Cloud Cryptomining Swindle in Google Play Rakes in Cash

At least 25 apps have lured in tens of thousands of victims with the promise of helping them cash in on the cryptomining craze.

Bogus cryptomining apps for Android available for download on Google Play are estimated to have scammed more than 93,400 victims to date, researchers said, stealing at least $350,000.

According to Lookout, the apps – categorized into “BitScam” and “CloudScam” versions – advertise themselves as providing cryptocurrency mining services for a fee. They claim to perform cloud mining: rather than buying hardware and paying big electricity bills to contribute to a mining pool, cloud miners rent cloud computing power.

However, no such cryptomining actually takes place. In fact, nothing at all takes place.

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in an analysis released on Wednesday. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”

In addition to offering the “apps” themselves for a fee, the scammers also promote additional services and upgrades that users can purchase within the apps, either by transferring Bitcoin or Ethereum cryptocurrencies directly to the developers’ wallets (the BitScam version) or via the Google Play in-app billing system (the CloudScam version).

There were 25 such apps found on the official Google Play store and 170 overall when third-party app stores are taken into account. While the cryptomining apps have now been removed from Google Play, the dozens more still available for side-loading continue to lure people in, Gasparis noted. He told Threatpost that he also found evidence in various channels like Medium, Telegram and Twitter promoting similar cryptomining scam apps, with many of them referencing the apps found on Google Play.

“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking cryptomining service that is really a scam,” he said in the report. “Cybercriminals have set up similar schemes to steal from desktop users, [but this is] the first scam that packages this scheme into mobile apps.”

Mobile, Socially Engineered Cryptomining Scams: How it Works

Once an app is downloaded and users have set up their accounts, they’re greeted with an activity dashboard that purports to display an “available hash mining rate.” It also shows a counter for how many coins the victims have supposedly earned.

“The hash rate displayed is typically very low in order to lure the user into buying upgrades that promise faster mining rates,” Gasparis noted. Such “virtual hardware” upgrades can range from $12.99 to $259.99, Lookout found. Other “upgrades” include spendier subscription plans with lower minimum withdrawal balances and higher supposed mining rates. Users also are told they’ll earn “20 percent” of their friend’s earnings if they refer someone to the app, and are offered “daily rewards.”

Examples of cloud-mining scam apps in Google Play. Source: Lookout.

As for the coin counter, the apps simply display a fictitious balance. In some of the apps analyzed, the counter advanced only when the app was running in the foreground, and was reset to zero when the mobile device was rebooted or the app restarted. Some had finite totals: In the CloudScam app “BTC Cash,” for instance, the counter resets to zero after counting to ten.

“If cloud mining was actually taking place in either BitScam or CloudScam, we would expect the coin amount displayed to be stored in a secure cloud database and queried via an API,” Gasparis said.

The apps were also designed so that users are blocked from withdrawing any coins until they reach a minimum balance (not that any coins actually exist). And even if that balance were supposedly achieved, the apps simply display a message telling the user that the withdrawal transaction is pending, while resetting the user’s coin balance amount to zero in the background. In some cases the user is presented with an error message saying that the balance is insufficient for withdrawal.
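The counter behaviors described above (foreground-only accrual, reset on restart or reboot, and a counter that wraps to zero) can be checked mechanically during dynamic analysis. The following is an added example, not code from Lookout or from this article; it assumes an analyst has logged the dashboard balance at each app event, and the `Obs` record, the event names and both traces are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Obs:
    t: int          # seconds since the analyst started watching
    event: str      # tick | background | foreground | restart | reboot
    balance: float  # coin balance shown on the dashboard after the event

def balance_red_flags(trace):
    """Return the set of locally-faked-counter behaviors seen in a trace."""
    flags = set()
    prev = None
    backgrounded = None  # observation taken when the app left the foreground
    for obs in trace:
        if prev is not None:
            dropped_to_zero = prev.balance > 0 and obs.balance == 0
            if obs.event in ("restart", "reboot") and dropped_to_zero:
                # A server-side balance would survive a restart or reboot.
                flags.add("reset_on_restart")
            elif obs.event == "tick" and dropped_to_zero:
                # Balance fell to zero with no user action (finite counter).
                flags.add("spontaneous_reset")
        if obs.event == "background":
            backgrounded = obs
        elif obs.event == "foreground" and backgrounded is not None:
            # Rented cloud hardware would keep earning while the app is hidden.
            if obs.t > backgrounded.t and obs.balance == backgrounded.balance:
                flags.add("foreground_only_accrual")
            backgrounded = None
        elif obs.event in ("restart", "reboot"):
            backgrounded = None
        prev = obs
    return flags

# Constructed trace mimicking the behavior the article describes.
FAKE_TRACE = [
    Obs(0, "tick", 0.0), Obs(60, "tick", 4.0), Obs(120, "tick", 8.0),
    Obs(125, "background", 8.0), Obs(725, "foreground", 8.0),
    Obs(785, "tick", 10.0), Obs(845, "tick", 0.0),  # counts to ten, then zero
    Obs(905, "tick", 4.0), Obs(910, "restart", 0.0),
]
# Constructed trace of a balance that is held server-side.
SERVER_BACKED_TRACE = [
    Obs(0, "tick", 1.0), Obs(60, "tick", 1.5),
    Obs(65, "background", 1.5), Obs(665, "foreground", 6.5),
    Obs(670, "restart", 6.5), Obs(730, "tick", 7.0),
]

if __name__ == "__main__":
    print(sorted(balance_red_flags(FAKE_TRACE)))
    print(sorted(balance_red_flags(SERVER_BACKED_TRACE)))
```

An empty result does not show that an app is legitimate; it only means none of these three local-counter behaviors appeared in the observed window.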

“These apps are not sophisticated,” Gasparis told Threatpost. “The code quality is very poor. In fact, many of them were created using tools that don’t require any coding experience.”

The earliest samples of these crypto-scam apps date back to the second half of 2019, Gasparis told Threatpost, most likely distributed through third-party app stores. He added that since then, it’s likely that competing groups have cropped up to offer their wares in this arena.

“My conclusion that CloudScam and BitScam are run by competing groups is based on the fact that each family has completely different codebases,” he said. “There are a lot of mentions of Android bitcoin miners in general on the Dark Web, though nothing specific to the apps we found.”

Gasparis told Threatpost that he had no insight into remediation for the apps, as in how to stop the subscriptions or recoup any losses. Threatpost has reached out to Google for comment.

“Purchasing goods or services online always requires a certain degree of trust in the vendor or at least the app store processing the transaction,” Gasparis noted in the report. “While this is true for any online transaction, it is even more important with respect to financial services such as cryptocurrency investments. The scammers running this scheme were able to tap into the existing frenzy created by the hot cryptocurrency market. But no matter how high cryptocurrency valuations climb, there is no substitute for appropriate due diligence before purchasing a cryptocurrency mining app.”

How to Spot a Cryptocurrency Scam

When it comes to spotting cryptocurrency scammers, Lookout offered five recommendations:

  1. Know the developers behind the app. What certificates or credentials do they have, what other apps have they built, does the company have a website and are you able to contact them?
  2. Install from an official app store. While scams are hard to spot, downloading from an official store reduces your risk of downloading malware.
  3. Read the terms and conditions. Most of the scam apps either have fake information or don’t have any terms available.
  4. Use other users’ reviews of the app for your benefit. Reading other users’ experience with the app can be eye-opening when it comes to identifying scams.
  5. Understand the app’s permissions and activities. Look for red flags in the app’s activities. Is the app asking for permissions that it doesn’t need to function? Does the app crash or reset abruptly, does the cryptocurrency balance get reset abruptly, do the displayed numbers make sense?

Which Cryptomining Apps Are Scams?

The apps that were available on Google Play and may still be installed on victims’ phones are:

BitScam (18):

  • Top Coins
  • Mr Bitcoin
  • Star BTC
  • Bitcoin Burn
  • Moon BAT
  • Bito Holic
  • Bito Hash
  • BitHash
  • Multi Coins
  • BitcoinCash Miner
  • Airdrop
  • Bright Miner
  • Pink BTC
  • XMR Miner
  • COIN Master
  • ETHMINER PRO
  • crypto cloud mining pro
  • Btc Miner pro

CloudScam (7):

  • Bito Miner
  • Mining Machine
  • BTC CLOUD
  • BTC Cash
  • Black Crypto
  • Cloud Mining
  • Crypto Pro-Miner
