Crypto scam: Nearly 100,000 people fleeced by fake cryptomining apps
More than 170 bogus apps give you nothing for something
If some of your cryptocurrency-crazy friends seem a little more sheepish than usual today, it may be because they were scammed by bogus Android apps that promised cloud-based mining services — but delivered nothing.
Mobile security firm Lookout revealed this morning (July 7) that it had found more than 170 different Android apps, 25 of which were in Google Play, that "advertise themselves as providing cloud cryptocurrency mining services for a fee."
But, Lookout researcher Ioannis Gasparis said in the company's report, "we found that no cloud crypto mining actually takes place."
"Based on our analysis, they scammed more than 93,000 people and stole at least $350,000 between users paying for apps and buying additional fake upgrades and services," said Gasparis.
These scams largely went undetected because they're not malicious. They don't steal data or install malware. Google's malware detectors won't pick them up, and neither will the best Android antivirus apps.
"In fact, they hardly do anything at all," Gasparis wrote. "They are simply shells to collect money for services that don't exist."
A side of virtual hardware with that?
The apps seem to fall into two different groups based on their code, Lookout said, indicating that multiple groups of scammers are cashing in on the cryptocurrency craze.
The "BitScam" group of apps took payment for subscriptions, services and in-app upgrades in Bitcoin and Ethereum tokens (technically violating Google Play's terms of service), while the "CloudScam" group took regular credit-card payments. Upgrades cost as much as $250 for a "virtual hardware" package.
However, both sets of apps blocked users from actually withdrawing any of their "mined" coins. If you tried to withdraw some cryptocash, you'd be told that your balance wasn't high enough to allow that.
All 25 of these scam apps that were in Google Play have been removed, Lookout said, but those and about 150 others can still be found in "off-road" app stores. Lookout has published a full list of the scam apps.
What you can, and can't, do about this
Needless to say, if you have any of these apps on your Android phone, go into Settings > Apps & Notifications and select and uninstall them. If you've paid for these apps and/or their services and subscriptions using a credit card, you can try to claw back the fees from your card issuer.
But if you paid using Bitcoin or Ethereum tokens, then you're probably not going to get any of that money back.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.