Cryptomining has become a lucrative industry, growing more and more mainstream. Now, attackers are trying to grab a bit of that cash with apps that claim to automate it. But when downloaded, the apps don’t do anything except take your money.

Lookout found that a total of 172 apps, including 25 on Google Play, promised users cloud-based cryptomining services for a fee. In truth, those apps never delivered those services.

Take a look at how these apps succeeded in stealing over $350,000 from nearly 100,000 victims.

Inside the BitScam and CloudScam Apps

Lookout did a deep dive into two types of apps, which they sorted into the BitScam and CloudScam families. All of these used a similar code base and design as one another despite advertising different cryptomining operations.

“They are simply shells to collect money for services that don’t exist,” Lookout reported.

Lookout’s researchers observed that whoever had created the BitScam apps had done so using a framework that didn’t require programming experience. Both apps asked users to use Google Play’s in-app billing system to purchase cryptomining subscriptions and services. BitScam also allowed users to pay using bitcoin and Ethereum.

Once installed, the apps loaded a dashboard that displayed a fake hash mining rate as well as the amount of coins that the users had supposedly earned. They also informed users that they could increase their hash mining rate by purchasing other services or subscription upgrades.

It was all a ruse, of course. The in-app updates did nothing to change the mining ‘rate’ either.

What’s more, the apps prevented users from withdrawing any of their mined ‘coins’. The programs displayed a message saying that the withdrawal was pending, but in the background, the apps reset the user’s coin balance to zero.

Other Fake Cryptomining Apps

While cryptocurrency is in the public eye more now than when it began, this kind of app has been around for years. Back in 2018, for instance, security researcher Lukas Stefanko discovered four apps that all impersonated cryptocurrency services. They leveraged that guise to steal users’ cryptocurrency wallet credentials and/or to trick them into sending money to the attackers.

Several years later, Intezer Labs came across an operation targeting users with fake cryptocurrency-related apps. Once installed, those apps dropped ElectroRAT, a Golang-based malware strain which targeted Windows-, macOS- and Linux-based systems.

How to Defend Against Cryptomining Scam Apps

Security teams can help their organizations to protect their employees against threats like BitScam and CloudScam using ongoing awareness training. They can use it to educate their employees about mobile security best practices, such as downloading apps from trusted developers only and installing apps from only an official app store. They can also draw on threat intelligence to keep their users up to date on some of the newest mobile threats.

More from News

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…

LemonDuck Cryptojacking Botnet Targets API Security Gap

A recent report reveals the well-known crypto mining botnet LemonDuck can target Docker to secretly mine cryptocurrency on the Linux platform. LemonDuck targets Microsoft Exchange servers to mine crypto, escalate privileges and move sideways in compromised networks. It takes advantage of Docker, a mainstream platform used for building, running and managing containerized workloads. Since Docker runs container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Attackers can then exploit this API to…