
How it works: Trojan apps request risky permissions, overlay wallet screens, or capture clipboard/keystrokes to steal keys. On mobile, “accessibility services” and “draw over other apps” can enable phishing overlays and key capture. On desktop, bundled installers add clipboard hijackers that replace withdrawal addresses.
Spot it
What to do
How It Plays Out
Convenience is the bait. A forum post links a “pro” price tracker with floating bubbles and one-tap alerts—APK only. On install, it asks for Accessibility Service (“to draw price overlays”) and Display Over Other Apps (“for convenience”). That combination is a master key: it can watch your screen, log taps, and place pixel-perfect phishing layers atop real wallet dialogs.
Two days later, your wallet prompts look subtly off—fonts a shade different, the gas line missing—because you’re seeing an overlay, not the real sheet. You confirm a harmless approval; the malware silently swaps in a broad token approval behind the glass. On desktop, the “tracker + miner” bundle you grabbed last month added a clipboard hijacker; when you copy a withdrawal address, it replaces the middle characters with an attacker’s look-alike that passes a quick glance.
The telltales are small. A swap you didn’t initiate appears in history. Exchange withdrawals land at an address that matches the first/last four but not the core. Battery drain rises. Permissions show the tracker “monitoring your actions” all day. The installer is unsigned; the developer has no other apps; the website’s “privacy policy” is lorem ipsum.
Recovery is not cosmetic. Assume the device is hostile. On a separate, clean device, generate a new wallet and move assets immediately. Revoke token allowances for anything you interacted with recently. For exchanges, rotate passwords and 2FA seeds; recreate API keys with withdrawals disabled and an IP allowlist. Then wipe or factory-reset the infected device, reinstall only from official stores, and split roles: keep wallets in a dedicated user/profile with no extra apps; run trackers/read-only tools elsewhere; never grant Accessibility/overlay permissions to anything that touches money. If you must sideload, don’t—unless you can verify signatures and the publisher is known.
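The "first/last four match but not the core" telltale above can be checked mechanically. As an added example that is not part of the original article, the Python below compares the address you meant to send to against what actually landed in the withdrawal field, flags the hijacker's signature (ends preserved, middle replaced), and reports where the substitution starts and ends; both addresses are constructed samples and the helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample values (not real addresses): what you copied from the
# exchange page, and what a clipboard hijacker pasted into the withdrawal field.
INTENDED = "0x1f9840a85d5af5bf1d1762f925bdaddc4201f984"
PASTED = "0x1f98e2b7c41d0a9f6c8b3e5d7a2f4c6e8b0df984"

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


@dataclass
class Verdict:
    glance_match: bool  # "0x" + first four and the last four hex digits agree
    exact_match: bool   # every character agrees
    first_diff: int     # index of the first differing character, -1 if none
    last_diff: int      # index of the last differing character, -1 if none


def normalize(addr: str) -> str:
    """Strip whitespace and lower-case so mixed-case (EIP-55 style) display
    differences neither hide nor fake a substitution."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 0x-prefixed 40-hex-digit address: {addr!r}")
    return addr.lower()


def compare_addresses(intended: str, pasted: str) -> Verdict:
    a, b = normalize(intended), normalize(pasted)
    glance = a[:6] == b[:6] and a[-4:] == b[-4:]  # what a quick look checks
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if not diffs:
        return Verdict(glance, True, -1, -1)
    return Verdict(glance, False, diffs[0], diffs[-1])


def is_lookalike_swap(v: Verdict) -> bool:
    """Hijacker signature: passes the glance check yet is not the same address."""
    return v.glance_match and not v.exact_match


if __name__ == "__main__":
    v = compare_addresses(INTENDED, PASTED)
    if is_lookalike_swap(v):
        a, b = normalize(INTENDED), normalize(PASTED)
        print("LOOK-ALIKE SUBSTITUTION: ends match, core differs")
        print("  intended core:", a[v.first_diff:v.last_diff + 1])
        print("  pasted core:  ", b[v.first_diff:v.last_diff + 1])
    elif v.exact_match:
        print("addresses identical")
```

Checking only the ends is exactly the habit the hijacker exploits, so the full comparison is the one to automate or, failing that, to do by reading every character.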
Pocket anchors: Fewer permissions, fewer problems. If an app sits on top of other apps, it can sit on top of your keys.
Scams thrive on tempo—on making you move before you measure. What protects you isn’t a sixth sense, it’s a system. The boring kind: bookmarks instead of search. A pause before you click. A second tab to build the opposite case. A test withdrawal before you trust a balance. An offline backup you never brag about because it’s dusty and dull.
The irony is that “boring” is what compounds. Scams promise speed, thrill, shortcuts. Process gives you something rarer: survivorship. You’re still here after the glamour streams fade, after the referral ladders collapse, after the dashboards vanish. That’s how you get to play long enough for skill to matter.
Make safety the muscle memory, not the mood. Let your default be slower, smaller, reversible. If you ever feel rushed, flattered, or crowded, step sideways until the pressure breaks. Crypto is neutral—it will wait. The question is whether you can.
Pocket anchors: Routine beats adrenaline. Survival is the edge. Boring is how you win.