunities. The US Department of Justice (DOJ) recently arrested 14 North Koreans who worked remotely at North American companies, from which they extracted confidential information and extorted their employers for more than $88 million.

In 2024, Japan’s DMM Bitcoin was attacked by groups associated with North Korea. The exchange lost around 4,502.9 Bitcoin (equivalent to $305 million at the time). Fortunately for users, DMM did take responsibility and covered the losses for its customers.

North Korean hackers often follow the same modus operandi. After successfully attacking a crypto platform, they send the funds to intermediate wallets and then to a Bitcoin mixer. Mixers are platforms that serve to hide the origin or destination of cryptos through an exchange pool of anonymous users. Bitcoin mixers work as a kind of “money laundering” system.

How can attackers breach your security/privacy when using cryptocurrency?

There are multiple methods used by hackers to breach your accounts on exchanges. They do not always try to breach the entire platform—it takes a lot of resources to do so—but rather they target individual users. To do this, attackers resort to classic phishing via emails or SMS that include links to malicious websites. The links usually lead to forms or cloned websites that request your access credentials.

Bad actors can also trojanize commonly used software. On mobile devices, they often resort to introducing malware in popular apps and then distributing it over the internet. Currently, app store security systems—such as the Play Store’s—are increasingly better at automatically detecting malware-infected uploads. However, there are still some rare cases where similar apps manage to sneak through—though they only last a short time in the listings.

Malicious third parties with certain know-how could also target entire exchanges by exploiting vulnerable code discovered through reverse engineering and other methods. This has been done several times during the biggest crypto hacks.

Third parties can gain access to your cryptos if they obtain your private keys. This mainly affects users who choose the self-custody method for their crypto assets. Centralized exchanges do not usually offer access to the private keys of the wallets associated with your account. However, ironically, they are more vulnerable to hacks due to other factors.

Tips to avoid potential hacks

If you want to enter the cryptocurrency world, you must take certain precautions for your security and privacy. In the end, the most important thing is to keep your assets safe from potential attacks. There are some tips you can use to stay protected from these types of incidents.

First, many recommend resorting to self-custody of assets. You can do this through so-called “cold wallets” that are not connected to a centralized exchange but interact directly with the crypto network. However, remember that it is essential to safely store your seed keys since you will not be able to recover them if you lose them, which will result in the loss of your funds.

Using cold wallets can feel a bit complex for beginners. For these cases, you can turn to a reputable crypto exchange, although you should check the history of hacks it has had to know how reliable it is. For this scenario, it is best to stick to popular exchanges that have not suffered a similar incident in years and preferably offer multiple authentication methods.

Avoid downloading and installing software of dubious origin on the PC where you manage your cryptos. There are times when this type of software comes trojanized with malware especially focused on trying to breach your account on the potential crypto platforms you use.

If you use an exchange, it is advisable to use passwords as complex as possible. Remember to keep them in a safe place and update them from time to time. Preferably, avoid saving your credentials in your browser’s native password manager. A potential “trick” is to save your seed keys in a file and compress it into a .ZIP/.RAR file with a password. If your keys are so complex that you can’t remember them, you will have to unzip the file every time you want to access your cryptos. However, that’s better than suddenly losing everything without realizing it.

You should also enable multi-factor authentication whenever possible. Major exchanges often offer this extra layer of security, so don’t forget to implement it. Lastly, you should also avoid accessing malicious crypto-related links. You might receive these links via SMS or email.


