ESET researchers have discovered and reported scammers stealing PayPal and Paxful credentials disguised as a tool for YouTube monetization, and a bitcoin trading marketplace.
Would you like to add traffic to your YouTube channel and maybe even get paid for watching YouTube videos? Or are you looking to buy and sell bitcoin “from the comfort of your phone”?
The makers of the apps “Boost Views” and “PaxVendor” want you to believe they have just what you’re looking for. Except they don’t. They’re after your money – in whatever form they can get their hands on it.
Boost Views: Views for YouTube monetization
Under the guise of attractive YouTube-related services, the PayPal credential stealer “Boost Views” found its way onto devices of up to 100,000 users.
The app, detected by ESET as Trojan.Android/FakeApp.FK, promises to generate earnings for watching in-app YouTube content, as well as increase YouTube traffic in exchange for purchasing credits. According to the app description, users can conveniently withdraw accumulated earnings to their PayPal account.
However, if users try to do so by entering their PayPal credentials into an “authentication” form, they will find they’ve become victims of a scam – there are no earnings to be withdrawn. Even worse, their PayPal credentials are now at the attackers’ disposal, open for misuse.
How does it operate?
Once the app is launched, users are asked to create a Boost Views account. After logging in, users can choose one of the services seemingly offered by the app.
For viewing YouTube videos for money – one of the major features advertised by the app – there’s “Viewer”, an in-app video player. Users can view content for $0,0001-0,0005 per minute (as seen during our research), with the current earned sum shown under the video content.
Having generated $0.09 in 16 hours of automatic video playing and having seen no mention of a minimum payout threshold, we tried to withdraw the earned amount.
In order to withdraw money, PayPal credentials must first be entered into an insecure login form for “authentication”. Once victims enter their credentials, they are confronted with an “invalid login” error message and their PayPal credentials are sent unencrypted to a developer’s server.
With the PayPal account now compromised, the victims’ PayPal and/or credit card balance are open for misuse. At the time of writing this article, PayPal hasn’t reported any suspicious activity on the account used for testing the malicious app’s features. This, however, offers little reassurance, knowing your credentials are at someone else’s disposal.
If users wish to purchase credits to exchange for YouTube views, they are offered credit packs found in the app’s shop. While this might be a logical way to use the views generated in the app’s Viewer (and could well be a real functionality), we find the deceptive behavior of the app is reason enough not to hand money – and possibly credit card details – to this developer.
Interestingly, the credit packs are also offered on the developer’s website, with different pricing and invalid hyperlinks leading back to the homepage. The website, as such, appears to be a generic template filled with marketing buzzwords rather than actual content, which only adds to the shadiness of the app observed so far.
While Boost Views aims to infiltrate your PayPal account, “PaxVendor” would like to have access to your bitcoins. The malicious app, detected by ESET as Android/FakeApp.FI, parasites on the legitimate Bitcoin trading marketplace Paxful, which currently only operates on desktop.
PaxVendor uses a bogus login screen to harvest Paxful credentials and offers its victims no real functionality. In only a week’s time, the app reached up to 500 installs, before being pulled from the store on our notice. Apart from reporting the app to Google Play security team, we also contacted Paxful to warn its users about this malicious fake.
How does it operate?
Upon launch, the app instructs users to disable Google authorization or SMS authorization in their Paxful account in order to avoid potential two-factor authentication obstacles.
The fake login screen requests Paxful credentials. When submitted, the user is shown an error screen claiming the app can’t connect to their account.
In the meantime, the credentials are sent to the attackers’ server. Once the attackers get hold of the credentials, they use them to log into users’ Paxful accounts. In our case, someone signed in from Ukraine shortly after the credentials were entered.
How to protect yourself?
If you have downloaded Boost Views and tried to withdraw money via PayPal, we strongly suggest you change your PayPal password immediately. While you’re at it, check your account for suspicious activity and report potential issues to PayPal. You might also want to uninstall the malicious app, found under Settings >Application manager/Apps > Boost Views.
As for PaxVendor, change your Paxful password and review the activity on your account, reporting anything unusual. Proceed with uninstalling the fake app by going to Settings > Application manager/Apps > PaxVendor.
To avoid falling victim to Android malware, there are a couple of principles to stick to when installing apps on your device.
Whenever possible, favor downloading apps from official app stores over unknown sources. Although not flawless, Google Play does employ advanced security mechanisms to keep malware out, which doesn’t have to be the case with alternative stores.
Exercise extra caution when downloading third-party apps offering additional functions to existing applications, as there may be a “catch” in these attractive-sounding offers. With that in mind, avoid inserting sensitive credentials into untrusted login forms of third-party apps.
To verify whether an app is to be trusted, check the popularity of the app by number of installs, ratings and, most importantly, content of reviews. When in doubt, opt for high-quality apps marked as Top Developer or found in the Editor’s Choice category.
Last but not least, use a reputable mobile security solution to protect your device from latest threats.