Community Contributed Content - Author: WhoTookMyCrypto.com
2017 was a remarkable year for the cryptocurrency industry: valuations skyrocketed, which in turn led to extensive exposure in mainstream media. Unsurprisingly, this earned cryptocurrencies enormous interest from both the general public and cybercriminals. The relative anonymity offered by cryptocurrencies has made them a coveted instrument for these malicious actors, who often use them to bypass traditional banking systems and avoid oversight by regulators.
Given that people tend to spend more time using smartphones than desktop computers, it is not surprising that cybercriminals have turned their attention to the former. The following article therefore focuses on the mechanisms scammers use to reach cryptocurrency users through their mobile devices, as well as some measures that users can take to protect themselves.
Fake cryptocurrency apps
Fake cryptocurrency exchange apps
The best-known example of fake cryptocurrency exchange apps is probably the case of Poloniex. Before the launch of the official mobile app in July 2018, several fake Poloniex exchange apps could already be found on Google Play, and they had been intentionally designed to be functional. Many users who downloaded these fraudulent apps saw their Poloniex access credentials compromised and their cryptocurrencies stolen. Some apps went a step further and even asked users for the access credentials to their Gmail accounts. It is important to note that only accounts that lacked two-factor authentication (2FA) would ultimately be compromised.
The following steps can help you protect yourself against these types of scams:
Check the official website of the exchange to verify that it really offers a mobile trading app. If so, use the link provided by the same website.
Read the reviews and ratings. Scam apps often have numerous negative reviews from people complaining about being scammed, so be sure to carry out checks before downloading. Likewise, you should also be skeptical of apps that have excessively positive comments and ratings. Every legitimate app is always accompanied by a fair share of negative reviews.
Review the information related to the app developer. Check if references to a legitimate company, website or email are provided. Next, you should carry out an online search of the information provided to verify that it is actually linked to the official exchange.
Check the number of downloads. This detail must also be taken into account because it is unlikely that a very popular exchange will have a low number of downloads.
Activate 2FA on your accounts. Although not 100% secure, 2FA is much harder to bypass and can make a big difference in protecting your funds – even if your login credentials have been compromised by phishing.
Fake cryptocurrency wallet apps
There are many types of fake apps. Among them are those that seek to obtain personal data from users, such as passwords and the private keys to their wallets.
In some cases, these are fake apps that provide users with public addresses that had previously been generated. Users will assume that they can safely deposit funds at these addresses. However, as they are not provided with the private keys, they will not be able to access the funds they deposit there.
Fake wallets of this type have been created for popular cryptocurrencies such as Ethereum or Neo, and, unfortunately, many users have lost their funds. Here are some of the precautions you can take to avoid becoming a victim of such scams:
The precautions highlighted in the previous section - dedicated to fake exchange apps - are equally valid in this case. However, an additional measure that can be taken when dealing with wallet apps is to ensure that completely new addresses are generated when said apps are opened for the first time, and that one has their corresponding private keys or mnemonic seeds. Legitimate wallet apps will allow you to export your private keys; but it is also important to ensure that the generation of new key pairs is not compromised. Therefore, you should use reputable software (preferably open source).
Even if the app provides you with a private key (or seed), you should check if public addresses can be derived and accessed from it. For example, some Bitcoin wallets allow users to import their private keys or seeds to view addresses and access funds. To minimize the risk of keys and seeds being compromised, ideally carry out this operation on an “air-gapped” computer (that is, disconnected from the internet).
Cryptojacking apps
Cryptojacking has become one of the favorite practices of cybercriminals due to its easy access and low cost, as well as the potential to offer long-term recurring income. Despite their lower processing power compared to PCs, mobile devices are becoming an increasingly common target for cryptojacking.
Aside from web browser cryptojacking, cybercriminals are also developing programs that appear to be completely legitimate, functional educational apps and games. Many of these apps, however, have been designed to secretly run scripts in the background.
There are also cryptojacking apps that are advertised as legitimate third-party mining applications, but whose rewards end up being given to the developers instead of their users.
To make matters worse, criminals have become increasingly sophisticated, which has led them to install lightweight mining algorithms that make their detection extremely difficult.
Cryptojacking is incredibly harmful to mobile devices as it degrades their performance and accelerates wear and tear. Worse still, it can also act as a Trojan horse for other, even more pernicious types of malware.
