Cryptomining Scam Apps, ‘Stealer’ Trojans Culled from Google Play

There’s a whole lot going on over at the Google Play store. First, Lookout researchers found 170 apps used in cryptomining scams that have snared more than 93,000 victims.

Actually, only 25 were available for download on Google Play; the vast majority are side-loaded. The researchers dropped them into two buckets, BitScam and CloudScam–apps that “advertise themselves as providing cloud cryptocurrency mining services for a fee,” Lookout said in a blog post. On further analysis, the researchers discovered “no cloud cryptomining actually takes place.” Instead, the scammers “pocket the money spent on apps and upgrades without ever delivering the promised services.” Their take so far? More than $350,000.

“These apps were able to fly under the radar because they aren’t actually malware,” said Ioannis Gasparis, staff mobile application security researcher at Lookout.

“Other than the fact that their code is of poor quality, there’s nothing malicious about them,” Gasparis said. “They are simply shells built to collect money for services that don’t exist.”

Still, buyers “should be wary of purchasing services from providers online whether through an app or a website,” Gasparis said.

The actors have no need to go underground. “The whole point of these scams is to target the general public’s interest in cryptocurrency,” he said. “I found evidence in various channels like Medium, Telegram and Twitter promoting similar cryptomining scam apps, with many of them referencing apps found on Google Play.”

The apps Lookout discovered have since been removed from the app store.

But wait, there’s more…

Malware analysts at Dr. Web found that apps from the Google Play store—which, by the way, have been downloaded more than 5.8 million times—stole the credentials of Facebook users. Those, too, have been removed from Google Play but still pose a threat because they can still be found on aggregator sites.

The nine apps (out of 10 discovered) on Google Play included photo editing software, a rubbish cleaner, a fitness program and an image editing app.

“During the course of analyzing these stealer Trojans, we discovered an earlier modification that was spread through Google Play under the guise of an image editing software called EditorPhotoPip, which has already been removed from the official Android app store but is still available on software aggregator websites,” the researchers said, noting that what they call Android.PWS.Facebook.13Android.PWS.Facebook.14 and Android.PWS.Facebook.15 “are native Android apps” which use the Flutter framework, which was designed for cross-platform development. “Despite this, all of them can be considered modifications of the same Trojan since they use identical configuration file formats and identical JavaScript scripts to steal user data,” the analysts wrote.

Despite efforts to weed them out, Google Play is rife with malicious apps or which are a conduit for malicious activity.

“The uncontrolled proliferation of mobile Trojan apps on the Google Play store continues to wreak havoc with credentials and other personally identifiable information (PII) theft from consumers,” said Rajiv Pimplaskar, CRO at Veridium. “While several causes can be identified, a core issue is the software industry’s over-dependence on passwords, which are at the root of over 80% of data breaches and ransomware attacks worldwide.”

David Stewart, CEO at Approov, said to thwart these types of phishing attacks, “app stores can scan for this malware and reject mobile apps which contain it, although this relies on the app stores knowing about the malware and this often only happens after a lot of phishing has already taken place.”

But a lot rests on educating users “to ask the right questions,” like why an app needs a user “to log into Facebook to turn off ads,” he said. “If it smells like a phish, it’s probably phishing.”

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard
Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 142 posts and counting.See all posts by teri-robinson