Community Contribution - Author: WhoTookMyCrypto.com


The year 2017 was historic for the cryptocurrency industry. The strong appreciation of the market meant that the media began to pay much more attention to the space. Naturally, this attracted interest from the general public, but also from cybercriminals. Because they offer a certain degree of anonymity, cryptocurrencies have become one of the favorite alternatives among criminals, who often use them to circumvent traditional banking systems and avoid financial surveillance by regulatory agents.

Given that people are spending more time on their smartphones than on desktop computers, it's no surprise that cybercriminals have also turned their attention to mobile devices. The following discussion highlights how scammers have been targeting cryptocurrency users through their smartphones, as well as some precautions they can take to protect themselves from these attacks.


Scam cryptocurrency apps

Apps fraudulentos de exchanges

The Poloniex case is probably the best-known example of a fraudulent cryptocurrency exchange app. Before the official launch of its trading app in July 2018, Google Play already listed several fake Poloniex brokerage apps, which were intentionally designed to be functional. Several users who downloaded these apps had their Poloniex login information compromised and their cryptocurrencies stolen. Some apps have gone a step further, requesting login information for users' Gmail accounts. It is important to highlight that only accounts without two-factor verification (2FA) were compromised.

The following steps can help protect against these types of scams.

  • Check the broker's official website to make sure they offer a mobile app for trading. If yes, use the link provided on the official website.

  • Read the comments and ratings. Scam apps usually have a lot of negative reviews from people complaining about scams, so check before downloading the app. However, you should also be wary of apps with perfect reviews and ratings. Any legitimate app has a certain percentage of negative reviews.

  • Check the app's developer information. Make sure a legitimate company name, email address, and official website are provided. You should also do some online research on the information presented to make sure it is actually related to the official broker.

  • Check the number of downloads. This information should also be considered, a very popular cryptocurrency exchange is unlikely to have a low number of downloads.

  • Enable two-factor verification (2FA). While not 100% secure, 2FA is much more complicated to bypass and can make a big difference in protecting your funds, even if your login credentials have been phished.


Fake cryptocurrency wallet apps

There are several different types of fake apps. One of these types tries to obtain personal information from users such as their wallet passwords and private keys.

In some cases, fake apps provide pre-generated public addresses to users. Thus, making them understand that funds must be deposited at these addresses. However, they do not gain access to the private keys, and thus do not have access to any funds sent to these addresses.

These types of fake wallets were created for popular cryptocurrencies like Ethereum and Neo, and unfortunately, many users lost their coins. Here are some precautions you can take to prevent yourself from becoming a victim:

  • The precautions highlighted above are equally applicable to the brokerage application segment. However, an additional precaution you can take when dealing with wallet apps is to ensure that new addresses are generated as soon as you open the app for the first time, and that you have possession of the private keys (or mnemonic seeds). A legitimate wallet app allows you to export the private keys, but it is also important to ensure that the generation of new key pairs is not compromised. So you should use an application that has a good reputation (preferably open source).

  • Even if the application provides you with a private key (or seed), you must check whether public addresses can be generated and accessed from it. For example, some Bitcoin wallets allow users to import their private keys or seeds to view addresses and access their funds. In an attempt to minimize the risk of keys or seeds being compromised, you should do this on a computer disconnected from the internet.


Cryptojacking apps

Cryptojacking activity has been a favorite among scammers, due to the low barriers to entry and small expenses required. Furthermore, this type of scam is interesting because it offers the possibility for scammers to generate recurring and long-term income. Despite lower processing power compared to desktop computers, mobile devices are becoming a constant target for Cryptojacking.

In addition to web browser-based Cryptojacking, scammers are also developing games, utility and educational programs that appear legitimate. However, many of these programs are developed to execute scripts (commands) to mine cryptocurrencies secretly.

There are also Cryptojacking apps that are advertised as official miners, but the rewards are given to the app developer rather than the users.

To make matters even worse, scammers are becoming increasingly sophisticated, launching very lightweight mining algorithms to avoid detection.

Cryptojacking activity is extremely harmful to your mobile devices as it  decreases performance and accelerates the wear of internal components. Even worse, it can act as a potential Trojan horse for other, more dangerous infections.

