An Empirical Analysis of Security and Privacy Risks in Android Cryptocurrency Wallet Apps

A cryptocurrency wallet app is a piece of software that manages, stores, and generates private keys of cryptocurrency accounts. With the provision of services such as easy access to transaction history, and checking account balance besides transmissions of new transactions in distributed networks such as Blockchains, cryptocurrency wallet apps gain unprecedented popularity which in turn attracts malicious actors to attack users resulting in loss of cryptocurrency assets and leakage of sensitive user data. This paper presents the first large-scale study of Android cryptocurrency wallet apps. We surveyed apps on Google Play to detect and extract meta-data and application packages of 457 cryptocurrency wallet apps. We perform several passive and active measurements designed to investigate the security and privacy features to study the behavior of cryptocurrency wallet apps. Our analysis includes investigating cryptocurrency wallet apps’ third-party embedding, malware presences, and exfiltration of users’ sensitive data to third-parties. Our study reveals vulnerabilities and privacy issues in cryptocurrency apps including the insecure use of HTTP to serve transactions.