A new paper has been released showing that Ledger wallets are vulnerable to an exploit that could allow hackers to surreptitiously steal your bitcoin and other altcoins. The exploit allows malware to interfere with the code responsible for generating receiving addresses: instead of showing you a legitimate address, the software shows the hacker's address, so the hacker receives the funds when the user confirms the transaction.
According to the paper, the Ledger wallet software is located in a folder that doesn’t require any privileges to access, meaning any malware can get in and cause havoc. The wallet itself doesn't do any integrity checks to ensure that the source files are untouched either. Any malware looking to cause trouble only needs to replace one line of code in the Ledger software, which can be achieved with fewer than 10 lines of Python code.
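The missing integrity check described above can be approximated from the defender's side. The following is an added example, not code from the paper or from Ledger: it records SHA-256 digests of an application folder after a trusted install, then reports files that were modified, added or removed, and lists files the current unprivileged user can overwrite. The folder name, file names and file contents are constructed for the demonstration and do not reflect Ledger's real layout.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(app_dir):
    """Map each file's path (relative to app_dir) to its SHA-256 digest."""
    root = Path(app_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return the files modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def writable_without_privileges(app_dir):
    """List files the current user can overwrite without elevation."""
    root = Path(app_dir)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and os.access(p, os.W_OK))


def demo():
    """Constructed sample: a stand-in application folder in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "wallet_app")            # hypothetical folder name
        (app / "src").mkdir(parents=True)
        (app / "src" / "receive.js").write_text("const VERSION = 1;\n")
        (app / "manifest.json").write_text("{}\n")
        baseline = snapshot(app)                 # taken after a trusted install
        # Simulate post-install tampering: one changed file, one unexpected file.
        (app / "src" / "receive.js").write_text("const VERSION = 2;\n")
        (app / "src" / "extra.js").write_text("// unexpected file\n")
        return compare(baseline, snapshot(app)), writable_without_privileges(app)


if __name__ == "__main__":
    report, writable = demo()
    print("changes:", report)
    print("writable without privileges:", writable)
```

A baseline kept in the same writable folder can be replaced along with the files it describes, so store it somewhere the unprivileged user cannot write.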
Until Ledger releases a patch, there is a way to ensure you’re sending bitcoin to the correct address. In the bottom right of the Receive screen, a small monitor button can be pressed, which causes the Receive address to show up on the hardware wallet’s screen. This can be used to make sure the address is valid. The same functionality is not present in the Ethereum software that Ledger produces, so you should avoid using it.
The researchers contacted the CEO and CTO of Ledger directly in order to disclose the issue. Eventually, the CTO said that the company would not fix the software but that it would raise awareness of the issue.