Cryptocurrency scams on Android: do you know what to watch out for?

The growing prices and popularity of cryptocurrencies don’t just attract masses of potential users, but also inspire cyber-crooks to find new and creative ways to get their sticky fingers on all those virtual coins. Of course, cryptocurrency scams are not exclusive to PCs and have already emerged on the Android platform, using a wide array of disguises.

Fake cryptocurrency exchange apps

Cryptocurrency exchanges are an attractive target for crooks not only due to their popularity with cryptocurrency enthusiasts, but also because many don’t offer a mobile app. Such “unclaimed territory” acts like a magnet for scammers who waste no time coming up with malicious fakes.

Typically, the purpose of such fake apps is to phish for login credentials to the impersonated official exchange. Attackers then use the stolen credentials to take over the compromised accounts. To lure users into giving away their passwords, crooks try to raise as little suspicion as possible – the developer name, app icon and user interface usually mimic those of the legitimate service, and the app may even appear to have a good overall rating thanks to fake reviews.

A recent case of this type of scam is the phishing apps impersonating the cryptocurrency exchange Poloniex, discovered on Google Play last year and resurfacing frequently ever since.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_589896_96a929b6-7fdf-4b8f-bcfa-fb07bc04e787_0.png

Figure 1 – The fake Poloniex apps on Google Play

Fake cryptocurrency wallet apps

Similar phishing schemes also afflict users of cryptocurrency wallets, only instead of a password, the attackers are directly after the wallets’ private keys and phrases. In practice, this means that the stakes are higher for users of cryptocurrency wallets – a stolen password to a cryptocurrency exchange may be reset with the help of the exchange holding the user’s private key, but in the case of a wallet, it’s the private key that gets compromised, with no one else to save the day.

Lately, we’ve observed this kind of malicious behavior in apps impersonating MyEtherWallet, a popular, open-source, Ethereum wallet. The apps, uploaded to Google Play multiple times over recent months, attempt to steal users’ private keys and/or mnemonic phrases using various bogus login forms. Like the Poloniex exchange, MyEtherWallet doesn’t have an official mobile app, which makes it attractive for imposters.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_589897_eeea4a91-2630-4947-b5a9-6daa7f759e23_0.png

Figure 2 – The fake MyEtherWallet apps on Google Play

Besides phishing apps, we’ve also analyzed fake cryptocurrency wallets that merely try to trick victims into transferring coins to the attackers’ wallet. Such wallet address scams follow a simple procedure – they pretend to generate a public key for a new wallet and instruct users to send their digital coins to the generated address. If users follow this instruction, they soon find that the coins they sent are gone.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_589898_9c164c80-cd8b-4906-a245-7298a4527401_0.png

Figure 3 – Wallet address scam apps targeting users of various cryptocurrencies

Android crypto-mining malware

With the recent boom in cryptocurrency mining, the number of Android-based miners has also been rising. Whether a crypto-mining app is considered malicious comes down to consent – are users knowingly using their device for cryptocurrency mining, or is the device being hijacked with someone else making the profit? When the latter is the case, we speak of crypto-mining malware.

Recently, we have discovered that a version of the popular game Bug Smasher, installed from Google Play between 1 and 5 million times, has been secretly mining the cryptocurrency Monero on users’ devices.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_589899_9df8add3-195b-481c-a16e-8f4b229bc183_0.png

Figure 4 – The Bug Smasher app with hidden mining functionality

Fake crypto-miners and free giveaways

A separate category of cryptocurrency scams consists of apps that pretend to mine cryptocurrency for the user but in reality do little more than display ads. Some of the fake miners we’ve analyzed also try to trick users into rating them with 5 stars. While these apps aren’t malware per se, we consider them unwanted due to their deceptive nature.

Interestingly, the fraudsters behind some fake miners don’t seem to worry about the infeasibility of their promises – besides countless fake bitcoin miners, we have also found apps that promise to mine the cryptocurrency Ripple (XRP), a non-minable currency by definition.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_589900_131ddab3-5c8b-4114-a323-bb3098fcaae0_0.png

Figure 5 – Fake Ripple miners on Google Play

All the apps mentioned above are detected and blocked by ESET systems and have been suspended from the Google Play store. Users with Google Play Protect enabled are protected via this mechanism.

How to stay safe

Here’s what you can do to avoid falling victim to cryptocurrency scams on Android:

  • Treat cryptocurrency exchanges and wallets with the same level of caution as your mobile banking apps.
  • When downloading a mobile app for a cryptocurrency exchange or wallet, make sure the service really offers a mobile app. The official app should be linked on the service’s official website.
  • If the option is available, use two-factor authentication to protect your exchange or wallet accounts with an extra layer of security.
  • When downloading apps from Google Play, pay attention to their number of downloads, as well as app ratings and reviews.
  • Keep your Android device updated and use a reliable mobile security solution to protect it from the latest threats.

To read more about Android-based cryptocurrency scams and their go-to tricks and techniques, see ESET’s whitepaper, Cryptocurrency scams on Android.

You are also welcome to discuss this topic with ESET experts during Mobile World Congress 2018 in Barcelona. You can find them at booth 41 hall 7 during the whole show from February 26th to March 1st.

IoCs

Package name                                      Hash                              Detection name
com.puissantapps.bugsmasher.free                  289E8B3D442BA3B6E3826604D35AC37B  Android/Coinminer.Q
com.appybuilder.amal_zaki_meka212.BitcoinWallet   2778B8493E0E71E5AA3CF70E3BB2A3D0  Android/FakeApp.HM
com.appybuilder.amal_zaki_meka212.BitPhonex       955D2E3D4F765BEBE95570AC5581379D  Android/FakeApp.HM
com.appybuilder.amal_zaki_meka212.blockchaincoin  C1EB276F805F93D5BCE3FCBB722E55AE  Android/FakeApp.HM
com.bitcoin.btc.neowallelt                        F811C48C500A3A01F45334740B74D40C  Android/FakeApp.HZ
com.criptomoendas.fa.ethwallet                    4AB2E39EC35A6D08CE3249359C504520  Android/FakeApp.HZ
com.libretriunfo.fa.billeterabitcoin              E5171496DCDB335379F5F51B576FEB39  Android/FakeApp.HZ
com.libretriunfo.fa.btcwallets                    66658D4F035699057E0271960B3F49F5  Android/FakeApp.HZ
com.libretriunfo.fa.litecoinwallet                57A6F8EADAE0D514FA33C92D91629944  Android/FakeApp.HZ
com.wallet.a42coin42.coin4242                     C0C9B28ABE57F8FBC71516205AE67F9D  Android/FakeApp.HZ
com.wallet.omisego.omisego                        A964ACED6978BA202CA7B8D98434528A  Android/FakeApp.HZ
com.wallet.qtum.qtumwallet                        C275D99C6CD664FB7B811255114F174D  Android/FakeApp.HZ
com.wallet.samouraiwallet.samouraiwallet          B15C2140E8DAC2E6799A0C9FDC1857ED  Android/FakeApp.HZ
com.wallet.trx.tronwallet                         969D36420F64A7B4FD9725711FAFE5D1  Android/FakeApp.HZ
com.wallet.zcashwallet.zcash                      9CDFE189E3E3FF0DAC95B60CFF71B58A  Android/FakeApp.HZ
com.ether.etherwallet                             C9D4175E61EBCB22BA8F028F141E18C2  Android/FakeApp.HT
com.myetherwallet                                 B73E2436954C088E5EA0C3FE683EBB48  Android/FakeApp.HV
com.wallet.ether.myetherwallet                    05BFD8C85224A680512CB75BD46B8CB4  Android/FakeApp.HV
com.myetherwalletproject                          3F85490F886755B6E1BDEAA4BE1F70A4  Android/FakeApp.HV
com.poloniex.PoloApps                             49EB93C6DB5858BC692F3C270D0ADA8B  Android/FakeApp.HK
com.cryptocurrencytrade.app                       290CDFDAEA6BA6F53D60E52EA5C418C2  Android/FakeApp.HK
com.devpolo.app                                   AD4A5355193643AF0169C24911155407  Android/FakeApp.HK
com.poloniex.buysell                              EA31ABE6E01B1DBB1F4D9EE0A2C0277B  Android/FakeApp.HK
com.poloniextrade.com                             CB5E264A445A83FEA399AC5811FB28EB  Android/FakeApp.HK
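As an added example of how a defender can put the IoC table above to work (this is not ESET's tooling, and the sample device output is constructed), the following Python script parses the published rows, checks a list of installed package names in the format printed by `adb shell pm list packages`, and checks an APK's hash against the hash column. The hashes are 32 hex characters, which the script assumes to be MD5; `SAMPLE_PM_OUTPUT` and the APK bytes are made up for the demonstration.

```python
"""Match installed Android packages and APK hashes against the page's IoC list.
Added example (not ESET's code); sample device output below is constructed."""
import hashlib
import re
from dataclasses import dataclass

# IoC rows as published on the page: package name, hash, ESET detection name.
IOC_TABLE = """
com.puissantapps.bugsmasher.free 289E8B3D442BA3B6E3826604D35AC37B Android/Coinminer.Q
com.appybuilder.amal_zaki_meka212.BitcoinWallet 2778B8493E0E71E5AA3CF70E3BB2A3D0 Android/FakeApp.HM
com.appybuilder.amal_zaki_meka212.BitPhonex 955D2E3D4F765BEBE95570AC5581379D Android/FakeApp.HM
com.appybuilder.amal_zaki_meka212.blockchaincoin C1EB276F805F93D5BCE3FCBB722E55AE Android/FakeApp.HM
com.bitcoin.btc.neowallelt F811C48C500A3A01F45334740B74D40C Android/FakeApp.HZ
com.criptomoendas.fa.ethwallet 4AB2E39EC35A6D08CE3249359C504520 Android/FakeApp.HZ
com.libretriunfo.fa.billeterabitcoin E5171496DCDB335379F5F51B576FEB39 Android/FakeApp.HZ
com.libretriunfo.fa.btcwallets 66658D4F035699057E0271960B3F49F5 Android/FakeApp.HZ
com.libretriunfo.fa.litecoinwallet 57A6F8EADAE0D514FA33C92D91629944 Android/FakeApp.HZ
com.wallet.a42coin42.coin4242 C0C9B28ABE57F8FBC71516205AE67F9D Android/FakeApp.HZ
com.wallet.omisego.omisego A964ACED6978BA202CA7B8D98434528A Android/FakeApp.HZ
com.wallet.qtum.qtumwallet C275D99C6CD664FB7B811255114F174D Android/FakeApp.HZ
com.wallet.samouraiwallet.samouraiwallet B15C2140E8DAC2E6799A0C9FDC1857ED Android/FakeApp.HZ
com.wallet.trx.tronwallet 969D36420F64A7B4FD9725711FAFE5D1 Android/FakeApp.HZ
com.wallet.zcashwallet.zcash 9CDFE189E3E3FF0DAC95B60CFF71B58A Android/FakeApp.HZ
com.ether.etherwallet C9D4175E61EBCB22BA8F028F141E18C2 Android/FakeApp.HT
com.myetherwallet B73E2436954C088E5EA0C3FE683EBB48 Android/FakeApp.HV
com.wallet.ether.myetherwallet 05BFD8C85224A680512CB75BD46B8CB4 Android/FakeApp.HV
com.myetherwalletproject 3F85490F886755B6E1BDEAA4BE1F70A4 Android/FakeApp.HV
com.poloniex.PoloApps 49EB93C6DB5858BC692F3C270D0ADA8B Android/FakeApp.HK
com.cryptocurrencytrade.app 290CDFDAEA6BA6F53D60E52EA5C418C2 Android/FakeApp.HK
com.devpolo.app AD4A5355193643AF0169C24911155407 Android/FakeApp.HK
com.poloniex.buysell EA31ABE6E01B1DBB1F4D9EE0A2C0277B Android/FakeApp.HK
com.poloniextrade.com CB5E264A445A83FEA399AC5811FB28EB Android/FakeApp.HK
"""

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


@dataclass(frozen=True)
class Ioc:
    package: str
    digest: str     # lower-cased hex; 32 hex chars, assumed to be MD5
    detection: str


def parse_iocs(table):
    """Parse the whitespace-separated IoC table; reject malformed rows loudly."""
    iocs = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed IoC row: {line!r}")
        pkg, digest, det = parts
        if not HEX32.fullmatch(digest):
            raise ValueError(f"unexpected hash format for {pkg}: {digest}")
        iocs.append(Ioc(pkg, digest.lower(), det))
    return iocs


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output (one 'package:<name>' per line)."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]


def match_packages(installed, iocs):
    """Map each installed package that appears in the IoC list to its detection name."""
    by_pkg = {ioc.package: ioc.detection for ioc in iocs}
    return {pkg: by_pkg[pkg] for pkg in installed if pkg in by_pkg}


def md5_hex(data):
    """Hex MD5 of APK bytes (e.g. after `adb pull`); compared against the hash column."""
    return hashlib.md5(data).hexdigest()


def match_digest(hexdigest, iocs):
    """Return the Ioc whose hash equals hexdigest (case-insensitive), or None."""
    by_hash = {ioc.digest: ioc for ioc in iocs}
    return by_hash.get(hexdigest.lower())


# Constructed `pm list packages` output: two benign names and two from the IoC list.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.poloniex.buysell
package:com.example.notes
package:com.myetherwallet
"""

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for pkg, det in match_packages(parse_pm_list(SAMPLE_PM_OUTPUT), iocs).items():
        print(f"{pkg}: installed package is on the IoC list ({det})")
    # Constructed bytes standing in for a pulled APK; no hash match is expected.
    print("hash match:", match_digest(md5_hex(b"constructed apk bytes"), iocs))
```

A hash match identifies exactly the sample ESET analyzed, so it is the strong signal; a package-name match is only a hint, because the same name can be reused by a later upload whose hash differs, and impersonators are suspended and republished often. Treat a name hit as a reason to pull the APK and verify its hash and signing identity, not as a conviction on its own.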