We have recently received feedback from the community that there are counterfeit TronLink APK (Android application package) files that may compromise the security of users' assets.

Through decompilation, cybercriminals implant code that can steal private keys and mnemonics in the official version of APK and then package and publish it on other websites for potential victims to fall into their trap.

If users download and use such fake TronLink wallets, their private keys or mnemonics will be leaked, risking the loss of all of their assets.

Therefore, we have written this tutorial to guide users to check whether the APK they are using is genuine through SHA256/PGP verification.

Methods of Verification

1.SHA256 verification

2.PGP verification

The following is the PGP public key information of TronLink official website APK:

• GitHub-TronLink: https://github.com/TronLink/Tronlink-Android

• Public key: 7B910EA80207596075E6D7BA5D34F7A6550473BA

• User id: build_tronlink <build@tronlink.org>

What is SHA256?

The SHA256 value is obtained by calculating the hash value of the APK through the SHA256 algorithm. By comparing the SHA256 value of the downloaded APK with the official one, users can verify if the content of the file has been tampered with.

Compared with the more common MD5 algorithm, SHA256 is more time-consuming but more secure.

What is PGP?

PGP (Pretty Good Privacy) is an encryption program that provides cryptographic privacy, which can be used for integrity verification and source verification. PGP first calculates the APK file digest through the RSA algorithm and then encrypts the digest by using the private key of TronLink stored in the hardware to create a signature file.

Users can import the TronLink PGP public key through the PGP public key server, decrypt the signature file using the key, and compare the decrypted file with the local APK file digest. If the two are consistent, then the local APK file is complete and untampered, which proves that it is the legit version launched by TronLink, as no one can access TronLink's official private key to sign the APK file digest.

What is a signature file?

To create a signature file used in PGP, PGP encryption first calculates the APK file digest through the RSA algorithm and then encrypts the digest by using the private key of TronLink stored in the hardware. A signature file is used to verify if the APK file is officially launched by TronLink.

The SHA256 value and the signature file of TronLink official website APK

SHA256 verification steps

Calculate the SHA256 value by online tools

1.Download the TronLink APK file;

2.Go to https://emn178.github.io/online-tools/sha256_checksum.html Note: this website is for calculating the SHA256 value of a file;

3.Upload the APK to the website to obtain the SHA256 of the file. Select SHA256 as below, and Drop the APK to the area;

4.Compare the obtained SHA256 with the one in this document, the APK file is genuine if the two are consistent; otherwise, the file is counterfeit. If you find the file fake, please stop using the application at once, then download the official version of TronLink on https://tronlink.org and transfer your assets out.

Obtain SHA256 on macOS

1.Put the TronLink APK on your desktop;

2.Open Terminal (Default Path: Launchpad—Others—Terminal), enter cd desktop/, then press the Enter key to confirm;

3.Enter shasum -a 256 ‘The file name of the APK’, press the Enter key to confirm and get the SHA256 of the APK;

4.Compare the obtained SHA256 with the one in this document, the APK file is genuine if the two are consistent; otherwise, the file is fake, in which case you should stop using the application at once, then download the official version of TronLink on https://tronlink.org and transfer your assets out.

Obtain SHA256 on Windows

1.Put the downloaded TronLink APK on your desktop;

2.Open Command Prompt (Press Windows + R, then enter CMD and press the Enter key) and enter cd desktop/, then press Enter to confirm;

3.Enter certUtil -hashfile ‘The file name of the APK’ SHA256, press Enter to confirm and get the SHA256 of the APK;

4.Compare the obtained SHA256 with the one in this document, the APK file is genuine if the two are consistent; otherwise, the file is fake, in which case you should stop using the application at once, then download the official version of TronLink on https://tronlink.org and transfer your assets out.

PGP verification steps

1.Install the client

Method 1: Install GPG Suite at https://gpgtools.org/ (recommended to non-developer users)

Method 2: Download GnuPG (GPG) Find the source code at https://gnupg.org/download/index.html

Enter the source code and execute "./configure & make install" (You can download the dependency following the guide)

Method 3: Download the GnuPG installation package at https://gnupg.org/download/index.html

Please find the right package for your device. For example, macOS users should download GnuPG for OS X.

After installation, run gpg --help in Terminal or Command Prompt. The installation is considered successful when the version info is displayed. Note: you can find details on how to run Terminal and Command Prompt in the SHA256 section above.

2.Import the TronLink PGP public key

Method 1: Use the GPG keychain which comes with GPG Suite, click “Lookup Key

”, enter 7B910EA80207596075E6D7BA5D34F7A6550473BA, and import the public key shown in the result.

Method 2: Enter gpg --recv-keys 7B910EA80207596075E6D7BA5D34F7A6550473BA in Terminal or Command Prompt, and the public key will be imported automatically.

3.Download the TronLink APK and the corresponding version of the PGP signature file, and put them on your desktop. Note: the latest versions of the APK and the PGP can be found on TronLink's official website.

4.Integrity verification:

* This is a crucial step. It is recommended that users always verify the file's integrity after download and before installation.

(1) Enter cd desktop/ in Terminal or Command Prompt, and press Enter to confirm.

(2) Enter gpg --verify ‘The signature file name of the APK’ ‘The file name of the APK’, and press Enter to confirm.

If the output is gpg: Good signature, then the APK is genuine. Otherwise, it is fake, in which case you should stop using it immediately, go to https://tronlink.org to download the official version of TronLink, and transfer your assets out.