Apps with more than 93,000 installs claim to be mining cryptocurrency – but do nothing.
The race to cash in on the bitcoin boom leads people to take extreme measures. And when cryptocurrencies have an estimated market capitalization of more than $2 trillion, there’s little surprise that cybercriminals are trying every trick in the book to eke out an advantage. So too are ordinary people trying to jump on the hype train of cryptocurrencies before it’s too late to make money.
But not everything is as it seems in this strange world. Security researchers at the Lookout Threat Lab have discovered more than 170 Android apps, including 26 hosted on the Google Play Store, that are scamming people interested in cryptocurrencies. The apps in question advertise themselves as providing cloud cryptocurrency mining services for a fee.
However, after analysing them, Lookout found that no cloud crypto mining actually takes place. Lookout estimates that the apps they discovered have conned their users out of more than $350,000 through payment fees for faked crypto mining.
Where there’s interest, there’s cash
“These apps were able to fly under the radar because they don’t actually do anything malicious,” says Ioannis Gasparis, a mobile application security researcher at Lookout. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”
The principle behind the apps, if they were to work as they are advertised, is sound. Cloud mining is a legitimate way that some people try to mine cryptocurrency. Rather than users buying specialised hardware and paying big electricity bills to contribute to a pool, cloud miners rent cloud computing power.
However, the issue with the cloud is that there is little hard evidence needed to prove that you’re actually doing what you say.
Cloud mining services don’t need to point to physical infrastructure to prove to the average user that the money they are spending on mining services is actually being deployed. Cybercriminals have set up similar schemes to steal from desktop users, and Lookout Threat Lab uncovered a similar scam that uses the same principles but packages it in mobile apps.
Codebases indicate potential reskinning
There is some rough evidence that the raft of crypto mining scam apps could well be co-ordinated by a single group, rather than 170 or more different cybercriminals arriving at the same idea for a scam at the same time. Despite supposedly representing many different mining operations, all of the apps Lookout analysed shared a very similar codebase and design. Most of the apps were created using a framework that doesn’t require programming experience. But the user interface was carefully crafted to give off the impression of professionalism – and the lure of real-life returns.
When a user logs into the scam apps, they see the available hash mining rate as well as how many coins they have “earned” to date. The hash rate the apps show is usually low – an attempt to upsell users on upgrades that promise faster mining rates. However, all the data shown isn’t tied to actual mining activity:
“The value displayed is simply a counter slowly incremented in the app,”
Lookout say.
“In some of the apps analysed, we observed this happening only while the app is running in the foreground and is often reset to zero when the mobile device is rebooted or the app restarted.”
Despite all this, there is evidence that a good number of people – nearly 100,000 – have installed the apps in question and handed over money to try and improve their chances of “mining” crypto. Some apps offer in-app purchases that promise to unlock extra power at a cost of $259.99. The lure of striking it rich often makes some of us fork out the cash before thinking about the ramifications; for those people, Lookout has some simple advice: “Take your time, and if a deal is too good to be true, it probably isn’t real.”
