Researchers | July 7, 2021
Cryptocurrencies, once the exclusive domain of an idealistic fringe movement, have recently become attractive to mainstream retail investors. During the COVID-19 pandemic, the valuation of cryptocurrencies rose exponentially, reaching a market capitalization of over $2 trillion. Cybercriminals are always looking for the path of least resistance to make money, and cryptocurrencies are now in their crosshairs.
Security researchers at the Lookout Threat Lab have identified over 170 Android apps, including 25 on Google Play, that scam people interested in cryptocurrencies. Many of them are available globally, and they advertise themselves as providing cloud cryptocurrency mining services for a fee. After analyzing them, we found that no cloud crypto mining actually takes place.
The apps’ entire raison d'être is to take money from users through legitimate payment processes without ever delivering the promised service. Based on our analysis, they scammed more than 93,000 people and stole at least $350,000, counting both users paying for the apps and users buying additional fake upgrades and services.[1]
We classified these apps into two distinct families that we have named BitScam and CloudScam.
Despite the technical distinction between these two families, all of the apps use a similar business model, indicating that multiple criminal actors set up competing businesses to target users in the same manner.
Most malware executes code that performs some clearly malicious activity, such as exfiltrating private information to a command-and-control server, displaying advertisements outside of the app’s context or sending premium text messages.
What enabled BitScam and CloudScam apps to fly under the radar is that they don’t do anything actually malicious. In fact, they hardly do anything at all. They are simply shells to collect money for services that don’t exist.
Samples of CloudScam apps (above) and BitScam apps (below) we found on Google Play.
Cryptocurrency mining (also known as crypto mining) uses the processing power of computers to solve complex mathematical problems that verify cryptocurrency transactions; the miners are then rewarded with a small amount of cryptocurrency.[2] A common mining strategy is the mining pool, in which individuals contribute computing power and receive cryptocurrency in return, in proportion to what they contributed.
Cloud mining is the evolution of mining pools just like cloud computing is the evolution of on-premises data center computing. Instead of users buying hardware and paying big electricity bills to contribute to a pool, cloud miners rent cloud computing power.
Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam. Cybercriminals have set up similar schemes to steal from desktop users and the Lookout Threat Lab team has discovered the first scam that packages this scheme into mobile apps.
While a legitimate cloud mining operation could use a mobile app as its dashboard, such an app would likely have high-quality code and follow secure coding practices. Our app analysis revealed a disturbing pattern. Despite supposedly representing many different mining operations, all of the apps analyzed shared very similar code and design, which is explained below. To illustrate how unsophisticated these apps are, BitScam apps are created using a framework that doesn’t require programming experience.
The majority of BitScam and CloudScam apps are paid. This means the threat actors pocket the money from those app sales. Both CloudScam and BitScam also offer subscriptions and services related to crypto mining that users can pay for via the Google Play in-app billing system. What makes BitScam different is that its apps also accept Bitcoin and Ethereum as payment options.
Various BitScam and CloudScam apps on Google Play.
After successfully logging in, a user is greeted with an activity dashboard that displays the available hash mining rate as well as how many coins they have “earned.” The hash rate displayed is typically very low in order to lure the user into buying upgrades that promise faster mining rates. This is where both BitScam and CloudScam make more money by selling in-app upgrades, additional subscriptions and services.
If cloud mining were actually taking place in either BitScam or CloudScam, we would expect the coin amount displayed to be stored in a secure cloud database and queried via an API. After analyzing the code and network traffic, we discovered that the apps display a fictitious coin balance, not the number of coins mined. The value displayed is simply a counter slowly incremented inside the app. In some of the apps analyzed, the counter only advances while the app is running in the foreground, and it is often reset to zero when the mobile device is rebooted or the app is restarted.
In the CloudScam app “BTC Cash”, the GHash/sec figure is merely a counter that resets to zero after counting to ten. It does not trigger any activity from cloud services.
As described earlier, BitScam users are given the option to buy “virtual hardware” to increase the rate of mining. The cost of virtual hardware ranges from $12.99 to $259.99 and can be purchased either through Google Play or by transferring Bitcoin and/or Ethereum (BCH/BTC and/or ETH) to the developers’ wallet.
BitScam apps were designed so that users were not “allowed” to withdraw any coins until they reached a minimum balance. Even if someone reached the minimum balance, they wouldn’t be able to withdraw coins, as pointed out by some of the app store reviews. The app would display a message telling the user that the withdrawal transaction is pending, but behind the scenes it simply resets the user’s coin balance to zero without transferring any money to the user.
Some other apps reset users’ coin balance frequently in an attempt to prevent them from reaching the minimum balance. The reset can happen when the mobile device reboots, a user logs out or the app crashes.
Screenshots below show the withdrawal function within a CloudScam app. Just like BitScam, withdrawal is never possible. Regardless of the coin balance, anytime a user decides to withdraw coins they are presented with an error message telling them their balance is insufficient.
A BitScam app displaying “virtual hardware” upgrades that promises the user increased mining speeds.
Cloud Scam app “BTC Cash” prevents users from withdrawing their cryptocurrency balance.
Similar to BitScam, CloudScam apps offer options for users to earn more coins at an increased rate, such as “upgrading” to a subscription plan with a lower minimum withdrawal balance and higher mining rates, referring friends and earning “20%” of their friends’ earnings, and daily rewards. None of these options will earn users coins. Instead, they only generate more revenue for the scammers behind these apps.
Screenshots of fake upgrades available in BitScam app “Bito Holic” and CloudScam app “BTC Cash.”
While CloudScam and BitScam apps have now been removed from Google Play, there are dozens more still being circulated in third-party app stores. In total, the operators generated at least $350,000. They stole $300,000 from selling the fake apps and an additional $50,000 in cryptocurrencies from victims paying for fake upgrades and services.[1]
Purchasing goods or services online always requires a certain degree of trust in the vendor or at least the app store processing the transaction. While this is true for any online transaction, it is even more important with respect to financial services such as cryptocurrency investments.
The scammers running this scheme were able to tap into the existing frenzy created by the hot cryptocurrency market. But no matter how high cryptocurrency valuations climb, there is no substitute for appropriate due diligence before purchasing a cryptocurrency mining app.
When it comes to spotting cryptocurrency scammers, the most important step is following the five recommendations below.
Install from an official app store. While scams are hard to spot, downloading from an official store reduces your risk of downloading malware.
Read the terms and conditions. Most of the scam apps either have fake information or don’t have any terms available.
Take your time, and if a deal is too good to be true, it probably isn’t real.
Red flag examples: Left: One of the CloudScam apps requires users to install additional apps from the developer before they can even start “mining.” The reason in this case is for the user to prove they are human. Right: While scammers use fake reviews to boost the overall rating of their apps, real user reviews can reveal a lot about those apps.
The information provided in this report is based upon discovery tools and methods which are inherently imperfect and though it is our belief the information in this report is accurate at the time of its publishing the information is provided “as is” with all faults, and Lookout Inc., assumes no liability for its accuracy or completeness, or one's use or reliance upon the information contained therein.
[1] The $300,000 was calculated based on the cost of purchasing an app multiplied by the total number of CloudScam and BitScam app installations. The $50,000 was calculated using the market price of Ethereum and Bitcoin (as of June 2021) and the amount of each currency the victims paid. The figure of 93,000 victims is estimated based on the number of installations of these apps.
Ioannis Gasparis Staff Security Intelligence Engineer