
Hackers Steal Millions in Crypto from Android Users who Sideloaded Trojanized BitKeep Wallet

Filip TRUȚĂ

December 29, 2022


Multichain crypto wallet provider BitKeep has confirmed that hackers have stolen its customers’ digital assets through a clever supply-chain attack.

On Dec. 26, after several customers reported unauthorized transactions from their accounts, BitKeep officials took to Telegram to warn of an unfolding cyberattack targeting BitKeep crypto wallets.

Supply-chain attack

It didn’t take long for the company to realize that hackers had breached its servers to replace the official BitKeep app with a trojanized version designed to give the attackers control over end-users’ wallets.

In infosec speak, this type of hack is known as a supply-chain attack, where hackers breach the vendor’s IT environment to infect software with malware. End users unknowingly download what they believe to be an official app or update when, in fact, it’s a tainted replica.

Android users who sideloaded the BitKeep app ended up downloading the tainted version of the software – essentially an identical copy laced with invisible malicious code.

‘Altered APK’

The company’s anonymous CEO, identified as Kevin Como in the specialist media, confirms as much in an apologetic letter to customers, saying:

“In this large-scale malicious attack, the hacker exploited and hijacked BitKeep App 7.2.9 APK on our website. With maliciously implanted code, the altered APK led to the leak of user’s private keys and enabled the hacker to move funds.”

The letter urges users to replace their sideloaded BitKeep app with the official version available on the Google Play Store, generate a new wallet address, and move their funds over, “because there’s a chance that your private key is leaked due to this hijacked APK in question.”
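The practical lesson for anyone who sideloads is that an APK pulled from a vendor's website is only as trustworthy as that website was at the moment of download; the hash or signer certificate it should be checked against has to come from somewhere the attacker could not change at the same time. The following Python script is an added example written for this article; it is not code from Bitdefender or BitKeep, and the two in-memory archives it builds (`OFFICIAL_APK`, `TAMPERED_APK`) are constructed stand-ins for a release build and a repackaged copy, not real BitKeep files. It pins a whole-file SHA-256, checks that the archive is intact and carries a signature block, and lists which entries differ between a suspect download and a reference copy (for instance one obtained from the Play Store).

```python
import hashlib
import hmac
import io
import zipfile


def build_apk(dex_bytes: bytes) -> bytes:
    """Build a minimal ZIP that stands in for an APK (an APK is a ZIP archive).

    Constructed for this example only; the entry contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.wallet'/>")
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob, not a real signature")
    return buf.getvalue()


# Constructed sample inputs: the release build and a copy whose classes.dex
# was altered (the kind of change a repackaged, re-signed APK would carry).
OFFICIAL_APK = build_apk(b"dex\n035\x00wallet-app-code")
TAMPERED_APK = build_apk(b"dex\n035\x00wallet-app-code;extra-code")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The pinned digest must come from a channel the attacker could not alter
# together with the download (signed release notes, the store listing, a copy
# from a second source). Here it is simply derived from the sample build.
PINNED_SHA256 = sha256_hex(OFFICIAL_APK)


def verify_apk(apk_bytes: bytes, pinned_sha256: str) -> dict:
    """Check a downloaded APK before installing it.

    hash_ok:        whole-file SHA-256 matches the pinned value
    entries_ok:     archive is readable and carries the entries every app has
    has_signature:  a v1 signature block (META-INF/*.RSA|DSA|EC) is present
    ok:             all of the above
    A signature file only proves the APK was signed by someone; a repackaged
    app is normally re-signed with the attacker's own key, so the signer
    certificate fingerprint still has to be compared with the known one
    (e.g. via `apksigner verify --print-certs`), which this example leaves out.
    """
    result = {"hash_ok": False, "entries_ok": False, "has_signature": False, "ok": False}
    # constant-time comparison so the check does not leak how many digits matched
    result["hash_ok"] = hmac.compare_digest(sha256_hex(apk_bytes), pinned_sha256)
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            if zf.testzip() is not None:  # a corrupt entry: reject outright
                return result
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return result
    result["entries_ok"] = {"AndroidManifest.xml", "classes.dex"} <= names
    result["has_signature"] = any(
        n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        for n in names
    )
    result["ok"] = result["hash_ok"] and result["entries_ok"] and result["has_signature"]
    return result


def diff_entries(reference_apk: bytes, candidate_apk: bytes) -> list:
    """Name the entries that differ between two APKs (by size or CRC-32) and
    the entries present in only one of them. Useful when a suspect download
    can be set beside a copy obtained from the official store."""
    def table(apk: bytes) -> dict:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            return {i.filename: (i.file_size, i.CRC) for i in zf.infolist()}

    ref, cand = table(reference_apk), table(candidate_apk)
    changed = [n for n in ref if n in cand and ref[n] != cand[n]]
    only_ref = [n for n in ref if n not in cand]
    only_cand = [n for n in cand if n not in ref]
    return sorted(changed + only_ref + only_cand)


if __name__ == "__main__":
    print("official :", verify_apk(OFFICIAL_APK, PINNED_SHA256))
    print("tampered :", verify_apk(TAMPERED_APK, PINNED_SHA256))
    print("changed entries:", diff_entries(OFFICIAL_APK, TAMPERED_APK))
```

Run as-is it reports the tampered copy failing the hash check while still carrying a signature block, and names `classes.dex` as the entry that changed. The one thing to take from it is the provenance of the pin: a digest published on the same compromised download page would have matched the altered file just as well.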

The iOS version of BitKeep, which can only be downloaded through the official Apple App Store, remains unaffected. The same goes for the BitKeep Google Chrome extension, which the attackers didn’t get to either.

Millions in stolen funds

According to media reports, the attackers managed to drain $8 million in digital assets from unsuspecting users. The attack is ongoing, with some estimates reaching the $30 million mark.

BitKeep pledges to do everything in its power to recover the stolen funds and reimburse customers.

In the meantime, the company says it will work around the clock to strengthen the defenses around its IT infrastructure, with the CEO pleading: “please don’t worry, because I assure you that we will give you a satisfying solution.”

Sideloading woes

Bitdefender has recently published a comprehensive run-through of the security risks associated with sideloading apps from unofficial sources – a practice currently unavailable in the iOS ecosystem.

The Digital Markets Act (DMA), a new law enforced by the European Union, seeks to open iOS to third-party (unofficial) app stores, essentially twisting Apple’s arm to enable sideloading on iPhones and iPads in the EU.

As Bloomberg reported earlier this month, Apple is already building compliance into iOS 17, slated for release in 2023.

Bitdefender Mobile Security, available on both Android and iOS, is designed to offer users powerful protection against malware and ID theft. Learn more at: https://www.bitdefender.com/solutions/.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
