Some wallets distribute an Android .apk directly (or you may need to sideload on a de-Googled device). That convenience comes with risk: a tampered APK can carry malware. Verify before you install.

First choice: the official store

If the developer offers a Google Play listing, prefer it — store moderation adds a layer of protection. Only sideload when there's a genuine reason, and always from the official source.

Verify the SHA-256 hash

Find the published APK hash on the developer's official site or signed GitHub release. Then compute the hash of your downloaded file: drop it into the WalletGuard in-browser verifier (it runs locally) or run sha256sum wallet.apk. If the two values match, the file is authentic; if they differ, delete it. The full method is in our wallet download verification guide.

Check the signing certificate

Android apps are signed. A genuine update is signed with the same certificate as the original. Compare the APK's signing-certificate fingerprint (via apksigner verify --print-certs on a computer) against the developer's published fingerprint. A different signer means a different, untrusted build.
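Both checks can be scripted so that neither is skipped or eyeballed. The script below is an added example, not code from a wallet developer or from WalletGuard; the file name verify_apk.sh and the function names are assumptions, and it expects sha256sum and apksigner on your PATH.

```shell
#!/bin/sh
# Added example: compare a sideloaded APK with the developer's published values.

# Strip colons and whitespace from a hex digest and lowercase it.
normalize_hex() {
  printf '%s' "$1" | tr -d ' :\r\n\t' | tr 'A-F' 'a-f'
}

# True only for exactly 64 lowercase hex characters (a full SHA-256 value).
is_sha256() {
  [ "${#1}" -eq 64 ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# apk_hash_matches FILE PUBLISHED_HASH
# 0 = match, 1 = mismatch or unreadable file, 2 = published value malformed.
apk_hash_matches() {
  expected=$(normalize_hex "$2")
  # A truncated or mistyped published value must never count as a match.
  is_sha256 "$expected" || return 2
  actual=$(sha256sum -- "$1" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# signer_matches PUBLISHED_FINGERPRINT
# Reads `apksigner verify --print-certs` output on stdin. With two or more
# signers the extracted digests span several lines, so the comparison fails.
signer_matches() {
  expected=$(normalize_hex "$1")
  is_sha256 "$expected" || return 2
  digests=$(sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *//p' |
    tr 'A-F' 'a-f')
  [ "$digests" = "$expected" ]
}

# Usage: sh verify_apk.sh wallet.apk PUBLISHED_APK_SHA256 PUBLISHED_CERT_SHA256
if [ "$#" -eq 3 ]; then
  apk_hash_matches "$1" "$2" ||
    { echo "APK hash mismatch: delete the file" >&2; exit 1; }
  apksigner verify --print-certs "$1" | signer_matches "$3" ||
    { echo "Signer differs from the published fingerprint" >&2; exit 1; }
  echo "Hash and signing certificate match the published values"
fi
```

Published fingerprints are accepted with or without colons and in either case, since developers format them differently.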

Don't sideload from: APK mirror sites, links in chats or ads, or QR codes from untrusted sources. These are common malware vectors.

After install

Set up the wallet, and never enter an existing seed phrase unless you're deliberately restoring — see seed phrase phishing.

Frequently asked questions

Is it safe to sideload a crypto wallet APK?

Only if you verify it. Get the APK from the official source, confirm its SHA-256 hash matches the published value, and check the signing certificate fingerprint before installing.

How do I check an APK’s SHA-256 hash?

Compute the hash of the downloaded .apk with a tool like sha256sum or the WalletGuard in-browser verifier, then compare it to the value published by the developer.

What is APK signing-certificate verification?

Android apps are cryptographically signed. Verifying the signing certificate confirms the APK came from the same developer as the original and was not repackaged.