Based on community safety concerns - by: WhoTookMyCrypto.com


2017 was a remarkable year for the cryptocurrency industry, as a rapid rise in prices brought intense media attention. Unsurprisingly, this drew huge interest from both the general public and cybercriminals. The relative anonymity of cryptocurrency has made it a favorite of those who use it to bypass traditional banking systems and avoid financial oversight from regulators.

Considering that people spend most of their time on a smartphone rather than a PC, it is not surprising that cybercriminals have focused their attention on it. The sections below describe how scammers target cryptocurrency users' smartphones, along with several steps you can take to protect yourself.


Fake apps

Cryptocurrency exchanges

The best-known example of such fake software for smartphones is the mobile application for accessing a Poloniex account. Before the official version launched in July 2018, Google Play already featured several fake apps that were deliberately designed to be indistinguishable from the original. Many users who downloaded and installed these programs had their exchange login credentials compromised and their cryptocurrency stolen. Some applications went further and asked for users' Gmail accounts. It is important to note that none of the victims' accounts had two-factor authentication (2FA) enabled.

You can ensure your safety by doing the following:

  • Visit the exchange's official website to confirm that it actually has a mobile app. If so, use the link provided on the site;

  • Read reviews and ratings. Fake apps often have a lot of bad reviews from scam victims, so be sure to check before installing. However, you should also be skeptical of apps that only have positive ratings and comments. Any legitimate app has its share of negative reviews;

  • Check the app developer, company, email address, and website information. Verify all of the information provided and confirm that the application is truly associated with the exchange;

  • Take the number of downloads into account. It is unlikely that a popular crypto exchange's mobile app will have a small number of downloads;

  • Activate 2FA on your account. While this won't protect your account 100%, it will make it much harder for scammers to gain access to it and can go a long way in protecting your funds even if you fall victim to phishing.


Crypto wallets

There are many different kinds of fake wallet apps. One type exists to obtain personal information from users, such as wallet passwords and private keys.

In other cases, the app gives users pre-generated public addresses and expects them to deposit funds there. The users, however, never get access to the private keys for those addresses and therefore do not own the funds they send to them.

Such fake wallets were created exclusively for the most popular cryptocurrencies, such as Ethereum and Neo, and unfortunately many users have fallen victim to them.

Precautions to take to avoid becoming a victim:

  • The precautions listed above for exchange apps apply equally here. In addition, when you first start a wallet app, it should generate a brand-new public address and private key (or mnemonic phrase) for you. A real wallet application allows you to export private keys, but you should also make sure that the generation of new key pairs has not been compromised. Therefore, use software with an excellent reputation (preferably open source);

  • Even if the application provides you with a private key (or mnemonic phrase), make sure that you can actually use it to access your wallet. For example, some Bitcoin wallets allow users to import their private keys or phrases to view the addresses and access the funds. To minimize the risk of keys and phrases being compromised, you can do this on an air-gapped computer (one without internet access).


Cryptojacking

Cryptojacking has been a clear favorite among cybercriminals because of its low barrier to entry and low overhead costs. It also promises long-term recurring income. Despite having less processing power than PCs, mobile devices are increasingly becoming targets of this attack.

In addition to cryptojacking using a web browser, cybercriminals also develop programs that look like regular gaming, utility or educational applications. However, many of them are designed to silently mine cryptocurrency in the background.

There are also apps that advertise themselves as legitimate miners for your device, but in fact the reward goes to the developer, not the user. To make matters worse, cybercriminals are becoming increasingly sophisticated, developing more lightweight mining algorithms to avoid detection.

Cryptojacking is very dangerous for your mobile device, as it degrades performance and accelerates processor and battery wear. Even worse, it can act as a Trojan horse for other malware.

The following steps should be taken to protect yourself:

  • Only download apps from official sources such as Google Play. Pirated programs are not pre-checked and most likely contain a cryptojacking script;

  • Monitor your phone for rapid battery drain or overheating. If you identify the applications causing it, shut them down;

  • Update your device and applications to fix vulnerabilities in previous firmware versions;

  • Use a web browser that protects you from cryptojacking, or install dedicated extensions such as MinerBlock, NoCoin and Adblock;

  • If possible, install an antivirus on your smartphone and update it regularly.


Free giveaway and fake mining apps

Some of the programs that “mine cryptocurrency” for their users actually do nothing other than display advertisements. They give users an incentive to keep the app open by displaying rewards that grow over time. Some programs force users to leave a maximum rating in order to receive a reward. Ultimately, none of these platforms were mining and their users will not receive their rewards.

To protect yourself from such scams, you should understand that most cryptocurrencies require highly specialized hardware (ASIC) to mine, meaning that it is not possible to mine on a mobile device. Whatever amounts you get there, they don’t mean anything. Stay away from such apps.


Clipper

These are programs that replace an address you have copied with a different one. Thus, although the victim copies the correct recipient address for the transaction, what gets pasted is the attacker's address.

To avoid falling victim to such apps, here are some of the precautions you should take into account when sending transactions:

  • Always double, or better yet triple, check the address you paste into the recipient field. All transactions on the blockchain are irreversible, so you should always be careful.

  • It's best to check the entire address, not just parts of it. Some apps are so smart that they use addresses that are very similar to your recipient address.
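
The difference between checking "parts" of an address and checking all of it can be shown in a few lines. This is an added example, not part of the original article: the function names are hypothetical and the addresses are constructed sample strings, not real wallets.

```python
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"

def normalize(addr):
    """Drop whitespace and zero-width characters that copy-paste can add."""
    cleaned = "".join(c for c in addr if not c.isspace() and c not in ZERO_WIDTH)
    # Hex-style (0x...) addresses are case-insensitive; other formats are
    # compared exactly as given.
    return cleaned.lower() if cleaned[:2].lower() == "0x" else cleaned

def partial_check(intended, pasted, edge=6):
    """The shortcut a clipper counts on: look only at the first and last characters."""
    a, b = normalize(intended), normalize(pasted)
    return a[:edge] == b[:edge] and a[-edge:] == b[-edge:]

def check_pasted_address(intended, pasted, edge=6):
    """Compare the whole address and report every position that differs."""
    a, b = normalize(intended), normalize(pasted)
    if a == b:
        return {"verdict": "match", "diff_positions": []}
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    diff += range(min(len(a), len(b)), max(len(a), len(b)))  # length mismatch
    # "lookalike": the ends agree, so a glance would have accepted it.
    verdict = "lookalike" if partial_check(a, b, edge) else "mismatch"
    return {"verdict": verdict, "diff_positions": diff}

# Constructed sample values, not real wallet addresses.
INTENDED = "0x52a1c3f09b7d4e6a8f10b2c4d6e8fa0193b5c7d9"
LOOKALIKE = "0x52a1e4470c1d9a3b5f6682de7140bb93a5b5c7d9"
UNRELATED = "0x9f3e0d17c2ab45668e01f7d3b9a2c4e6085d1b7a"

if __name__ == "__main__":
    samples = [("same", " " + INTENDED + "\n"),
               ("lookalike", LOOKALIKE),
               ("unrelated", UNRELATED)]
    for label, pasted in samples:
        result = check_pasted_address(INTENDED, pasted)
        print(label, "| glance passes:", partial_check(INTENDED, pasted),
              "| full check:", result["verdict"],
              "| differing chars:", len(result["diff_positions"]))
```

The reference address has to come from a source the clipboard cannot touch, such as a QR code or a saved contact entry; comparing the pasted value with the clipboard itself proves nothing.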


SIM swapping

In SIM swapping scams, an attacker gains access to a user's phone number by using various social engineering techniques to trick the mobile operator into issuing a new SIM card. The most famous victim of such fraud is cryptocurrency entrepreneur Michael Terpin. He alleged that AT&T was negligent in handling his cellphone credentials, causing him to lose over $20 million worth of tokens.

Once a cybercriminal has access to your number, they can use it to bypass any 2FA associated with it, after which they gain access to your wallets and exchange accounts.

Another method that cybercriminals can use is to monitor your SMS messages. Flaws in telecommunications networks allow attackers to intercept your communications, which can include the second authentication factor.

What's particularly concerning about this attack is that users are not required to take any action, such as downloading fake software or clicking on an infected link.

Precautions to be taken to avoid falling victim to such scams:

  • Do not use your primary mobile number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to protect your account. In this case, cybercriminals will not have access to your 2FA codes even if they have your phone number. Additionally, you can use hardware 2FA devices such as YubiKey or Google Titan;

  • Do not share your identifying information on social media, such as your mobile phone number. This information can be used against you;

  • Do not announce on social networks that you have cryptocurrency, as this will immediately make you a target. If you are already in this position, avoid disclosing other personal information, as well as the exchanges and wallets you use;

  • Arrange with your mobile phone provider to protect your mobile number. This may mean setting a PIN code or password so that only those who know it can make changes to your account. In addition, you can request that changes be made only when you are present in person.


WiFi

Cybercriminals are constantly looking for weaknesses in your mobile devices, especially if they are related to cryptocurrency. One of these weak points is Internet access over WiFi. Public hotspots are not secure, and if you neglect precautions before connecting to them, you risk exposing the data on your device. We discussed all actions related to ensuring your safety in the article about public WiFi.


Conclusion

Mobile phones have become an integral part of our lives, and they are so closely tied to your digital identity that they can become your weak point. Cybercriminals know this and will continue to look for ways to exploit it. Securing your mobile devices is no longer optional; it has become a necessity, so always stay alert and stay safe.