Fake cryptocurrency trading apps on Google Play harvest credentials and steal cash

 

Two phishing apps that were made to look like the official app of popular cryptocurrency exchange Poloniex have been booted off Google Play.

Figure1-1

ESET researchers discovered them on Google Play, built to not only harvest Poloniex login credentials, but also to trick victims into making their Gmail accounts accessible.

Poloniex is one of the world’s leading cryptocurrency exchanges with more than 100 cryptocurrencies in which to buy and trade. That alone makes it an attractive target for fraudsters of all kinds, but in this case, it was its lack of an official mobile app that the criminals used to their advantage.

With all the hype around cryptocurrencies, cybercriminals are trying to grab whatever new opportunity they can – be it hijacking users’ computing power to mine cryptocurrencies via browsers or by compromising unpatched machines, or various scam schemes utilizing phishing websites and fake apps.

Both apps work the same way: First, they display a bogus screen requesting Poloniex login credentials, which are then sent on to the attackers. With the logins in hand, attackers can carry out transactions on the user’s behalf, change their settings or even lock them out of their account by changing their password.

The next step is a prompt, seemingly on behalf of Google, asking them to sign in with their Google account “for two-step security check.” The apps then ask for permission to view the user’s email messages and settings, and basic profile info. If the user grants the permissions, the app gains access to their inbox.

“With access to the user’s Poloniex account as well as to the associated Gmail account, the attackers can make transactions using the compromised account and erase any notifications about unauthorized login and transactions from the victim’s inbox,” the researchers noted.

Users who have fallen for these tricks but have two-factor authentication (2FA) enabled on their Poloniex account should be safe from getting robbed. But, if they’ve given the app access to their Gmail account, they should revoke it and change their password immediately. Changing the compromised Poloniex account password is also a good idea. Removing the malicious apps from your device should also be an obvious good move.

%d bloggers like this: