Android app users targeted with cryptomining scams
Found on Google Play and third-party app stores, the apps discovered by Lookout stole an estimated $350,000 from more than 93,000 people.
More than 170 Android apps, including 25 on Google Play, have been caught trying to scam people by offering cryptomining services for a fee but failing to deliver anything in return. In a report published Wednesday, security firm Lookout described its discovery of these apps, saying that they flew under the radar because they didn’t do anything actually malicious. Rather, they acted as shells to collect money from users for services that they never provided.
SEE: Hiring Kit: Blockchain Engineer (TechRepublic Premium)
Following Lookout’s initial analysis, Google removed the 25 scam apps on Google Play. However, many of the remaining apps are likely still accessible on third-party app stores.
Some mobile security products should be able to detect and block these types of apps. But you run a risk trying to download apps from third-party stores, which don’t offer the security protections found at Google Play.
OK, but what is a cryptomining app, and how is it supposed to work? Cryptomining, short for cryptocurrency mining, uses your computer’s processing power to solve complicated mathematical problems as a way to verify cryptocurrency transactions. In return for volunteering your PC’s resources, you’re supposed to be rewarded with a small amount of cryptocurrency.
Individually, you may contribute only a tiny share of the cryptocurrency mining required. But collectively, you and other people who do this make up a mining pool through which a large volume of mining can be achieved.
A cryptomining app uses your mobile device’s processing power to help mine cryptocurrency. Such apps typically require you to join a mining pool. Through the processing resources available on your phone are small compared with those on your computer, there’s a clear convenience in doing this from a mobile device.
Of course, cybercriminals have gotten into the act with an array of different cryptomining scams. In the example cited by Lookout, criminals set up believable but fake cryptomining services that fail to hold up their end of the bargain. Initially targeting desktop users, the latest scams have been aimed at mobile users.
These mobile-based cryptomining scams are a problem for Android users in particular. In 2018, Apple banned cryptocurrency mining from the iPhone, iPad and Mac. Google, however, still allows the practice, hence a proliferation of Android cryptomining apps.
Classifying the 170 phony apps found into two different families named BitScam and CloudScam, Lookout discovered that the majority of them are paid, some through one-time payments and some through subscriptions. Several apps generate more money by hawking in-app upgrades, additional subscriptions and other services. As such, the bad actors behind the apps are able to collect money upfront without providing anything in return.
So far, the fake cryptomining apps analyzed by Lookout have stolen at least $350,000 from more than 93,000 people. Some $300,000 was snagged by selling the apps, while $50,000 worth of cryptocurrencies was collected from those who paid for phony upgrades and services.
For anyone looking to get involved with cryptomining through a mobile app, Lookout offers the following tips to protect yourself from being scammed.
- Investigate the developer behind the app. If an app interests you, first do some digging into the developer. Find out what certificates or credentials they have and what other apps they offer. Determine if the developer has a website and a way to contact them.
- Get apps from official app stores only. Installing an app from a third-party store can be tempting, but you run a risk. Though far from perfect, Google Play does run security scans and take other measures to try to weed out malicious and scam apps.
- Check the terms and conditions. Read the fine print before you download an app. Many scam apps either provide phony information or fail to present any terms and conditions at all.
- Read user reviews. Users who’ve already downloaded a malicious or scam app will often write a review to warn other people to beware. Make sure you scan all the reviews for any red flags. And watch out for fake reviews that typically offer glowing praise and five stars.
- Understand the app’s permissions and activities. Check out the permissions required to use the app to make sure they sound reasonable.