Is address scanning a safe option for me?

19 replies 332 views
calmguruSenior Member
Posts: 215 · Reputation: 1355
#1May 23, 2023, 12:57 PM
Hey fellow bitcoiners! So, if I think my phone might be compromised and that copying and pasting an address could lead to a scammer slipping in their own address, I’m thinking of using the QR code scanning method instead. But am I still at risk?
6 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#2May 25, 2023, 03:36 PM
Clipbpard hijacking malware are mostly specific to your clipboard. While in-app address/URI QR code scanners usually are built to decode the QR and paste it directly to the intended text field, so it shouldn't be affected. Of course, keep it a habit to double check the characters of your recipient's address. However, if your device is infected, whether it's just clipboard hijacking malware: Stop using the wallet that's installed in it, keep it offline, and use another device to send your funds to another wallet. Do not ever trust a device that's already infected since it must have another malware or two.
1 Reply Quote Share
calmguruSenior Member
Posts: 215 · Reputation: 1355
#3May 25, 2023, 08:06 PM
i thought as much. i was being curious and ast the same time scared. i double check if the amount is below $50. i triple check if it is above $100 then, i check ten times if it is above $1000 lol Thank you. Best for my peace of mind.
3 Reply Quote Share
pixel2014Hero Member
Posts: 857 · Reputation: 4132
#4May 25, 2023, 09:57 PM
If you scan the QR code, it will not be vulnerable just as it has been explained above, but it is very important to also test your device, making sure it is not affected by the clipboard malware. Copy the address, paste it somewhere to know if it changes. If it changes, it is better your format the device. Make sure you check where you backup seed phrase before doing that. I still pretty much use the copy/paste, especially if I am using a single device. To save the QR code to the device and use it on the same device is not necessary for me when I make sure that I check the address that I am sending to very well before sending any coins. Also if your device can be vulnerable to clipboard malware, what makes it not possible that it will not be vulnerable to other malware that are not clipboard but which can make your wallet vulnerable? It is good to try as much as possible to avoid malware also.
3 Reply Quote Share
RogueDegenFull Member
Posts: 74 · Reputation: 309
#5May 25, 2023, 11:42 PM
I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.
5 Reply Quote Share
yield_moonFull Member
Posts: 102 · Reputation: 297
#6May 26, 2023, 03:19 AM
I’d throw that device in the bin and get a new one. I know it’s overkill and you can easily restore to factory settings but I need peace of mind. If I suspected a device I use for a significant amount of my holdings was compromised, I am extracting the private keys and binning it.
4 Reply Quote Share
coin_sigmaLegendary
Posts: 1275 · Reputation: 5553
#7May 26, 2023, 04:26 AM
I suggest learn to have a separate device for offline transaction just like mine. If you want to do the same, you can have a separate offline wallet on another phone as your hardware wallet device never connect it online and only use it to sign a transaction and another device for making unsign transaction. The wallet software I use is Electrum on both devices. About the QR code, you can scan it from your offline wallet and review everything before signing it. Make it a habit because this method is more secure than just using it as a hot wallet, because there are lots of possible attacks while your device is connected online. Since your keys are in your offline device, you are far from most of the online attacks. Even if your online device is infected, you can always review the transaction from your offline device to determine if the QR code generated is hijacked or not. You can just ignore it or don't sign it when you notice a different address while reviewing the transaction from your offline device.
3 Reply Quote Share
d4rk5tackSenior Member
Posts: 259 · Reputation: 1325
#8May 26, 2023, 09:02 PM
You know what this is exactly what the scammers what you to actually do, just verify the prefixes and the suffixes, they can easily just create a vanity address with the suffixes and prefixes been the same as yours as we have heard in the past from address copy and paste scams in the past. The best practice remains carefully checking every one of the addresses before proceeding to actually broadcast your transaction. The private keys extracted should not be permanently used too, because with the device infected there is chance keys and seed phrases are not save too so best is to sweep that wallet entirely into a new wallet on another new device. This way you’re sure the wallet isn’t infected too
4 Reply Quote Share
hodler_b34rFull Member
Posts: 121 · Reputation: 453
#9May 27, 2023, 12:47 AM
Checking a Bitcoin addresss characters before finalize a transaction broadcast is important for the transaction and fund safety. How to lose your Bitcoins with CTRL-C CTRL-V. Using Control C and Control V for copy and paste a Bitcoin address is easy practice but for OPSEC, spending some more seconds for checking characters can save us from mistakes and accidents during transaction broadcasting time.
