The integrated endpoint-to-cloud security company Lookout revealed on July 7, 2021, a smartphone crypto-mining scam employed by hundreds of Android apps. Researchers separated these apps into two app families, CloudScam and BitScam. In total, 170 apps were used to con more than 93,000 users and pocket approximately $350,000 through fake feature updates and ‘premium’ features. Twenty-five of these scammy apps were available on Google Play.
Scammers have stolen $300,000 from selling fake apps and $50,000 in crypto coins from users who paid for false services and upgrades. Since the discovery, Google has quickly removed the scammy apps from its store.
Despite belonging to two app families, all apps have used an almost identical business model. Both BitScam and CloudScam apps managed to remain undetected since there was no outward malicious activity. The apps were instead shells that collected money from upgrades and services that never existed. All of the apps had similar designs and code, which required little to no programming experience.
Once users have logged into these apps, they could see the available hash rate and the number of crypto coins they’ve supposedly earned. With CloudScams, scammers lured users into purchasing upgrades to get better mining rates. These apps showed a false coin balance and GHash rates per second, which were only counters that would reset to zero after reaching ten. There was no activity from the cloud services.
BitScam apps did not allow users to withdraw crypto funds until they had reached a minimum balance. Those who managed to reach this balance and tried to withdraw coins were met with a message reporting that the transaction was pending. Meanwhile, the app would reset the number of coins to zero without actually transferring any funds to the users.
BitScam users could pay for nonexistent virtual hardware costing between $12.99 and $259.99 via Google Play or by transferring Ether or Bitcoin to the scammers’ accounts. CloudScam users could upgrade to better subscriptions with higher mining rates and lower minimum withdrawal balance, none of which actually existed. They could also refer a friend for the bogus 20 percent of the friend’s earnings and daily rewards.