Martian Aptos & Sui Wallet Extension
Version 1.7.20 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has strong user adoption with 200,000 users and an excellent 4.9-star rating from 14,500 reviews, indicating positive user experiences. The developer domain "martianwallet.xyz" suggests this is a legitimate cryptocurrency wallet service. The high rating and substantial user base provide some confidence in the extension's legitimacy and functionality.
The extension requests extremely broad permissions that extend far beyond typical wallet functionality. The <all_urls> host permission combined with tabs access creates significant privacy and security risks, as it can monitor and interact with all websites you visit. Content scripts running on all protocols (file, http, https) and all URLs means the extension can inject code into every webpage. These permissions are excessive for a wallet that should primarily need to interact with specific blockchain-related websites and dApps.
Given the high-risk permissions but strong user trust indicators, consider running this extension in a dedicated Chrome profile used only for cryptocurrency activities. This isolates potential risks from your main browsing. Regularly review which websites you visit while this extension is active, and consider disabling it when not actively managing crypto assets. Monitor for any unusual browser behavior or unexpected network requests. The legitimate nature suggested by user reviews makes it safer than unknown extensions with similar permissions, but the broad access still warrants caution.
Findings
Security Analysis Details
Required Permissions:
- tabs
- storage
- notifications
Host Permissions:
- <all_urls>
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-hashes' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
Embedded URLs (295 total):
| https://firebaseinstallations.googleapis.com/v1 | https://fcmregistrations.googleapis.com/v1 | |
| https://cdn.martianwallet.xyz/assets/icon.png | https://clients2.google.com/service/update2/crx | |
| http://www.opensource.org/licenses/mit-license.php. | https://en.wikipedia.org/wiki/Base64#URL_applications | |
| https://github.com/beatgammit/base64-js/issues/42 | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol#Browser_compatibility | |
| https://github.com/indutny/bn.js/issues/211 | https://github.com/keybase/triplesec | |
| https://code.google.com/p/crypto-js/ | http://bitwiseshiftleft.github.io/sjcl/doc/symbols/src/core_gcm.js.html | |
| https://github.com/indutny/self-signed/blob/gh-pages/lib/rsa.js | https://feross.org/opensource | |
| https://feross.org | https://bugzilla.mozilla.org/show_bug.cgi?id=695438 | |
| https://github.com/feross/buffer/pull/97 | https://github.com/feross/buffer/pull/148 | |
| https://github.com/feross/buffer/issues/154 | http://stackoverflow.com/a/22747272/680742 | |
| https://github.com/feross/buffer/issues/166 | https://github.com/nodejs/node/blob/v10.8.0/lib/internal/errors.js | |
| https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith | |
| https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes | https://github.com/mafintosh/end-of-stream | |
| https://github.com/mafintosh/pump | https://github.com/crypto-browserify/crypto-browserify | |
| http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3 | http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#diffadd-dadd-1987-m-3 | |
| https://git.io/vad3K | https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-5.2 | |
| https://github.com/indutny/elliptic/issues | https://github.com/indutny/elliptic | |
| https://github.com/google/closure-library/blob/8598d87242af59aac233270742c8984e2b2bdbe0/closure/goog/crypt/crypt.js#L117-L143 | https://github.com/google/closure-library/blob/master/LICENSE | |
| https://github.com/indutny/self-signed/blob/gh-pages/lib/asn1.js | https://github.com/Rantanen/node-dtls/blob/25a7dc861bda38cfeac93a723500eea4f0ac2e86/Certificate.js | |
| https://github.com/apatil/pemstrip | https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues | |
| https://github.com/nodejs/node/blob/master/lib/internal/crypto/random.js#L48 | https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues | |
| http://pajhome.org.uk/crypt/md5 | http://tweetnacl.cr.yp.to/ | |
| https://github.com/floodyberry/poly1305-donna | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | https://cdn.martianwallet.xyz/blacklisted-websites.json | |
| https://martianwallet.xyz/discord | https://indexer.mainnet.aptoslabs.com/v1/graphql | |
| https://indexer-testnet.staging.gcp.aptosdev.com/v1/graphql | https://indexer-devnet.staging.gcp.aptosdev.com/v1/graphql | |
| https://fullnode.mainnet.aptoslabs.com/v1 | https://fullnode.testnet.aptoslabs.com/v1 | |
| https://fullnode.devnet.aptoslabs.com/v1 | http://127.0.0.1:9000 | |
| http://127.0.0.1:9123/gas | https://fullnode.devnet.sui.io:443/ | |
| https://faucet.devnet.sui.io/gas | https://fullnode.testnet.sui.io:443/ | |
| https://faucet.testnet.sui.io/gas | https://fullnode.mainnet.sui.io:443/ | |
| https://ipfs.io/ipfs/ | https://api-js.mixpanel.com | |
| https://mixpanel.com | https://cdn.mxpnl.com | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/XML/1998/namespace | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xhtml | |
| https://github.com/uuidjs/uuid#getrandomvalues-not-supported | https://git.io/JUIaE# | |
| https://mui.com/production-error/?code= | https://node.shinami.com/api/v1/55ac5ef43c2b999eca8b9ca413a65308 | |
| https://nodereal.mainnet.martianwallet.xyz/v1 | https://raw.githubusercontent.com/hippospace/aptos-coin-list/main/icons/APT.webp | |
| https://api.mixpanel.com | https://api.martianwallet.xyz/v1/utilApis/nodeUrls | |
| https://martianwallet.xyz/terms | https://martianwallet.xyz/privacy-policy |
Raw Manifest
{ "name": "Martian Aptos & Sui Wallet Extension", "icons": { "16": "./images/logo16.png", "32": "./images/logo32.png", "192": "./images/logo192.png", "512": "./images/logo512.png" }, "action": { "default_popup": "./index.html", "default_title": "Martian Aptos Wallet" }, "version": "1.7.20", "commands": { "_execute_action": { "suggested_key": { "mac": "Alt+Shift+X", "linux": "Alt+Shift+X", "windows": "Alt+Shift+X", "chromeos": "Alt+Shift+X" } } }, "background": { "service_worker": "./workerWrapper.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Martian is a self-custodial crypto wallet for Aptos & Sui. Buy, Send, Swap, Stake seamlessly. Get the Chrome extension now!", "permissions": [ "tabs", "storage", "notifications" ], "content_scripts": [ { "js": [ "./static/js/contentScript.js" ], "run_at": "document_start", "matches": [ "file://*/*", "http://*/*", "https://*/*" ], "all_frames": true } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-hashes' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='" }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "inpage.js", "onboarding/onboarding.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.