Community User Submissions - Author: WhoTookMyCrypto.com
2017 was a memorable year for the cryptocurrency industry, as its rapid growth in value drove mainstream media coverage of the industry. Unsurprisingly, this sparked great interest from the general public and cybercriminals. The relative anonymity provided by cryptocurrencies has made them a favorite tool for criminals, who use them to bypass the traditional banking system and are able to avoid financial oversight by regulators.
As users spend more time on their smartphones than desktops, cybercriminals are turning their attention to them. The following content will focus on how scammers are targeting cryptocurrency users through their mobile devices and what users can do to further protect themselves.
Fake cryptocurrency apps
Fake Cryptocurrency Exchange Apps
Perhaps the most well-known case of fake cryptocurrency exchange apps involves Poloniex. Before Poloniex launched its official mobile trading app in July 2018, several fake Poloniex exchange apps had appeared on Google Play, which were specifically designed to carry out scams. Many users who downloaded these fake apps had their Poloniex login credentials leaked and their cryptocurrencies stolen. These apps even asked users to provide their Gmail accounts as login credentials. It is important to emphasize that only accounts that did not have two-factor authentication (2FA) set up were affected.
The following steps can help protect you from this type of scam.
Check the official website of the exchange to confirm if they do offer a mobile trading app. If so, use the secure link provided on their website.
Read the reviews and ratings of the software. Fake apps will often have many bad reviews and people reporting scams, so be sure to check before downloading. However, you should also be skeptical of apps that have nothing but perfect user ratings and reviews. Any legitimate app will have some negative reviews.
Check the app developer information. See if they provide a legitimate company, email address, and website. You should also do an online search on the information provided to see if they are associated with an official exchange.
Check the number of downloads. An app from a major cryptocurrency exchange will not have only a small number of downloads.
Activate 2FA on your account. While it is not 100% secure, setting up 2FA will provide more protection if your credentials are stolen than if you do not have 2FA set up.
Fake cryptocurrency wallet apps
There are many different types of fake wallet apps. One form is designed to obtain users’ personal information, such as their wallet passwords and private keys.
In some cases, fake apps provide users with previously generated public key addresses. So users deposit funds into these addresses. However, users do not have access to private keys and therefore cannot access the funds they deposited into the public addresses.
Such fake wallets are usually created for major cryptocurrencies such as Ethereum and Neo, and unfortunately, many users have lost their assets as a result. The following steps can help you avoid becoming a victim:
The same precautions mentioned above for exchange apps apply. However, there are some additional precautions you can take when dealing with wallet apps, including ensuring that a brand new address is generated when you first open the app and that you have access to your private keys (or mnemonic seed). Legitimate wallet apps will allow you to export your private keys, and it is also important to ensure that the newly generated key pair has not been compromised. Therefore, you should use reputable software (preferably open source software).
Even if the application is able to provide you with private keys (or seeds), you should verify that you can derive and access public key addresses from them. For example, some Bitcoin wallets allow users to import their private keys or seeds and view the addresses and corresponding assets. To minimize the risk of key and seed leakage, you can do this on a non-networked computer (disconnected from the Internet).
Cryptojacking attack applications
Cryptojacking attacks have always been a favorite of cybercriminals due to their low entry barriers and low overhead costs. In addition, cryptojacking provides them with potential recurring income. Despite the low processing power of mobile devices compared to PCs, mobile devices have still become the main target of cryptojacking attacks.
In addition to browser-based cryptojacking, cybercriminals have developed apps that resemble legitimate games, utilities, or educational applications. However, many of these apps are designed to illegally run crypto-mining scripts in the background of the user’s device.
There are also some cryptojacking apps that claim to be legitimate third-party miners, but the mining rewards are not given to users but delivered to the app developers.
To make matters worse, cybercriminals are becoming more sophisticated and continue to deploy more lightweight mining algorithms to avoid detection.
Cryptojacking apps are very harmful to your mobile device, as they can degrade performance and accelerate device wear and tear. In addition, they can act as Trojan horses for malware.
The following measures can be taken to prevent it.
Only download apps from official stores, such as Google Play. Pirated apps are not manually screened and are more likely to contain cryptojacking scripts.
Monitor the phone for excessive battery drain or overheating. If detected, it is recommended to terminate the application that causes the problem.
Update your devices and apps to patch security holes.
Use a cryptojacking-resistant web browser or install reputable browser plugins (such as MinerBlock, NoCoin, and Adblock).
If possible, install mobile antivirus software and keep it updated.
Free giveaways and fake cryptocurrency mining programs
These apps pretend to be cryptocurrency miners, but are really just ads. They trick users into thinking that the mining rewards increase over time. This incentivizes users to keep the app open. Some apps even encourage users to leave 5-star ratings to get rewards. Of course, none of these apps actually mine, and users who use them have never received any rewards.
To protect yourself from such software, you need to understand that for most cryptocurrencies, highly specialized hardware (ASICs) is required for mining, which means that mining on a mobile device is not feasible. So even if you can make money from mining, it will be negligible. So, stay away from such applications.
Clipper Application
Such applications will change the cryptocurrency address you copied and replace it with the attacker's forged address. The victim may copy the correct payment address, but when they paste it, the correct transaction address will have been tampered with by the attacker.
To avoid falling victim to such apps, here are some precautions you can take when processing related transactions.
Double and triple check the address you are going to paste into the recipient field. Blockchain transactions are irreversible, so you should be careful.
It's best to verify the accuracy of the entire address, not just part of it. Some apps are smart enough to paste in an address that's similar to your intended address.
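The whole-address check described above, as an added example that is not part of the original article. It assumes Base58Check (legacy Bitcoin-style) addresses; the addresses are constructed in the code and every function name is hypothetical.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of a double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr: str) -> bool:
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) > 4 and _checksum(raw[:-4]) == raw[-4:]

def ends_match(a: str, b: str, k: int = 4) -> bool:
    # The weak habit: comparing only the first and last few characters.
    return a[:k] == b[:k] and a[-k:] == b[-k:]

def check_paste(intended: str, pasted: str) -> str:
    pasted = pasted.strip()
    if pasted == intended:
        return "match"
    # A different address with a valid checksum is well formed, so it is a
    # swap rather than a typo: the checksum alone cannot catch a clipper.
    return "substituted" if b58check_valid(pasted) else "corrupted"

def _addr(label: bytes) -> str:
    # Constructed sample: version byte 0x00 + 20 bytes derived from a label.
    return b58check_encode(b"\0" + hashlib.sha256(label).digest()[:20])

INTENDED = _addr(b"constructed-recipient")
OTHER = _addr(b"constructed-other")
# Same first/last 4 characters, different middle (checksum not recomputed).
LOOKALIKE = INTENDED[:4] + OTHER[4:-4] + INTENDED[-4:]

if __name__ == "__main__":
    for pasted in (INTENDED, OTHER, LOOKALIKE):
        print(ends_match(INTENDED, pasted), check_paste(INTENDED, pasted))
```

The constructed lookalike passes the first-and-last-characters glance but fails the full comparison, which is the only check here that treats a substituted address as a mismatch regardless of how similar it looks.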
SIM swap fraud
SIM swap scams are carried out by cybercriminals who gain access to the user's phone number. They do this by social engineering mobile phone operators into issuing new SIM cards. The most famous SIM swap scam involved cryptocurrency entrepreneur Michael Terpin. He claimed that he lost over $20 million worth of cryptocurrency due to AT&T's negligence in handling his mobile phone credentials.
If cybercriminals gain access to your phone number, they can bypass all 2FA authentication this way and gain access to your cryptocurrency wallets and exchanges.
Another method cybercriminals use is to monitor your text communications. Flaws in the communications networks can be exploited by criminals to intercept your text messages, which may include second-factor authentication messages sent to you.
This type of attack is particularly worrisome because it requires no action on the user's part, such as downloading fake software or clicking a malicious link.
To prevent yourself from falling victim to this type of scam, here are some protections to consider.
Don't use your phone number for SMS 2FA. Instead, use an app like Google Authenticator or Authy to keep your account secure. Even if a cybercriminal steals your phone number, they can't access these apps. Alternatively, you can use hardware 2FA like a YubiKey or Google's Titan Security Key.
Don't reveal personally identifiable information, such as your mobile phone number, on social media. Cybercriminals can obtain this information and use it to impersonate you elsewhere.
Do not announce on social media that you own cryptocurrency, as this can make you a target. If your location could be exposed to others, avoid disclosing personal information such as the exchange or wallet you use.
Work with your mobile operator to protect your account. This may mean setting a password on or associated with your account and making sure only someone with the account information can make changes to it. Alternatively, ensure that only you can control such changes and disable them from your phone.
WiFi
Cybercriminals are also constantly looking for entry points into mobile devices, especially to target cryptocurrency users. One such entry point is WiFi access. Public WiFi is not secure and users should take precautions before connecting. Otherwise, cybercriminals can gain access to data on the user's mobile device. These precautions have been covered in the article on public WiFi.
Concluding Thoughts
Mobile phones have become an integral part of our lives. In fact, they are so closely tied to your digital identity that they can be your biggest vulnerability. Cybercriminals are aware of this and will continue to find ways to exploit it. Protecting your mobile device is no longer optional. It has become a necessity. So take precautions.



