The apps have been designed solely to steal money from people who mine cryptocurrencies, said security researchers at Lookout Threat Lab, a cloud security company.
The apps scammed more than 93,000 people and took in at least $350,000, counting both the purchase price of the apps and the fake upgrades and services bought inside them, said the researchers, who classified the apps into two families they dubbed “BitScam” and “CloudScam.”
“What enabled [these apps] to fly under the radar is that they don’t do anything actually malicious. In fact, they hardly do anything at all. They are simply shells to collect money for services that don’t exist,” the researchers said in a report.
The way crypto mining has evolved also makes this kind of scam easier to run.
In proof-of-work cryptocurrencies, mining uses computing power to solve a brute-force hashing puzzle; the miner who solves it first appends the next block of transactions to the chain and collects the block reward. Because the odds of winning a block are proportional to a miner's share of the whole network's hash rate, a single small miner rarely wins anything on its own.
Broadly, there are two ways for individuals to take part. One is a mining pool, where many miners combine their hash rate and the pool splits each block reward among them in proportion to the work each contributed. Cloud mining is the next step: instead of running hardware at all, the customer rents hash rate from a provider who operates the machines and pays out a share of the returns. The customer never sees the hardware, only a dashboard and a balance, which is exactly what a fake service can imitate.
“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam,” the researchers said.
How the scams operate
The majority of fraudulent apps were paid, allowing the scammers to pocket the money from app sales. The apps also offered subscriptions and services that users could pay for via the Google Play in-app billing system.
After logging in, a user would see an activity dashboard showing the available hash rate – the amount of computing power supposedly being contributed to the network on the user's behalf – as well as how many coins they have “earned.” The hash rate would typically be very low in order to push users to buy upgrades that promise faster mining.
“After analyzing the code and network traffic, we discovered the apps display a fictitious coin balance and not the number of coins mined. The value displayed is simply a counter slowly incremented in the app,” the researchers said.
In the BitScam-style scam, users are given the option to buy “virtual hardware” to increase the mining rate. The virtual hardware costs between $12.99 and $259.99 and can be purchased either through Google Play or directly with Bitcoin and/or Ethereum, which keeps some of the payments outside Google's billing system entirely.
Apps were also designed so that users were not “allowed” to withdraw any coins until they reached a minimum balance. And even when a minimum balance was reached, users were not able to withdraw coins, the researchers said.
“The app would display a message telling the user that the withdrawal transaction is pending, but behind the scenes, it simply resets the user’s coin balance amount to zero without transferring any money to the user.”
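The numbers on such a dashboard can be checked against plain proof-of-work arithmetic: a given hash rate can only earn a predictable fraction of the network's block rewards, so a balance that climbs visibly at a tiny hash rate, or a "minimum withdrawal" that would take longer than a lifetime to reach, is a counter rather than mining. The following is an added example written for this article, not code from Lookout's report or from the apps; the network figures (rounded mid-2021 Bitcoin values) and the sample dashboard readings are assumed illustrative inputs, not data taken from the scam apps.

```python
"""Sanity-check a cloud-mining dashboard's claims against proof-of-work arithmetic."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    name: str
    hashrate_hs: float      # total network hash rate, hashes per second
    block_reward: float     # coins paid per block
    blocks_per_day: float   # blocks found per day at the target interval


# Assumed, rounded figures for illustration only; look up current values before use.
BITCOIN_MID_2021 = Network("BTC", hashrate_hs=1.2e20, block_reward=6.25, blocks_per_day=144)


def expected_daily_coins(user_hashrate_hs: float, net: Network) -> float:
    """Expected coins per day for a share of the network's hash rate (before pool fees).

    A miner's share of all block rewards is its share of total hash rate.
    """
    if user_hashrate_hs < 0 or net.hashrate_hs <= 0:
        raise ValueError("user hash rate must be >= 0 and network hash rate > 0")
    return user_hashrate_hs / net.hashrate_hs * net.blocks_per_day * net.block_reward


def days_to_reach(threshold_coins: float, user_hashrate_hs: float, net: Network) -> float:
    """Days needed to accumulate `threshold_coins` at the expected rate (inf if never)."""
    daily = expected_daily_coins(user_hashrate_hs, net)
    if daily == 0.0:
        return math.inf
    return threshold_coins / daily


def claim_is_plausible(claimed_daily_coins: float, user_hashrate_hs: float,
                       net: Network, slack: float = 2.0) -> bool:
    """True if a dashboard's claimed daily yield is within `slack` times the expectation.

    Variance and pool payout schemes justify some slack; orders of magnitude do not.
    """
    return claimed_daily_coins <= slack * expected_daily_coins(user_hashrate_hs, net)


def audit_dashboard(user_hashrate_hs: float, observed_daily_coins: float,
                    min_withdrawal: float, net: Network) -> dict:
    """Summarise the checks an analyst would run on one dashboard reading."""
    expected = expected_daily_coins(user_hashrate_hs, net)
    return {
        "expected_daily_coins": expected,
        "claim_plausible": claim_is_plausible(observed_daily_coins, user_hashrate_hs, net),
        "days_to_min_withdrawal": days_to_reach(min_withdrawal, user_hashrate_hs, net),
    }


if __name__ == "__main__":
    # Constructed reading: the app shows 10 kH/s, the balance grows by 0.00001 BTC per
    # day, and withdrawals are "allowed" only above 0.001 BTC.
    report = audit_dashboard(1e4, 1e-5, 1e-3, BITCOIN_MID_2021)
    for key, value in report.items():
        print(f"{key}: {value}")
```

At 10 kH/s against a 120 EH/s network the expected yield is on the order of 1e-13 BTC per day, so the observed growth of 1e-5 BTC per day is about eight orders of magnitude too high, and the 0.001 BTC withdrawal threshold would take more than ten billion days to reach. Either result on its own is enough to conclude that the balance is not tied to any mining.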
While the apps have now been removed from Google Play, there are dozens more still being circulated in third-party app stores, the researchers said.
“The scammers running this scheme were able to tap into the existing frenzy created by the hot cryptocurrency market,” according to the report.