Cryptocurrency scams on Android: Do you know what to watch out for?

The recent rise in cryptocurrency scams appearing on the Android platform in disguise has shown that such incidents are not exclusive to PCs and also highlight the importance of knowing what to look out for so you do not unintentionally take part.

The recent rise in cryptocurrency scams appearing on the Android platform in disguise has shown that such incidents are not exclusive to PCs and also highlight the importance of knowing what to look out for so you do not unintentionally take part.

The growing prices and popularity of cryptocurrencies don’t just attract masses of potential users, but also inspire cyber-crooks to find new and creative ways to get their sticky fingers on all those virtual coins. Of course, cryptocurrency scams are not exclusive to PCs and have already emerged on the Android platform, using a wide array of disguises.

Fake cryptocurrency exchange apps

Cryptocurrency exchanges are an attractive target for crooks not only due to their popularity with cryptocurrency enthusiasts, but also because many don’t offer a mobile app. Such “unclaimed territory” acts like a magnet for scammers, who waste no time coming up with malicious fakes.

Typically, the purpose of such fake apps is to phish for login credentials to the impersonated official exchange. Attackers then use the stolen credentials to take over the compromised accounts. To lure users into giving away their passwords, crooks try to raise as little suspicion as possible – the developer name, app icon and user interface usually mimic those of the legitimate service, and the app may even appear to have a good overall rating thanks to fake reviews.

Recent cases of these scams are phishing apps, discovered on Google Play last year and resurfacing frequently ever since, that impersonate the cryptocurrency exchange Poloniex.

Cryptocurrency scams

Figure 1 – The fake Poloniex apps on Google Play

Fake cryptocurrency wallet apps

Similar phishing schemes also afflict users of cryptocurrency wallets, only instead of a password, the attackers are directly after the wallets’ private keys and phrases. In practice, this means that the stakes are higher for users of cryptocurrency wallets – a stolen password to a cryptocurrency exchange may be reset with the help of the exchange holding the user’s private key, but in the case of a wallet, it’s the private key that gets compromised, with no one else to save the day.

Lately, we’ve observed this kind of malicious behavior in apps impersonating MyEtherWallet, a popular, open-source, Ethereum wallet. The apps, uploaded to Google Play multiple times over recent months, attempt to steal users’ private keys and/or mnemonic phrases using various bogus login forms. Like the Poloniex exchange, MyEtherWallet doesn’t have an official mobile app, which makes it attractive for imposters.

Cryptocurrency scams

Figure 2 – The fake MyEtherWallet apps on Google Play

Besides phishing apps, we’ve also analyzed fake cryptocurrency wallets that merely try to trick victims into transferring coins to the attackers’ wallets. Such wallet address scams follow a simple procedure – they pretend to generate a public key for a new wallet and instruct users to send their digital coins to the generated address. If users follow this instruction, they soon find that the coins they sent are gone.

Cryptocurrency scams

Figure 3 – Wallet address scam apps targeting users of various cryptocurrencies

Android crypto-mining malware

With the recent boom in cryptocurrency mining, the number of Android-based miners has also been rising. Whether a crypto-mining app is considered malicious comes down to consent – are users knowingly using their device for cryptocurrency mining, or is the device being hijacked with someone else making the profit? When the latter is the case, we speak of crypto-mining malware.

Recently, we have discovered that a version of the popular game Bug Smasher, installed from Google Play between 1 and 5 million times, has been secretly mining the cryptocurrency Monero on users’ devices.

Cryptocurrency scams

Figure 4 – The Bug Smasher app with hidden mining functionality

Fake crypto-miners and free giveaways

A separate category of cryptocurrency scams belongs to apps that pretend to mine cryptocurrency for the user, but in reality don’t do much else than display ads. Some of the fake miners we’ve analyzed also try to trick users into rating them with 5 stars. While these apps aren’t malware per se, we consider them unwanted due to their deceptive nature.

Interestingly, the fraudsters behind some fake miners don’t seem to worry about the infeasibility of their promises – besides countless fake bitcoin miners, we have also found apps that promise to mine the cryptocurrency Ripple (XRP), a non-minable currency by definition.

Cryptocurrency scams

Figure 5 – Fake Ripple miners on Google Play

All the apps mentioned above are detected and blocked by ESET systems and have been suspended from the Google Play store. Users with Google Play Protect enabled are protected via this mechanism.

How to stay safe

Here’s what you can do to avoid falling victim to cryptocurrency scams on Android:

  • Treat cryptocurrency exchanges and wallets with the same level of caution as your mobile banking apps.
  • When downloading a mobile app for a cryptocurrency exchange or wallet, make sure the service really offers a mobile app. The official app should be linked on the service’s official website.
  • If the option is available, use 2-factor-authentication to protect your exchange or wallet accounts with an extra layer of security.
  • When downloading apps from Google Play, pay attention to their number of downloads, as well as app ratings and reviews.
  • Keep your Android device updated and use a reliable mobile security solution to protect it from the latest threats.

To read more about Android-based cryptocurrency scams and their go-to tricks and techniques, read ESET’s white paper: Cryptocurrency scams on Android.

You are also welcome to discuss this topic with ESET experts during Mobile World Congress 2018 in Barcelona. You can find them at booth 41 hall 7 during the whole show from February 26 to March 1.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center