September 9, 2021 By David Bisson 2 min read

Cryptomining has become a lucrative industry, growing more and more mainstream. Now, attackers are trying to grab a bit of that cash with apps that claim to automate it. But when downloaded, the apps don’t do anything except take your money.

Lookout found that a total of 172 apps, including 25 on Google Play, promised users cloud-based cryptomining services for a fee. In truth, those apps never delivered those services.

Take a look at how these apps succeeded in stealing over $350,000 from nearly 100,000 victims.

Inside the BitScam and CloudScam Apps

Lookout did a deep dive into two types of apps, which they sorted into the BitScam and CloudScam families. All of these used a similar code base and design as one another despite advertising different cryptomining operations.

“They are simply shells to collect money for services that don’t exist,” Lookout reported.

Lookout’s researchers observed that whoever had created the BitScam apps had done so using a framework that didn’t require programming experience. Both apps asked users to use Google Play’s in-app billing system to purchase cryptomining subscriptions and services. BitScam also allowed users to pay using bitcoin and Ethereum.

Once installed, the apps loaded a dashboard that displayed a fake hash mining rate as well as the amount of coins that the users had supposedly earned. They also informed users that they could increase their hash mining rate by purchasing other services or subscription upgrades.

It was all a ruse, of course. The in-app updates did nothing to change the mining ‘rate’ either.

What’s more, the apps prevented users from withdrawing any of their mined ‘coins’. The programs displayed a message saying that the withdrawal was pending, but in the background, the apps reset the user’s coin balance to zero.

Other Fake Cryptomining Apps

While cryptocurrency is in the public eye more now than when it began, this kind of app has been around for years. Back in 2018, for instance, security researcher Lukas Stefanko discovered four apps that all impersonated cryptocurrency services. They leveraged that guise to steal users’ cryptocurrency wallet credentials and/or to trick them into sending money to the attackers.

Several years later, Intezer Labs came across an operation targeting users with fake cryptocurrency-related apps. Once installed, those apps dropped ElectroRAT, a Golang-based malware strain which targeted Windows-, macOS- and Linux-based systems.

How to Defend Against Cryptomining Scam Apps

Security teams can help their organizations to protect their employees against threats like BitScam and CloudScam using ongoing awareness training. They can use it to educate their employees about mobile security best practices, such as downloading apps from trusted developers only and installing apps from only an official app store. They can also draw on threat intelligence to keep their users up to date on some of the newest mobile threats.

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today