Crypto scam: Nearly 100,000 people fleeced by fake cryptomining apps


If some of your cryptocurrency-crazy friends seem a little more sheepish than usual today, it may be because they were scammed by bogus Android apps that promised cloud-based mining services — but delivered nothing.

Mobile security firm Lookout revealed this morning (July 7) that it had found more than 170 different Android apps, 25 of which were in Google Play, that "advertise themselves as providing cloud cryptocurrency mining services for a fee."

But, Lookout researcher Ioannis Gasparis said in the company's report, "we found that no cloud crypto mining actually takes place." 

"Based on our analysis, they scammed more than 93,000 people and stole at least $350,000 between users paying for apps and buying additional fake upgrades and services," said Gasparis. 

These scams largely went undetected because they're not malicious. They don't steal data or install malware. Google's malware detectors won't pick them up, and neither will the best Android antivirus apps. 

"In fact, they hardly do anything at all," Gasparis wrote. "They are simply shells to collect money for services that don't exist."

A side of virtual hardware with that?

The apps seem to fall into two different groups based on their code, Lookout said, indicating that multiple groups of scammers are cashing in on the cryptocurrency craze. 

The "BitScam" group of apps took payment for subscriptions, services and in-app upgrades in Bitcoin and Ethereum tokens (technically violating Google Play's terms of service), while the "CloudScam" group took regular credit-card payments. Upgrades cost as much as $250 for a "virtual hardware" package.

However, both sets of apps blocked users from actually withdrawing any of their "mined" coins. If you tried to withdraw some cryptocash, you'd be told that your balance wasn't high enough to allow that.

All 25 of these scam apps that were in Google Play have been removed, Lookout said, but those and about 150 others can still be found in "off-road" app stores. Lookout has a full list of the scam apps here.

What you can, and can't, do about this

Needless to say, if you have any of these apps on your Android phone, go into Settings > Apps & Notifications and select and uninstall them. If you've paid for these apps and/or their services and subscriptions using a credit card, you can try to claw back the fees from your card issuer. 

But if you paid using Bitcoin or Ethereum tokens, then you're probably not going to get any of that money back. 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.