The following steps may be helpful to protect yourself from cryptojacking:
Only download apps from official platforms such as Google Play. Pirated apps have not been pre-scrutinized and are more likely to contain cryptojacking scripts.
Monitor your phone to identify excessive battery drain or overheating. Once detected, close the apps that cause these effects.
Keep your device and apps updated so that potential security vulnerabilities are patched.
Use a web browser that protects against cryptojacking or install reputable plug-ins such as MinerBlock, NoCoin and Adblock.
If possible, install mobile antivirus software and keep it updated.
Free giveaways and fake crypto mining apps
These are apps that simulate mining cryptocurrencies, but in reality they do nothing except display advertising. They incentivize users to keep apps open by reflecting an increase in rewards over time. Some of these apps even encourage users to leave 5-star reviews as a condition of obtaining the aforementioned rewards. Of course, none of these apps mine effectively, and their users will never receive a real reward.
To protect yourself against this scam, it is necessary to understand that mining most cryptocurrencies requires highly specialized hardware (the famous ASICs), which means that it is not feasible to carry out the operation from a mobile device. And in any case, any amount that could be mined in this way would be trivial. For this reason, we recommend you stay away from any similar app.
Clipboard apps (clipper apps)
This type of app alters the cryptocurrency addresses that one copies and replaces them with those of the attacker. This way, although the victim copies a correct receiving address, the one they paste to process the transaction will be replaced by one of the attacker's.
Below, we present a series of measures that you can take when processing your transactions to avoid becoming a victim of this type of app:
Always double-check, or even triple-check, the address you are pasting into the send field. Blockchain transactions are irreversible, so you should act with caution at all times.
It is best to verify the entire address you provide rather than just parts of it. Some apps are sophisticated enough to paste addresses that look similar to the legitimate one.
SIM swapping
In a SIM swapping scam, the cybercriminal gains access to the user's phone number. They achieve this by using social engineering techniques that allow them to deceive mobile operators and get them to give them a copy of the SIM card. The most famous SIM swapping scam was the one that affected cryptocurrency entrepreneur Michael Terpin - who alleged that AT&T had negligently handed over his mobile phone credentials to third parties, causing him to lose tokens valued at more than 20 million US dollars.
Once criminals gain access to your mobile phone number, they can use it to bypass any 2FA that relies on it. From there, they will make their way into your cryptocurrency wallets and exchange accounts.
Another method that cybercriminals can use is monitoring your communications via SMS. Flaws in communications networks can allow criminals to intercept your messages - among which may be the 2FA PIN.
What makes these types of attacks particularly disturbing is that they do not require an active role on the part of the victims - as is the case with downloading fake software or opening malicious links.
To avoid falling for this type of scam, the following measures can be considered:
Do not use your mobile phone number for SMS-based 2FA. Instead, use apps like Google Authenticator or Authy to protect your accounts. Cybercriminals will not be able to gain access to these types of apps, not even if they take over your phone number. Alternatively, you can also use hardware 2FA - such as YubiKey or Google's Titan Security Keys.
Never reveal personal information - such as your phone number - on social networks. Cybercriminals can take advantage of that information and use it to impersonate you on other sites.
You should never announce on social media that you own cryptocurrencies because that can make you a target. If you are in a position where everyone knows you have them, avoid revealing personal information - such as the exchanges or wallets you use.
Set up protection for your account with your mobile phone provider. This may include requiring a PIN or password for any changes you wish to make to it. Alternatively, you can also request that such changes can only be made in person - making it impossible to execute them by telephone.
WiFi
Cybercriminals are constantly looking for possible ways to access mobile devices, especially those of cryptocurrency users. One of these potential entry points is WiFi. Public WiFi networks are insecure and users should always take precautions before connecting to them. Otherwise, they risk cybercriminals gaining access to the data stored on their mobile devices. These precautions have been addressed in the article dedicated to public WiFi networks.
Final thoughts
Mobile phones have become a fundamental part of our lives. In fact, they are so intertwined with our digital identity that they can become our main vulnerability. Cybercriminals know this, and that is why they continue to look for mechanisms to exploit them. Protecting your mobile devices is no longer an option, but has become a necessity. Always act with caution.