The following steps can be taken to prevent Cryptojacking.

  • Only download applications that are available in official stores, such as Google Play. Pirated apps have not been pre-scanned and are more likely to contain cryptojacking scripts.

  • Monitor your cell phone to identify excessive battery usage or overheating. Once identified, close the applications that are causing the problem.

  • Keep your device and applications properly updated, this way security vulnerabilities will be fixed frequently.

  • Use a web browser that has Cryptojacking protection, or install reputable plugins such as MinerBlock, NoCoin and Adblock.

  • If possible, install antivirus programs and keep them updated.


Fake cryptocurrency mining and sweepstakes apps

These apps pretend to be mining cryptocurrencies for their users, but in reality they do nothing other than display ads. They encourage users to keep apps open by promising supposed rewards over time. Some of them even encourage users to leave 5-star reviews in the store, using the same type of promise. Of course, none of these apps actually mine cryptocurrencies, and their users will never receive any rewards.

To protect yourself against this type of scam, it is necessary to understand that in most cryptocurrencies, mining has as a prerequisite a highly specialized type of hardware, called an ASIC, meaning that it is impossible to mine using a mobile device. Any amount you manage to mine will be tiny at best. Stay away from these apps.


Clipper Apps

These applications change the cryptocurrency addresses you copy and replace them with the attacker's addresses. Thus, while the victim copies the correct address, as soon as he pastes it, it is replaced with a valid address, but one that belongs to the attacker.

To avoid falling victim to apps like this, here are some precautions you can take when processing transactions.

  • Always check the address you are entering in the recipient field at least two or three times. Transactions on the blockchain are irreversible, so you should always be careful.

  • It's better to check the entire address rather than just parts of it. Some apps are smart enough to paste similar addresses to what you intended.


Chip change

In a SIM swap scam, a scammer gains access to a user's phone number. They do this by applying social engineering techniques to trick mobile phone operators into issuing a new SIM card. The most well-known chip swap scam to date involved a cryptocurrency entrepreneur named Michael Terpin. He alleged that the operator AT&T was negligent in managing his telephone credentials, resulting in the loss of coins that had a value equivalent to 20 million US dollars.

Once scammers gain access to your phone number, they can then use it to bypass potential 2FA protection that relies on text messages (SMS). From there, they have access to your cryptocurrency wallets and brokerage accounts.

Another method scammers may use is monitoring your text messages (SMS). Some flaws in communication networks allow criminals to intercept your messages, which may include your 2FA protection password.

What makes this attack particularly worrying is that users are not required to perform any actions, such as downloading fake programs or clicking on infected links.

To avoid becoming yet another victim of such scams, here are some steps to consider.

  • Don't use your phone number to receive 2FA passwords via SMS. Instead, use apps like Google Authenticator or Authy to protect your accounts. Scammers cannot gain access to these apps even if they have your phone number. Another alternative is to use 2FA hardware, such as the YubiKey or Google's Titan Security Key.

  • Do not reveal personal information on social media, such as your phone number. Scammers can use this information to impersonate you elsewhere, whether on social media or physical locations.

  • You should never post on social media that you own cryptocurrencies, this will make you a target. And in case you are in a position where everyone knows you have cryptocurrencies, avoid disclosing personal information, such as the wallets and brokers you use.

  • Negotiate with your mobile phone providers a safer way to protect your account. A good option is to ask for a password or PIN to be attached to your account, so that only those who have this code can make changes to it. Alternatively, you can require that all changes be made in person, prohibiting any changes over the phone.


WiFi

Scammers are constantly looking for vulnerabilities in mobile devices, especially those where the owners have cryptocurrencies. One such vulnerability is WiFi access. Public WiFi is insecure and users must take certain precautions before establishing a connection to it. Otherwise, they are at risk of scammers gaining access to the data on their mobile devices. These precautions were covered in the article on public WiFi.


Final considerations

Mobile phones have become an essential part of our lives. In fact, they are so linked to your digital identity that they can become your greatest vulnerability. Criminals know this and will continue to try to find ways to take advantage of this problem. Protecting your mobile devices is no longer optional, but a necessity. Stay safe.