2017 was a remarkable year for the cryptocurrency industry as their rapid increase in valuations propelled them into mainstream media. Unsurprisingly, this garnered them immense interest from both the general public as well as cybercriminals. The relative anonymity offered by cryptocurrencies has made them a favorite amongst criminals who often use them to bypass traditional banking systems and avoid financial surveillance from regulators.
Given that people are spending more time on their smartphones than desktops, it is thus not surprising that cybercriminals have also turned their attention to them. The following discussion highlights how scammers have been targeting cryptocurrency users through their mobile devices, along with a few steps that users can take to protect themselves.
Fake cryptocurrency apps
Fake cryptocurrency exchange apps
The most well-known example of a fake cryptocurrency exchange app is probably the one of Poloniex. Prior to the launch of their official mobile trading app in July 2018, Google Play was already listing several fake Poloniex exchange apps, which were intentionally designed to be functional. Many users that downloaded those fraudulent apps had their Poloniex login credentials compromised, and their cryptocurrencies were stolen. Some apps even went a step further requesting the login credentials of users Gmail accounts. It is important to highlight that only accounts without two-factor authentication (2FA) were compromised.
The following steps can help protect you against such scams.
Check the exchange’s official website to verify if they indeed offer a mobile trading app. If so, use the link provided on their website.
Read the reviews and ratings. Fraudulent apps often have many bad reviews with people complaining about getting scammed, so make sure to check them before you download. However, you should also be skeptical of apps that present perfect ratings and comments. Any legitimate app has its fair share of negative reviews.
Check the app developer information. Look for whether a legitimate company, email address, and website are provided. You should also perform an online search on the information provided to see if they are really related to the official exchange.
Check the number of downloads. The download count should also be considered. It is unlikely that a highly popular cryptocurrency exchange would have a small number of downloads.
- Activate 2FA on your accounts. Although not 100% secure, 2FA is much harder to bypass and can make a huge difference in protecting your funds, even if your login credentials are phished.
Fake cryptocurrency wallet apps
There are many different types of fake apps. One variation seeks to obtain personal information from users such as their wallet passwords and private keys.
Such fake wallets have been created for popular cryptocurrencies such as Ethereum and Neo and, unfortunately, many users lost their funds. Here are some preventive steps that can be taken to avoid becoming a victim:
The precautions highlighted in the exchange app segment above are equally applicable. However, an additional precaution you can take when dealing with wallet apps is to make sure brand new addresses are generated when you first open the app, and that you are in possession of the private keys (or mnemonic seeds). A legitimate wallet app allows you to export the private keys, but it is also important to ensure the generation of new key pairs is not compromised. So you should use a reputable software (preferably open source).
Even if the app provides you a private key (or seed), you should verify whether the public addresses can be derived and accessed from them. For example, some Bitcoin wallets allow users to import their private keys or seeds to visualize the addresses and access the funds. To minimize the risks of keys and seeds being compromised, you may perform this on an air-gapped computer (disconnected from the internet).
Apart from web-browser cryptojacking, cybercriminals are also developing programs that appear to be legitimate gaming, utility or educational apps. However, many of these apps are designed to secretly run crypto-mining scripts in the background.
There are also cryptojacking apps that are advertised as legitimate third-party miners, but the rewards are delivered to the app developer instead of the users.
To make things worse, cybercriminals have become increasingly sophisticated, deploying lightweight mining algorithms to avoid detection.
Cryptojacking is incredibly harmful to your mobile devices as they degrade performance and accelerates wear and tear. Even worse, they could potentially act as Trojan horses for more nefarious malware.
The following steps can be taken to guard against them.
Only download apps from official stores, such as Google Play. Pirated apps are not pre-scanned and are more likely to contain cryptojacking scripts.
Monitor your phone for excessive battery draining or overheating. Once detected, terminate apps that are causing this.
- Keep your device and apps updated so that security vulnerabilities get patched.
Use a web browser that guards against cryptojacking or install reputable browser plug-ins, such as MinerBlock, NoCoin, and Adblock.
If possible, install mobile antivirus software and keep it updated.
Free giveaway and fake crypto-miner apps
These are apps that pretend to mine cryptocurrencies for their users but don’t actually do anything apart from displaying ads. They incentivize users to keep the apps open by reflecting an increase in the user’s rewards over time. Some apps even incentivize users to leave 5-star ratings in order to get rewards. Of course, none of these apps were actually mining, and their users never received any rewards.
Such apps alter the cryptocurrency addresses you copy and replace them with those of the attacker. Thus, while a victim may copy the correct recipient address, the one they paste to process the transaction is replaced by those of the attacker.
To avoid falling victim to such apps, here are some precautions you can take when processing transactions.
- Always double and triple check the address you are pasting into the recipient field. Blockchain transactions are irreversible so you should always be careful.
It is best to verify the entire address instead of just portions of it. Some apps are intelligent enough to paste addresses that look similar to your intended address.
Once cybercriminals have gained access to your phone number, they can use it to bypass any 2FA that relies on that. From there, they can work their way into your cryptocurrency wallets and exchanges.
Another method cybercriminals can employ is to monitor your SMS communications. Flaws in communications networks can allow criminals to intercept your messages which can include the second-factor pin messaged to you.
What makes this attack particularly concerning is that users are not required to undertake any action, such as downloading a fake software or clicking a malicious link.
To prevent falling prey to such scams, here are some steps to consider.
Do not use your mobile phone number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to secure your accounts. Cybercriminals are unable to gain access to these apps even if they possess your phone number. Alternatively, you may use hardware 2FA such as YubiKey or Google's Titan Security Key.
Do not reveal personal identifying information on social media, such as your mobile phone number. Cybercriminals can pick up such information and use them to impersonate you elsewhere.
You should never announce on social media that you own cryptocurrencies as this would make you a target. Or if you are in a position where everyone already knows you own them, then avoid disclosing personal information including the exchanges or wallets you use.
Make arrangements with your mobile phone providers to protect your account. This could mean attaching a pin or password to your account and dictating that only users with knowledge of the pin can make changes to the account. Alternatively, you can require such changes to be made in person and disallow them over the phone.
Mobile phones have become an essential part of our lives. In fact, they are so intertwined with your digital identity that they can become your greatest vulnerability. Cybercriminals are aware of this and will continue to find ways to exploit this. Securing your mobile devices is no longer optional. It has become a necessity. Stay safe.