Cryptomining has become a lucrative industry, growing more and more mainstream. Now, attackers are trying to grab a bit of that cash with apps that claim to automate it. But when downloaded, the apps don’t do anything except take your money.

Lookout found that a total of 172 apps, including 25 on Google Play, promised users cloud-based cryptomining services for a fee. In truth, those apps never delivered those services.

Take a look at how these apps succeeded in stealing over $350,000 from nearly 100,000 victims.

Inside the BitScam and CloudScam Apps

Lookout did a deep dive into two types of apps, which they sorted into the BitScam and CloudScam families. All of these used a similar code base and design as one another despite advertising different cryptomining operations.

“They are simply shells to collect money for services that don’t exist,” Lookout reported.

Lookout’s researchers observed that whoever had created the BitScam apps had done so using a framework that didn’t require programming experience. Both apps asked users to use Google Play’s in-app billing system to purchase cryptomining subscriptions and services. BitScam also allowed users to pay using bitcoin and Ethereum.

Once installed, the apps loaded a dashboard that displayed a fake hash mining rate as well as the amount of coins that the users had supposedly earned. They also informed users that they could increase their hash mining rate by purchasing other services or subscription upgrades.

It was all a ruse, of course. The in-app updates did nothing to change the mining ‘rate’ either.

What’s more, the apps prevented users from withdrawing any of their mined ‘coins’. The programs displayed a message saying that the withdrawal was pending, but in the background, the apps reset the user’s coin balance to zero.

Other Fake Cryptomining Apps

While cryptocurrency is in the public eye more now than when it began, this kind of app has been around for years. Back in 2018, for instance, security researcher Lukas Stefanko discovered four apps that all impersonated cryptocurrency services. They leveraged that guise to steal users’ cryptocurrency wallet credentials and/or to trick them into sending money to the attackers.

Several years later, Intezer Labs came across an operation targeting users with fake cryptocurrency-related apps. Once installed, those apps dropped ElectroRAT, a Golang-based malware strain which targeted Windows-, macOS- and Linux-based systems.

How to Defend Against Cryptomining Scam Apps

Security teams can help their organizations to protect their employees against threats like BitScam and CloudScam using ongoing awareness training. They can use it to educate their employees about mobile security best practices, such as downloading apps from trusted developers only and installing apps from only an official app store. They can also draw on threat intelligence to keep their users up to date on some of the newest mobile threats.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…