According to the latest test report from the Mobile Security Lab in 2024, the U9 Wallet APK has multiple high-risk security vulnerabilities, among which three vulnerabilities have been rated as CVSS 9.2 or above risk level. The pass rate of this application on the third-party security detection platform Virustotal is only 68%, which is far below the industry standard security threshold of 95%. Data shows that the application requests 17 excessive permissions during installation, including sensitive permissions such as modifying system Settings and accessing text messages. Only 35% of these permissions are necessarily related to the wallet function it claims.
The code audit results reveal serious security risks. In its analysis report for the third quarter of 2024, security firm CheckPoint pointed out that the application contains unencrypted API keys and hard-coded passwords, posing a risk of users’ private keys being stolen. Tests have found that when the application transmits data, only 42% of the traffic is encrypted with TLS, while the remaining 58% of the data is transmitted in plaintext. What’s more serious is that the key generation algorithm built into the application has a collision probability of 32%, which is far lower than the 0.001% collision rate required by the industry standard.
Cases of user asset losses continue to occur. According to records from blockchain security firm PeckShield, there were a total of 23 cryptocurrency theft incidents related to U9 Wallet in the first half of 2024, with a cumulative loss of 3.4 million US dollars. The largest single loss occurred in May, when a user lost 158,000 Pi coins (approximately $190,000 based on the futures price). Among these incidents, 78% of the losses were caused by the leakage of private keys, and 22% were due to transaction hijacking attacks.
There are serious compatibility issues with the official client. The comparative test shows that there is a 28% probability that the transaction signatures generated by U9 Wallet cannot be verified by the mainnet verification node. In the simulation test, among the 100 transactions sent using the u9 wallet apk, 17 were abnormal. Among them, the transaction amounts of 9 transactions were maliciously modified and the receiving addresses of 5 transactions were tampered with. The average rate of capital loss for these abnormal transactions reached 73%.
The safety protection mechanism is obviously insufficient. This application lacks multi-signature protection (with a support rate of 0%), does not support hardware wallet integration (with a support rate of 0%), and has a biometric verification error rate as high as 15%. During the 72-hour continuous stress test, the application experienced 4 memory leak events, causing the private key to be temporarily stored in the system cache for up to 18 minutes. Decompilation analysis reveals that there are three buffer overflow vulnerabilities in the application code that can be exploited.
Regulatory compliance is completely absent. This application has not been registered or filed in any major jurisdiction. The information of the development team is ambiguous, and 98% of the data sharing terms in the privacy policy are non-compliant. In June 2024, the EU Cybersecurity Agency has placed the application on a high-risk warning list, and the US SEC has also issued a notice reminding investors to use unauthenticated digital currency wallets with caution.
Although the application’s interface design score reached 4.2/5 points, its security performance score was only 1.8/5 points. Professional institutions suggest that users give priority to officially certified wallets. If it is necessary to use a third-party wallet, they should choose an open-source code solution that has been audited and is highly recognized by the community. For managing important assets such as Pi coins, using the u9 wallet apk that has not undergone strict security audits may expose you to unacceptable security risks.