According to a recent report published by the cybersecurity firm ESET, two malicious Android apps were recently removed from the Google Play store. Both were made to look like the official app of the popular cryptocurrency exchange Poloniex in an attempt to harvest user credentials and, presumably, steal funds.
The apps, in what was essentially a phishing scam, took advantage of the fact that Poloniex has no official mobile application, only a mobile-optimized website. They used Poloniex’s logo and visual identity to pose as an official app, and once credentials had been stolen they simply redirected users to the exchange’s mobile website.
Out of the two, the most popular app was named “POLONIEX,” was created by a developer named “Poloniex,” and managed to get as many as 5,000 users to install it. It was available on Google Play for about a month before being removed.
The other app, named “POLONIEX EXCHANGE,” was published by “POLONEX COMPANY” and reached only about 500 installs before being removed. After finding out about the existence of these apps, ESET informed Google, which removed them, as well as Poloniex.
Both apps worked the same way. After being launched, they asked users to enter their Poloniex login credentials on a phishing page, and then showed users a fake Google prompt asking them to sign in to their Google account for a “two-step security check,” which requested permission to view the user’s email messages, settings, and basic profile information.
Entering their credentials gave the app’s operators enough to take over a user’s Poloniex account, and granting the app permissions through the false Google prompt allowed them to transact freely on the stolen accounts, since they could then delete the security emails about unauthorized logins or withdrawals. ESET’s post reads:
“With access to the user’s Poloniex account as well as to the associated Gmail account, the attackers can make transactions using the compromised account and erase any notifications about unauthorized login and transactions from the victim’s inbox.”
Notably, users who had set up two-factor authentication (2FA) and who may have fallen for the phishing scam should be safe, as the bad actors could not access users’ Google Authenticator apps. Nevertheless, affected users are advised to revoke the granted access and to immediately change their Google and Poloniex passwords.
Other malicious Poloniex apps
ETHNews noted that a third fraudulent Poloniex app may be available on the Google Play store. It’s called “Poloniex – Bitcoin/Digital Asset Exchange” and is offered by a developer dubbed “MIT Service.” As the outlet notes, there’s no reason to believe that the Massachusetts Institute of Technology is affiliated with it. It already has between 1,000 and 5,000 downloads, and also mirrors Poloniex’s mobile website.
In the past, other fake Poloniex apps have been spotted on other platforms, so much so that the exchange’s operators warned users not to use them.
WARNING: We've received reports of a phishing email that links to an impostor site offering a Poloniex desktop application. It is malicious.
— Poloniex Exchange (@Poloniex) May 31, 2016
To stay safe, ESET advised users to verify that a service actually offers an official mobile app before installing one, to always pay attention to app ratings and reviews, and to use 2FA. Moreover, users should be wary of Google sign-in prompts, as cybercriminals have been known to exploit Google’s trustworthy reputation.