Community Submission - Author: WhoTookMyCrypto.com
2017 was a remarkable year for the cryptocurrency industry as their rapid increase in valuations propelled them into mainstream media. Unsurprisingly, this garnered them immense interest from both the general public as well as cybercriminals. The relative anonymity offered by cryptocurrencies has made them a favourite amongst criminals who often use them to bypass traditional banking systems and avoid financial surveillance from regulators.
Given that people are spending more time on their smartphones than desktops, it is thus not surprising that cybercriminals have also turned their attention to them. The following discussion highlights how scammers have been targeting cryptocurrency users through their mobile devices, along with a few steps that users can take to protect themselves.
Fake cryptocurrency apps
Fake cryptocurrency exchange apps
The most well-known example of a fake cryptocurrency exchange app is probably the one of Poloniex. Prior to the launch of their official mobile trading app in July 2018, Google Play was already listing several fake Poloniex exchange apps, which were intentionally designed to be functional. Many users that downloaded those fraudulent apps had their Poloniex login credentials compromised, and their cryptocurrencies were stolen. Some apps even went a step further requesting the login credentials of users Gmail accounts. It is important to highlight that only accounts without two-factor authentication (2FA) were compromised.
The following steps can help protect you against such scams.
Fake cryptocurrency wallet apps
There are many different types of fake apps. One variation seeks to obtain personal information from users such as their wallet passwords and private keys.
In some cases, fake apps provide previously generated public addresses to users. So they assume funds are to be deposited into these addresses. However, they do not gain access to the private keys and thus do not have access to any funds that are sent to them.
Such fake wallets have been created for popular cryptocurrencies such as Ethereum and Neo and, unfortunately, many users lost their funds. Here are some preventive steps that can be taken to avoid becoming a victim:
Cryptojacking has been a hot favorite amongst cybercriminals due to the low barriers to entry and low overheads required. Furthermore, it offers them the potential for long-term recurring income. Despite their lower processing power when compared to PCs, mobile devices are increasingly becoming a target of cryptojacking.
Apart from web-browser cryptojacking, cybercriminals are also developing programs that appear to be legitimate gaming, utility or educational apps. However, many of these apps are designed to secretly run crypto-mining scripts in the background.
There are also cryptojacking apps that are advertised as legitimate third-party miners, but the rewards are delivered to the app developer instead of the users.
To make things worse, cybercriminals have become increasingly sophisticated, deploying lightweight mining algorithms to avoid detection.
Cryptojacking is incredibly harmful to your mobile devices as they degrade performance and accelerates wear and tear. Even worse, they could potentially act as Trojan horses for more nefarious malware.
The following steps can be taken to guard against them.
Free giveaway and fake crypto-miner apps
These are apps that pretend to mine cryptocurrencies for their users but don’t actually do anything apart from displaying ads. They incentivize users to keep the apps open by reflecting an increase in the user’s rewards over time. Some apps even incentivize users to leave 5-star ratings in order to get rewards. Of course, none of these apps were actually mining, and their users never received any rewards.
To guard against this scam, understand that for the majority of cryptocurrencies, mining requires highly specialized hardware (ASICs), meaning it is not feasible to mine on a mobile device. Whatever amounts you mine would be trivial at best. Stay away from any such apps.
Such apps alter the cryptocurrency addresses you copy and replace them with those of the attacker. Thus, while a victim may copy the correct recipient address, the one they paste to process the transaction is replaced by those of the attacker.
To avoid falling victim to such apps, here are some precautions you can take when processing transactions.
In a SIM swapping scam, a cybercriminal gains access to the phone number of a user. They do this by employing social engineering techniques to trick mobile phone operators into issuing a new SIM card to them. The most well-known SIM swapping scam involved cryptocurrency entrepreneur Michael Terpin. He alleged that AT&T was negligent in their handling of his mobile phone credentials resulting in him losing tokens valued at more than 20 million US dollars.
Once cybercriminals have gained access to your phone number, they can use it to bypass any 2FA that relies on that. From there, they can work their way into your cryptocurrency wallets and exchanges.
Another method cybercriminals can employ is to monitor your SMS communications. Flaws in communications networks can allow criminals to intercept your messages which can include the second-factor pin messaged to you.
What makes this attack particularly concerning is that users are not required to undertake any action, such as downloading a fake software or clicking a malicious link.
To prevent falling prey to such scams, here are some steps to consider.
Cybercriminals are constantly seeking entry points into mobile devices, especially the ones of cryptocurrency users. One such entry point is that of WiFi access. Public WiFi is insecure and users should take precautions before connecting to them. If not, they risk cybercriminals gaining access to the data on their mobile devices. These precautions have been covered in the article on public WiFi.
Mobile phones have become an essential part of our lives. In fact, they are so intertwined with your digital identity that they can become your greatest vulnerability. Cybercriminals are aware of this and will continue to find ways to exploit this. Securing your mobile devices is no longer optional. It has become a necessity. Stay safe.