0 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#10May 29, 2023, 11:09 AM
Did you pull this out of a chatbot? Read How to lose your Bitcoins with CTRL-C CTRL-V to see why this is a bad idea. I'd throw it in a drawer Never dispose of devices that hold private information. Phones are terrible for offline usage. To start: you can't really install that wallet without going online first. Things like "find my phone" or GPS trackers are hard to turn off, the thing will keep trying to connect somewhere. If you want to sign offline, learn how to do it on a laptop. To get you started: Adjust the above depending on your needs, and make sure you know what you're doing before doing it.
4 Reply Quote Share
calmguruSenior Member
Posts: 215 · Reputation: 1355
#11May 29, 2023, 04:05 PM
This is my fear, but I believe that for malware to replace QR codes, it must be a high malware that not an everyday scammer will be able to have.
3 Reply Quote Share
bull_2019Senior Member
Posts: 296 · Reputation: 1992
#12May 29, 2023, 06:26 PM
Malware is malware, and it is designed for a purpose. Depending on what you are using the QR code for, you can always verify it on the device that scanned it to confirm the details are correct, for example an address QR code. On the second device, you will see the full details, so verify the address again before constructing your transaction.
6 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#13May 29, 2023, 07:44 PM
You concern is about an example device where there's a clipboard hijacking malware. For the QR code replacement to happen, the recipient's device should be the one that's infected which is not in your control. In case where you're still willing to use a clipboard malware-infected device despite all the warnings we've mentioned: Just do not use any third-party scanners to decode the QR code and use your wallet's in-app scanner. If you're provided with a wrong QR Code by the recipient due to a malware on his device and he didn't show the correct bitcoin address for you to double-check, it should be on him, not your fault.
0 Reply Quote Share
paul.ninjaFull Member
Posts: 152 · Reputation: 539
#14May 30, 2023, 01:32 AM
QR codes help with clipboard malware but they're not magic. If your device is compromised enough, malware can hook into the QR scanner itself or mess with what gets displayed on screen after scanning. The only real answer is: don't sign transactions on a device you don't trust. If you think it's infected, assume everything on that device is compromised - what you see, what you copy, what you scan. Use a clean device for signing or go full airgap. Always verify addresses on the hardware wallet screen itself, not on your computer or phone. That's the whole point of having one.
3 Reply Quote Share
pixel2014Hero Member
Posts: 857 · Reputation: 4132
#15May 30, 2023, 03:27 AM
You have good points but it is worth knowing that wallet on an airgapped device can scan compromised QR code. The problem is not the airgapped device nor wallet on the airgapped device, the problem is where the QR code is generated, first sent to or using third-party scanner on an online wallet. If the QR code is generated on the wallet, there is no problem by using the wallet scanner or airgapped device scanner to receive the PSBT and sign it directly.
3 Reply Quote Share
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#16May 30, 2023, 08:44 AM
Will you escape it ? Yeah probably if the malware wasn't designed to steal from the camera also however the question you should be asking yourself is if it makes any sense to be happy living with a malware on your primary device and only trying to avoid it by taking another route. Get that device formatted and more secured after that and stop betting on your intuition to save you or luck to say it might or might not happen.
3 Reply Quote Share
john42Full Member
Posts: 76 · Reputation: 425
#17May 31, 2023, 12:14 AM
If you have an external storage on that device like memory cards, be sure to remove it and perform a full format on it differently from a clean device because formatting the mobile device does not also format the external storage by default. The files in it remain intact and if there are malwares present on the external storage, the device would be infected again.
4 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#18May 31, 2023, 12:26 AM
If your phone is infected then you need to wipe your device. Don't use crypto stuff on an infected device. You might look for a "clever" way to evade it but the malware is usually sophisticated.
4 Reply Quote Share
BasedGasHero Member
Posts: 460 · Reputation: 2335
#19May 31, 2023, 02:48 AM
After reading this thread, I just got one more question hope I will get the right answer. How do you guys find that the device is infected if it's a smartphone? AFAIK, malware on the smartphones can stay completely under the radar and complex ones can't even be found in the app manager or even have fake names, so it is not possible to verifywhether the device is infected or not in the first place. So I would suggest using a PC that is 100x better for wallet purposes.
3 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#20Jun 2, 2023, 12:22 PM
I just assume it's not safe
0 Reply Quote Share

Related topics