Security researchers at the Lookout Threat Lab have identified 172 Android apps, 25 of which were hosted on the Google Play Store, that have scammed over 93,000 customers out of about $350,000 (based on average subscription prices) in the name of crypto mining.
These apps pose as cloud crypto mining services: customers subscribe for a small fee, except there is no mining service behind them. Subscribers are simply scammed. The lab has classified these apps into two families, named BitScam and CloudScam.
Malicious apps generally inject code or spam the user with adverts. What allowed these apps onto the Play Store is that they do nothing malicious at all; they are just shells that collect money in the name of crypto mining.
Scammers riding the crypto wave
Cryptocurrency mining is essentially a computer solving cryptographic or mathematical problems and being awarded a small amount of crypto in return. However, the processing power required to solve these problems is far more than an average computer can provide.
This leads investors to pool resources to build ‘mining farms’ and share the revenue. For someone who lacks the means either to invest in beefy hardware or to buy into a farm, that approach is off-limits.
This is where the scam apps come in. CloudScam apps offer a cloud mining service, where the customer pays for time on a mining computer, much like shared web hosting. BitScam apps promise additional virtual hardware, priced from $12.99 to $259.99, that is supposed to bring additional mining returns.
The two families work together, with CloudScam apps offering a platform for mining and BitScam apps offering additional hardware to speed things up, all to scam the user. They may even show a dashboard where you can view and track your current earnings.
After analysing the code and network traffic, researchers found that the apps display fictitious coin balances: a counter slowly incremented inside the app to make it look like you are mining crypto.
The apps use legitimate payment gateways via Google Pay and can also accept payments via direct transfers of Bitcoin or Ethereum to the developer’s wallets.
Google has since removed the apps hosted on the Play Store, but it has no power over apps hosted on third-party sites. Here are a few things to keep in mind when dealing with such apps.
- Check the developer’s credibility.
- Install apps from an official app store.
- Make sure to go through the terms and conditions. Most scam apps won’t have any or would have fake information.
- Read others’ reviews before installing.
- Check the app’s permissions and activities.
“These apps were able to fly under the radar because they don’t actually do anything malicious. They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception,” said Ioannis Gasparis, a mobile application security researcher at Lookout.