Community Contribution - Author: WhoTookMyCrypto.com


2017 was a remarkable year for the cryptocurrency industry, with rapidly rising valuations propelling cryptocurrencies into the mainstream media. Unsurprisingly, this has led to a huge increase in interest from both the general public and cybercriminals. The relative anonymity offered by cryptocurrencies makes them a favorite of criminals who often use them to bypass traditional banking systems and avoid financial oversight from regulators.

Given that people are spending more time on their smartphones than on their desktop computers, it’s no surprise that cybercriminals have also turned their attention to these devices. The following article will explore how scammers are targeting cryptocurrency users via their mobile devices, as well as some steps users can take to protect themselves.


Fake Cryptocurrency Apps

Fake Cryptocurrency Exchange Platform Apps

Perhaps the most well-known example of fake cryptocurrency exchange apps involves Poloniex. Before Poloniex launched its official mobile trading app in July 2018, Google Play already listed several fake Poloniex exchange apps that were intentionally designed to be functional. Many users who downloaded these fraudulent apps had their Poloniex login credentials compromised and their cryptocurrencies stolen. Some apps even went further by asking for users’ Gmail account login details. It is important to note that only accounts without two-factor authentication (2FA) were compromised.

The following steps can help protect you from such scams.

  • Check the official website of the exchange platform to see if it actually offers a mobile trading app. If yes, use the link provided on their website.

  • Read reviews and ratings. Scam apps often have many bad reviews with people complaining about being scammed, so make sure to check these reviews and ratings before downloading an app. However, you should also be skeptical of apps with perfect reviews and ratings. Any legitimate app has its fair share of negative reviews.

  • Check the app developer’s information. Look for a legitimate company, email address, and website provided. It is also advisable to do an online search on the information provided to see if it is really related to the official exchange platform.

  • Check the number of downloads. The number of downloads should also be taken into account. It is unlikely that the app of a very popular cryptocurrency exchange would have only a small number of downloads.

  • Enable 2FA on your accounts. While not 100% secure, 2FA is much harder to bypass and can make a huge difference in protecting your funds, even if your login credentials are compromised (see phishing article).


Fake Cryptocurrency Wallet Apps

There are many types of fake apps. One variation seeks to obtain personal information from users, such as their wallet passwords and private keys.

In some cases, fake apps provide users with pre-generated public addresses. These users then assume that the funds are deposited to these addresses, except that in the end, they do not have access to the private keys and therefore do not have access to the deposited funds.

Examples of these fake wallets have been created for popular cryptocurrencies such as Ethereum and Neo and unfortunately, many users have lost their funds. Here are some preventive measures to take to avoid becoming a victim of these practices:

  • The precautions described above for fake exchange apps also apply. However, an additional precaution you can take when using wallet apps is to ensure that new addresses are generated when you first open the app and that you are in possession of the private keys (or mnemonics). A legitimate wallet app will allow you to export the private keys, but it is also important to ensure that the generation of new key pairs is not compromised. Therefore, it is advisable to use reputable software (preferably open source).

  • Even if the app provides you with a private key (or mnemonic phrase), you should verify that public addresses can be derived and accessed from them. For example, some Bitcoin wallets allow users to import their private keys or mnemonics in order to view addresses and access funds. To minimize the risk of keys and phrases being compromised, you can do this on an isolated computer (disconnected from the internet).


Stealth Crypto Mining (Cryptojacking) Applications

Stealth crypto mining (cryptojacking) is a favorite among cybercriminals due to the low overhead and low hurdles involved in its implementation. In addition, it offers the potential for long-term recurring revenue. Despite their lower processing power compared to PCs, mobile devices are increasingly being targeted for stealth crypto mining.

In addition to web browser-based cryptojacking, cybercriminals also develop programs that appear to be legitimate gaming, utility, or educational applications. However, many of these applications are designed to secretly run cryptocurrency mining scripts in the background.

There are also cryptojacking apps that are advertised as legitimate third-party miners, but the rewards are given to the app developer rather than the users.

To make matters worse, cybercriminals have become increasingly sophisticated and have deployed lightweight mining algorithms to avoid detection.

Stealth crypto mining (cryptojacking) is extremely harmful to your mobile devices as it degrades performance and increases wear and tear. Worse yet, these apps could potentially act as Trojan horses for more nefarious malware.

The following steps can be taken to protect against this:

  • Only download apps from official stores, such as Google Play. Pirated apps do not undergo pre-screening and are more likely to contain stealthy crypto mining scripts.

  • Monitor your phone for excessive battery drain or overheating. If you detect either, close the apps that are causing it.

  • Keep your device and apps up to date to patch security vulnerabilities.

  • Use a web browser that protects against stealth crypto mining or install reputable browser plugins, such as MinerBlock, NoCoin, and Adblock.

  • If possible, install mobile device antivirus software and keep it up to date.


Free Gifts and Fake Cryptocurrency Mining Apps

These are apps that claim to mine cryptocurrencies for their users, but actually do nothing more than display ads. They entice users to keep the apps open by promising that their rewards will increase over time. Some apps even entice users to leave a 5-star rating in order to get rewards. Of course, none of these apps actually mine, and their users never receive any rewards.

To protect yourself from this scam, be aware that for most cryptocurrencies, mining requires highly specialized hardware (ASICs), which means that it is not feasible to mine on a mobile device. Whatever amounts you mine would be trivial at best. Stay away from such apps.


Clipping Applications

These apps modify the cryptocurrency addresses you copy and replace them with the attacker's. So, while the victim wants to copy the correct recipient address, the one they paste to process the transaction is replaced with the attacker's.

To avoid falling victim to these apps, here are some precautions to take when processing transactions:

  • Always double or triple check the address you paste into the recipient field. Transactions on the blockchain are irreversible, so you should always be careful about it.

  • It is better to check the entire address instead of just part of it. Some apps are smart enough to paste addresses that look similar to the desired address.
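
To illustrate why checking only part of an address is not enough, here is an added example (not part of the original article) that compares a partial check with a full comparison. The address strings are constructed placeholders, not real addresses, and the function names are hypothetical.

```python
# Added illustration: full-address comparison versus the "first and last
# few characters" habit. All address strings below are constructed samples.

EXPECTED = "1Abc7QdRecipientSampleAddr9xYz"    # address the user meant to pay
LOOKALIKE = "1Abc3MnAttackerSampleAddrs9xYz"   # same first 4 and last 4 chars
OTHER = "1Zzz3MnUnrelatedSampleAddr4Qrs"       # visibly different


def partial_check(expected: str, pasted: str, n: int = 4) -> bool:
    """Weak check: only the first and last n characters are compared."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]


def mismatch_positions(expected: str, pasted: str) -> list:
    """Indexes at which the two strings differ (extra length counts too)."""
    longest = max(len(expected), len(pasted))
    return [
        i for i in range(longest)
        if i >= len(expected) or i >= len(pasted) or expected[i] != pasted[i]
    ]


def classify_paste(expected: str, pasted: str, n: int = 4) -> str:
    """Return 'match', 'lookalike' or 'different' for a pasted address.

    Surrounding whitespace is ignored, but case is not: many address
    formats are case-sensitive, so the strings are never lower-cased.
    """
    expected, pasted = expected.strip(), pasted.strip()
    if expected == pasted:
        return "match"
    if partial_check(expected, pasted, n):
        # Would pass a quick visual check of both ends, yet is another address.
        return "lookalike"
    return "different"


if __name__ == "__main__":
    for candidate in (EXPECTED + "\n", LOOKALIKE, OTHER):
        verdict = classify_paste(EXPECTED, candidate)
        diffs = mismatch_positions(EXPECTED, candidate.strip())
        print(f"{candidate.strip():32} {verdict:10} differs at {diffs[:5]}")
```

The "lookalike" result is the case the second precaution describes: both ends agree, so only a comparison of the whole string reveals the substitution.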


SIM Card Swap

In a SIM swap scam, a cybercriminal gains access to a user’s phone number. To do this, they use social engineering techniques to trick mobile carriers into issuing them a new SIM card. The most well-known SIM swap scam involved cryptocurrency entrepreneur Michael Terpin. He alleged that AT&T was negligent in its handling of his mobile phone credentials, leading him to lose over $20 million worth of tokens.

Once cybercriminals have access to your phone number, they can use it to bypass any 2FA that relies on it. From there, they can access your wallets and cryptocurrency exchanges.

Another method that cybercriminals may use is to monitor your SMS communications. Gaps in communication networks can allow criminals to intercept your messages, which may include the second-factor code that you are supposed to receive when you log in.

What makes this attack particularly concerning is that users can fall victim to it without having done anything wrong (unlike other types of scams where the user is tricked into downloading fake software or clicking on a malicious link).

To avoid falling prey to these scams, here are some steps to consider:

  • Don’t use your mobile number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to secure your accounts. Cybercriminals can’t access these apps even if they have your phone number. You can also use a 2FA device like a YubiKey or Google’s Titan Security Key.

  • Don’t share personal identifying information on social media, such as your mobile phone number. Cybercriminals can collect this information and use it to impersonate you elsewhere.

  • You should never advertise on social media that you own cryptocurrencies, as this would make you a target. Or if you are in a position where everyone already knows you own them, avoid disclosing personal information, including the exchanges or wallets you use.

  • Make arrangements with your mobile phone providers to protect your account. This may mean associating a PIN or password with your account and specifying that only users who know the PIN can make changes to the account. You can also require that these changes be made in person and refuse them over the phone.


Wi-Fi

Cybercriminals are constantly looking for entry points into mobile devices, especially those of cryptocurrency users. A prime example is Wi-Fi access. Public Wi-Fi is not secure, and users should take precautions before connecting to it. Otherwise, they risk granting cybercriminals access to the data stored on their mobile devices. These precautions were discussed in the article on public Wi-Fi.


Conclusion

Mobile phones have become an essential part of our lives. In fact, they are so closely linked to our digital identities that they can become our greatest vulnerability. Cybercriminals are aware of this weakness and will continue to find ways to exploit it. Securing your mobile devices is no longer an option. It has become a necessity. Stay safe.