Is Trust Wallet safe?

Analysis summary

• Summary: Trust Wallet is a browser extension designed to manage cryptocurrency assets across multiple networks. It is rated Critical due to confirmed malicious activity detected in version 2.68, posing significant security threats.

Key insights:

Intended for managing digital assets and interacting with blockchain networks.
Rated Critical due to confirmed malicious activity, including a security incident affecting the extension.
Exhibits broad host permissions and sensitive code execution capabilities, increasing the risk of unauthorized script injection and data exposure.
Communicates with an expired domain, presenting potential supply chain risks if hijacked by threat actors.
Contains a high-severity vulnerability (CVE-2025-58754) that could be exploited for denial-of-service attacks, further elevating its risk profile.

Malware versions

2.68.0

Now Viewing

malware

Findings

Malicious Activity Detected

Flags items that exhibit confirmed malicious activity.

critical

Evidence

This version contains code that exfiltrates user seed phrases to an attacker-controlled server (api.metrics-trustwallet[.]com) disguised as analytics telemetry. The exfiltration triggers on every wallet unlock, affecting all wallets in the user's account regardless of authentication method.

Communication With Expired Domain

Flags items that communicated with a domain that has expired, which can be exploited by threat actors to hijack the domain and deliver malicious payloads, steal data, or impersonate trusted infrastructure.

medium

Code Execution Permissions

Flags items that request permissions allowing them to inject, execute, or modify code at runtime. These capabilities expand the item’s control over the browser environment and significantly increase the potential for evasive behavior, or post-install exploitation.

medium

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

Purpose and Intention

This Chrome extension is the official Trust Wallet browser extension. Its purpose is to provide a secure crypto wallet interface for users to manage digital assets across multiple networks. The code implements wallet functionality, blockchain interaction, transaction signing, and user interface features for crypto asset management.

API Calls and Network Activity

The extension interacts with various blockchain networks, including Ethereum, VeChain, Solana, and others, to fetch balances, send transactions, and interact with smart contracts.
It uses HTTP(S) requests to public blockchain RPC endpoints and Trust Wallet's own APIs for asset metadata, trending assets, and staking information.
Example URLs (truncated):
- https://trustwallet.com/blog/how-to-stake-...
- https://community.trustwallet.com/t/...
- https://short.trustwallet.com/...
- https://support.trustwallet.com/...
- https://gov.tools/
The extension does not appear to communicate with unknown or suspicious third-party domains. All network activity is consistent with the expected operation of a multi-chain wallet.

Filesystem, Process, and OS Interaction

As a browser extension, there is no direct access to the local filesystem, process execution, or OS-level operations. The code does not attempt to execute shell commands, PowerShell, or manipulate the Windows Registry.
There is no evidence of file creation, user creation, or persistence mechanisms outside of standard browser extension storage.

Clipboard Access

No direct clipboard access or manipulation is present in the provided code.

Privilege Escalation and Backdoors

No privilege escalation, hidden backdoors, or unauthorized code execution is present.

Obfuscation

The code is minified and compiled, as is typical for production browser extensions, but it is not obfuscated in a way that hides its intent (e.g., no string encryption, control flow flattening, or variable mangling beyond minification).

Summary

The extension's code is consistent with a legitimate crypto wallet browser extension. All network activity and API calls are to expected domains, and there is no evidence of malicious intent or behavior.

Permissions

high

scripting

api

Allows execution of scripts in web page contexts, potentially manipulating site behavior and user interactions.

high

tabs

api

Provides access to privileged information about open tabs including URLs, titles, and loading status, beyond basic tab management.

medium

clipboardWrite

api

Lets the extension cut and copy items to the clipboard using the web platform Clipboard API.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

Infura

/4482.js

Unverified

Box

/composeResources/com.trustwallet.sdk.strings.generated.resources/values-my/strings.commonMain.cvr

Unverified

Box

/composeResources/com.trustwallet.sdk.strings.generated.resources/values-my-rMM/strings.commonMain.cvr

Unverified

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-4hjh-wcwx-xvwj

Axios is vulnerable to DoS attack through lack of data size check

CVSS:

7.5

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://support.trustwallet.com/en/support/home

1383.js

https://github.com/mozdevs/cssremedy/issues/4

15.js

https://github.com/tailwindcss/tailwindcss/pull/116

15.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

axios

Version:

1.10.0

chart.js

Version:

4.4.2

react-is

Version:

16.13.1

All dependencies are available for Enterprise users

Licenses & Compliance

Compliance

Compliance status and certifications for the extension and its publisher

Trust Wallet

Trust Wallet has official ISO 27001 certification as indicated on their website, demonstrating their commitment to information security. Additionally, their parent company, Binance, also holds the ISO 27001 certification, which further reinforces the compliance status of Trust Wallet.

Compliant

Licenses

No license text available...