Microsoft has recently removed from its store a fraudulent Ledger Live app for cryptocurrency management after multiple users lost at least $768,000 worth of cryptocurrency assets. Published with the name Ledger Live Web3, the fake application appears to have been present in the Microsoft Store since October 19, but the cryptocurrency theft started being reported just a couple of days ago.

Blockchain enthusiast ZachXBT alerted the cryptocurrency community on November 5 to a fraudulent Ledger Live application in the Microsoft Store that stole almost $600,000 from users who installed it. Microsoft reacted on the same day and removed the app from the store, but the fraudster had already transferred more than $768,000 from victims.

The fraudster did not spend much effort in making the fake Ledger Live app appear legitimate, though. Looking at the entry in the Microsoft Store, there are sufficient red flags to raise suspicion. Beyond the description that was copied word for word almost entirely from the legitimate app in the Apple Store, the app had only one five-star rating when it was taken and the fraudster used "Official Dev" for the developer name.

It is unclear how many Windows users fell victim to the false version of Ledger Live on the Microsoft Store, but ZachXBT received messages from multiple victims who had lost cryptocurrency after installing the fake app. In a post on Reddit, another victim shared how they lost their life savings of $26,500 just a few minutes after typing the seed phrase into the fake Ledger Live app:

"Downloaded a new Ledger app I found on Microsoft Store after reinstalling Windows on my computer about 1-2 hours ago. Had not accessed it through Ledger Live in a while and was prompted to input my 24 word seed recover phrase. Didn't think more about that since so much had happened with both reinstalling Microsoft OS and Ledger Live App, but... It took a few minutes before I saw all my crypto, $18,5k bitcoin and about $8k alt coins disappear."
Although the fraud was discovered on November 5, Google search results show that the fraudulent Ledger Live Web3 app had been present in the Microsoft Store since October 19, when the legitimate counterpart on Google Play received an update. The page promotes the app as being an official Ledger product that is available through the Microsoft Store, although it is far from a lookalike of the legitimate Ledger Live page.

Given all the signals that warn of a possible scam, it is uncertain how the fraudster managed to publish the app in the Microsoft Store. BleepingComputer reached out to Microsoft for a comment about the screening process for submitted apps, and a spokesperson said that the company is "continually working to ensure malicious content is identified and taken down quickly."
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000