The price of Bitcoin is steadily surging in May and hackers are looking to cash in on the uptick with fake cryptocurrency apps, malware and other related scams.
In May 2019, Bitcoin prices climbed to their highest points this year, with the popular cryptocurrency being worth $8,300 (its highest valuation since September 2018) for one bitcoin. That has malicious actors on the prowl and hungry to attack cryptocurrency investors using a slew of scams, malicious apps, malware and cryptojacking campaigns.
“Not surprisingly, cybercrooks were quick to notice this development and started upping their efforts in targeting cryptocurrency users with various scams and malicious apps,” said Lukas Stefanko, researcher with ESET, on Thursday.
Similar surges in cryptocurrency pricing in 2018 brought about fluctuations of cryptocurrency giveaway scams and cryptominer malware. This year is seeing a spike in cybercrime activity related to this latest bitcoin boom – and that’s even despite the recent shuttering of Coinhive, the company behind the infamous browser-based cryptocurrency miner.
Malicious Apps
One way cybercrooks are looking to scam bitcoin investors is through fake apps, purporting to be cryptocurrency wallet apps used to store, access and share cryptocurrency.
In a recent example, ESET researchers on Thursday said that they have spotted fake apps impersonating cryptocurrency wallets – including Trezor and Coin Wallet – looking to fool cryptocurrency users on Google Play. Both apps have since been removed from Google Play.
One such app on Google Play was impersonating Trezor, a popular cryptocurrency wallet that requires physical authentication via PIN to access stored cryptocurrency. While Trezor’s official app is called “Trezor Manager,” researchers recently discovered a malicious app, called “Trezor Mobile Wallet,” which touted Trezor’s official branding, developer name, category and description.
After installation, the fake app appears on the victim’s phone as “Coin Wallet,” and once launched, the app shows attempts to phish for credentials (email and password).
“Trezor confirmed the fake app did not pose a direct threat to their users… However, they did express concern that the email addresses collected via fake apps such as this one could be later misused for phishing campaigns targeted against Trezor users,” said Stefanko.
Meanwhile, another malicious app, the Coin Wallet app, was using the same server as the fake Trezor app. Coin Wallet was available on Google Play until May 5, and was installed by more than 1,000 users.
Coin Wallet pretends to generate a unique wallet address where users can transfer their coins – but in reality, the address in the app belongs to the attackers’ wallet.
“The app claims it lets its users create wallets for various cryptocurrencies,” said Stefanko. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware.”
Cryptojacking
Last year, researchers noted a major uptick in coin-mining: There was a 1,500 percent increase in cryptomining malware when compared to 2017, according to a December report from eSentire Threat Intelligence.
With bitcoin prices on the rise, that uptick may continue into 2019. Miner software is often used by hackers, who secretly embed the code into websites and then mine cryptocurrency by tapping the CPU processing power of site visitors’ phones, tablets and computers.
In April, a malicious new cryptojacking campaign dubbed Beapy used the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. The attacks – which infected more than 12,000 devices across 732 firms, led to slowdown in enterprise devices’ performance, overheating batteries, and even devices becoming degraded and unusable.
“While enterprises might think they don’t need to worry about cryptojacking as much as more disruptive threats such as ransomware, it could still have a major impact on the company’s operations,” researchers with Symantec, who discovered the campaign, said in an analysis.
Other malware is adopting more cryptocurrency theft capabilities, including a Windows malware dubbed “Razy” discovered earlier this year that works by weaponizing browser extensions in order to perpetrate a range of online scams on unwitting victims.
“If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere,” said Stefanko.
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.