Hi guys,

Here is an example of why you should only install applications from the official Google Play or Apple App store. When you download apps outside of the official stores, you have zero ideas what you are getting in terms of quality and, most importantly, security.

In this case, hackers put out a version of the Bitkeep cryptocurrency wallet app that contained a way to siphon funds from the user’s wallet over Christmas. Google or Apple would have never approved these app versions, so they distributed them in third-party app stores where there are zero security checks and all apps are allowed. Amazingly they got dozens of Bitkeep users to install these fake apps from shady locations that resulted in them losing $8,000,000 between them. Here is what we know and also how to stay safe.

Who are Bitkeep? (according to their website)

BitKeep is a decentralized multi-chain crypto wallet dedicated to providing safe and convenient one-stop digital asset management services to users around the world. We are now serving nearly 8 million users across 168 countries. The choice of 8 million global users with the following features:

  • Safe and transparent, the decentralized wallet that puts your data & assets in your own hands
  • With 80+ blockchain networks supported, this is where you explore various NFTs, DeFi protocols, and DAOs…
  • Efficient Cross-chain trading enabled to make hot NFTs/tokens within reach
  • Explore 20,000+ DApps across multiple networks through our Web3 DApp browser

Here is the statement from bitkeep confirming the hack

📣 Dear BitKeep users, after a preliminary investigation by the team, it is suspected that some APK package downloads have been hijacked by hackers and installed with code implanted by hackers. If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked.
Now for the safety of user funds, if you downloaded the APK version, please transfer the funds to the wallet downloaded from another official store (App Store or Google Play). In addition, it is recommended to use the newly created wallet address, the address you created through apk may be leaked to hackers.

👉🏻 Tip: If conditions permit, please be sure to use the official Apple or Google store to download and use BitKeeper wallet to ensure the safety of your assets ❗️

If your wallet is stolen, please submit relevant materials in the form as soon as possible, we will figure out the solution and assist as soon as possible

How do you stay safe?

  • Only install apps from the Google Play Store; check how many reviews the app has. (This is the most important thing to do)
  • Never install an app from a website that you do not trust. You can use Incognito Website Checker, and we will tell you if it is safe or not.
  • During installation, pay attention to the requested permissions and do not grant any permissions that appear unnecessary for the app’s core functionality.
  • You can also use Incognito’s App Check tool to check what permissions an installed app already has on your device. If you use this feature, you will be stunned by some of your installed apps’ permissions. I suggest you use this tool to check what apps have permissions on your device. Does a torchlight app need to be able to make phone calls etc.?
  • Keep an eye on battery consumption; if your device goes dead fast, it is a clear sign go malware infection
  • Also, keep an eye on network traffic volumes to identify any spikes, as this can be a sign of malicious processes running in the background.

I hope you are well and will talk to you soon.

Max Roberts,
Incognito Privacy Care Team