An Android crypto wallet stealer


With the rise in popularity and investments in Crypto currency there has been a rise in Crypto related scams as well. SonicWall Threats Research team identified an Android crypto wallet stealing malicious Android application.



Initial Activity

Upon installation and execution the app requests the user to grant Accessibility Services:


The app needs these services so that it can perform clicks in the background on behalf of the user. This is the modus-operandi used by the app to steal crypto wallets from the targeted wallet app – com.wallet.crypto.trustapp.


Accessibility Services

In order to gain the user’s trust and to convince the user to grant Accessibility Services, the malware provides an explanation to the user:


The malware creates a service – com.test.accessibility.MyAccessibilityService – that contains a number of interesting elements

  • Hardcoded server URL –


  • Elements of communication using Telegram bot


  • A number of app elements related to the target wallet app – com.wallet.crypto – which govern the different components of the legitimate crypto wallet app

  • performAction(16) can be seen at several places in the code. This action performs a ‘click’ or ‘touch’ on a mobile device, so these actions are intended to click a button. Accessibility services allows an application to perform such clicks in the background without the user’s knowledge


Overall this malware is a crypto wallet stealer with a single target app that is quite popular on the Google Play store. With the rise in crypto investments we expect more such malicious apps and scams to surface in the near future.


Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.CryptoStealer.HT
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.