The apps exploited legitimate payment processes such as Google Pay to receive money stolen in crypto mining scams. They use these channels to steal users’ money by promising services that they do not deliver.
Lookout researchers estimated that fraudsters scammed over 93,000 users out of approximately $350,000 in crypto mining scams. The amount includes $300,000 spent purchasing the fake Android apps and $50,000 spent on fake upgrades and services.
Unlike other malicious Android apps, crypto mining fake apps do not perform any malicious activity. The lack of malicious payloads allows them to sneak into Google Play Store and other managed app stores. They also easily evade code-based mobile security solutions that scan for malicious apps on mobile phones.
Most fake crypto mining apps circulate on third-party app stores
The researchers found that only 25 apps involved in crypto mining scams are available on the Google Play store. Although Google removed the apps, crypto mining scams would continue to defraud thousands of investors through third-party stores as the primary distribution channels for fake crypto apps.
The scammers would continue receiving money through other payment processes such as Bitcoin transfers.
Multiple scammers set up competing businesses targeting victims using similar tactics
The researchers noted that the apps had similar designs and business models and shared the same codebase. Most of the fake crypto mining Android apps required fake premium upgrades. Some of the apps involved in crypto mining scams also demanded that users download additional Android apps from the same developer.
The researchers noted that real crypto mining apps would have high-quality, sophisticated code and would transfer data to APIs over secure communication channels. However, the Android apps involved in crypto mining scams were developed using a framework that does not require programming knowledge.
Additionally, the apps did not communicate with cloud services to perform actual crypto mining. Instead, the cryptocurrency scam apps had fictitious earning activities.
On logging in, users were presented with the available hash mining rate and the coin amount they have “earned.”
The apps also displayed a fictitious coin balance stored in a counter that was slowly incremented. The counter was reset whenever the app crashed or was restarted. In one app, “BTC Cash,” the counter reset to zero without contacting any cloud API after counting from 0 to 10.
“In some of the apps analyzed, we observed this happening only while the app is running in the foreground and is often reset to zero when the mobile device is rebooted or the app restarted,” researchers said.
The fake wallet apps provided a very low fee to trick the users into upgrading for higher rates, faster mining speeds, and lower minimum withdrawal balance.
They also had a minimum withdrawal balance that users must earn to withdraw their money. They frequently reset this balance to prevent users from reaching the minimum balance.
Even if a user reached the minimum balance, they could not successfully transfer the money. The app displayed an error message and reset the amount without transferring money whenever the user initiated the withdrawal process.
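The behaviour described above (a balance that grows with no backend traffic and resets on restart or at withdrawal) can be checked from sandbox observations even though the apps carry no malicious payload. The following Python is an added example, not code from Lookout or from the apps; the Sample record, the flag names and both traces are constructed, and net_requests is assumed to count only requests to the app's own backend, not ad or analytics traffic.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    balance: float     # balance shown in the app UI at this observation
    net_requests: int  # backend requests seen since the previous sample (assumption)


def triage(sessions):
    """Return sorted behavioural red flags for one app.

    sessions: app runs in chronological order, each a list of Sample.
    A restart or reboot starts a new run.
    """
    flags = set()
    prev_end = None
    for run in sessions:
        if not run:
            continue
        # The balance was lost across a restart: it is not persisted anywhere.
        if prev_end is not None and run[0].balance < prev_end:
            flags.add("balance_reset_on_restart")
        for before, after in zip(run, run[1:]):
            offline = after.net_requests == 0
            # "Earnings" increased although nothing was fetched from a backend.
            if after.balance > before.balance and offline:
                flags.add("balance_grows_offline")
            # The balance fell with no request that could have moved funds.
            if after.balance < before.balance and offline:
                flags.add("balance_drops_without_network")
        prev_end = run[-1].balance
    return sorted(flags)


# Constructed trace: local counter that climbs to 10, resets, and restarts at 0.
FAKE_TRACE = [
    [Sample(0, 0), Sample(5, 0), Sample(10, 0), Sample(0, 0), Sample(3, 0)],
    [Sample(0, 0), Sample(2, 0)],
]
# Constructed trace: balance changes follow backend traffic and survive a restart.
BACKED_TRACE = [
    [Sample(0.0, 1), Sample(0.4, 2), Sample(0.9, 1)],
    [Sample(0.9, 1), Sample(1.3, 2)],
]

if __name__ == "__main__":
    print(triage(FAKE_TRACE))
    print(triage(BACKED_TRACE))
```

The flags are triage signals for manual review, not proof of fraud on their own.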
BitScam apps tricked users into buying “virtual hardware” through Google Play or Bitcoin transfer to increase the mining speed. The fake hardware cost between $12.99 and $259.99.
CloudScam apps, meanwhile, tricked users into upgrading to a subscription plan with higher mining rates, low withdrawal balances, the ability to refer friends and receive 20% of their earnings, and daily rewards.
Lookout security researchers advised users to treat apps with a high level of caution by checking user reviews and only downloading apps from official stores.