Lookout Threat Lab security analysts have identified more than 170 Android mobile apps, including 26 on Google Play, designed to scam people interested in cryptocurrency. Available to many of them around the world, these mobile applications boast of offering cryptocurrency mining services for a fee. After analyzing them, it turns out that they do not offer any crypto mining services. To protect Android users, Google quickly removed these apps from Google Play. Lookout Mobile Endpoint Security and Lookout Personal Digital Safety customers are protected against these threats.
The purpose of these apps is to extract money from users through legitimate payment processes, never delivering the service they promise. Based on Lookout’s analyzes, they defrauded over 86,000 people and squeezed at least $ 350,000 between users who purchased the apps and those who paid for bogus services and additional upgrades.1 Lookout has categorized these apps in two separate categories, which he called BitScam and CloudScam.
Despite technical distinctions between these two categories, all applications use the same ‘business model’, indicating that multiple criminal actors have launched competing campaigns to target users identically. Most malware executes code that triggers clearly malicious activities, such as exfilitating personal data to a command-and-control server, displaying advertisements outside of the context of the application, or sending text messages. paying. The BitScam and CloudScam apps may have escaped radar because they are not actually doing anything malicious. They don’t actually do anything at all. They are simply used as typos to collect money for services that do not exist.
The evolution of crypto mining makes scams easier
Cryptocurrency mining (or crypto mining) uses the processing power of computers to solve complex mathematical problems that verify cryptocurrency transactions, and miners are then paid with a small amount of cryptocurrency. Common mining strategy is called ‘mining pools’ where individuals participate with their processing power in the production of cryptocurrency and are rewarded in proportion to their contribution.
Cloud mining is the evolution of mining pools just as cloud computing is the evolution of processing in an on-premises data center. Instead of users buying computers and paying utility bills to contribute to a ‘pool’, cloud miners rent out processing power from the cloud. Cloud mining introduces both simplicity and cyber security risks. Due to the simplicity and agility of cloud computing, it is quick and easy to set up a crypto mining service that looks legitimate but is in fact a scam. Cyber criminals have set up similar schemes to lure computer users and the Lookout Threat Lab has identified the first scam that incorporates this scheme into mobile applications.
How the BitScam and CloudScam apps work
Legitimate cloud mining operations can certainly use a mobile app as their dashboard, and in this case the app can be expected to use high quality code and adhere to secure coding practices. Analysis of the BitScam and CloudScam applications shows a completely different situation. Although they are expected to perform many different mining operations, all of the applications analyzed share a very similar design and coding, which is described below. To illustrate how they show no sophistication, BitScam applications are created using a ‘framework’ that does not require any programming experience.
The majority of BitScam and CloudScam applications are chargeable. This means that the threat actors are pocketing the money from the sales of these applications. Both the CloudScam and BitScam apps also offer crypto mining-related subscriptions and services that users can pay for through the billing system built into Google Play. The difference with BitScam apps is that they also accept Bitcoin and Ethereum payments.
Display of fictitious winnings
After successfully logging in, a user was greeted with a dashboard showing the available ‘hash rate’ as well as the number of cryptocurrencies they had ‘won’. The hash rate displayed was typically very low in order to entice the user to purchase upgrades that promised faster mining rates. This is where both BitScam and CloudScam were making more money by selling upgrades, subscriptions, and additional services.
If the cloud mining had actually been performed in either BitScam or CloudScam, the displayed cryptocurrency amount should have been stored in a secure database in the cloud and queried via an API. After analyzing the code and network traffic, Lookout discovered that the apps were showing a fictitious balance of cryptocurrencies and not the number of cryptocurrencies mined. The value displayed was simply a slowly incremented counter in the application. In some of the applications analyzed, this only happened when the application was running in the foreground and the counter was often reset when the mobile terminal or the application was restarted.
In the CloudScam “BTC Cash” application, the GHash / sec is simply a counter that resets to zero after reaching the number ten. This does not initiate any activity from cloud services. Payment activities
A BitScam application featuring “virtual hardware” upgrades promising increased mining speeds for the user.
As described above, BitScam users were offered the option of purchasing “virtual hardware” to increase the mining rate. The cost of this ‘virtual hardware’ ranged from $ 12.99 to $ 259.99 and could be purchased either through Google Play or by transferring Bitcoin and / or Ethereum (BCH / BTC and / or ETH) to the developers account.
BitScam applications were designed so that users were not “allowed” to withdraw any cryptocurrency before reaching a minimum result. Even if a user had reached this minimum result, he could not withdraw cryptocurrency, as indicated in some comments on the app store. The app displayed a message telling the user that the transfer transaction was in progress, but behind the scenes it would reset the amount reached by the user to zero without transferring any money to them.
Some other apps frequently reset users’ counter to zero in order to prevent them from reaching the minimum amount. The reset could occur when the mobile terminal restarted, a user disconnected or the application ‘crashed’.
The screenshots below show the checkout function within a CloudScam application. As with BitScam applications, a withdrawal of cryptocurrency is always impossible. Regardless of the amount reached, when a user decides to withdraw cryptocurrencies, they always receive an error message indicating that their amount reached is insufficient.
The “BTC Cash” Cloud Scam application prevents users from withdrawing their reached amount in cryptocurrency.
Much like the BitScam applications, the CloudScam applications offered options allowing users to earn more cryptocurrency at an accelerated rate, such as an “upgrade” to a subscription program with reduced minimum amounts for withdrawals and higher mining rates, referral of friends and payout of 20% of referral friends’ earnings, and daily rewards. None of these options earned users cryptocurrencies. On the contrary, they generated additional income for the crooks behind these applications.
Paying for nothing: Malicious actors exploit the crypto craze
Even though the CloudScam and BitScam apps have now been retired from Google Play, there are still dozens more still in circulation on third-party app stores. In total, their operators generated at least $ 350,000. They squeezed $ 300,000 from the sale of bogus apps and an additional $ 50,000 in cryptocurrency from their victims paying for bogus services and bogus upgrades.1
Buying goods and services online always requires a certain degree of trust in the seller or at least in the app store that processes the transaction. This is true for any online transaction, but it is even more important when it comes to financial services such as cryptocurrency investments.
The crooks behind these schemes were able to exploit the existing craze created by the boom in the cryptocurrency market. But whatever the increase in the valuation of these currencies, caution remains in order before acquiring a mobile crypto mining application.
To unmask crypto mining scammers, the most important thing is to follow the five recommendations below:
1. Know the developers behind the app. What certificates or credentials do they have, what other apps have they created, does the company have a website and are you able to contact them?
2. Install the app from an official app store. Even though scams are hard to spot, downloading from an official app store reduces the risk of receiving malware.
3. Read the General Conditions. Most bogus apps either have bogus terms and conditions or don’t show any
4. Rely on comments from other app users. Reading other users’ comments on the use of the application can be revealing in identifying scams.
5. Understand the permissions and activities of the app. Check for inconsistencies in app activities. Is it asking for permissions it doesn’t need to function? The app crashes or abruptly resets, the amount of cryptocurrency suddenly drops to zero, do the numbers displayed make sense?
Take your time, if an opportunity is too good to be true, it is probably hiding a scam.
1 The $ 300,000 was calculated based on the cost of acquiring an app multiplied by the number of installations of the CloudScam and BitScam apps. The $ 50,000 was calculated using the price of Ethereum and Bitcoin in the market (as of June 2021) and the amount of each currency victims paid. The figure of 86,000 for victims is estimated based on the number of installations of these apps.
2 https: //www.cyber.gov.au/acsc/view -…