Fake apps for trading cryptocurrencies from Google Play caught on data theft

    Users of the popular cryptocurrency exchange Poloniex have become the target of a new fraudulent campaign on Google Play. Two applications posing as the exchange's legitimate software were distributed through the store to steal data. The fakes let their operators capture the login and password for the victim's Poloniex account, and for the victim's Gmail account as well.



    Poloniex is one of the leading exchanges, offering trading in more than 100 cryptocurrencies. The popularity of the site attracts scammers of all kinds. In this incident, the attackers took advantage of the fact that the exchange has no official mobile application.

    Against the background of the hype around cryptocurrencies, fraudsters are trying out various methods, from covertly using the computing power of victims' machines to mine cryptocurrency in the browser and infecting unpatched devices, to phishing schemes.

    Malicious applications


    The first malicious application entered Google Play under the name POLONIEX, from the developer "Poloniex". From August 28 to September 19 it was installed by up to 5,000 users, despite mixed ratings and negative reviews.

    The second app, POLONIEX EXCHANGE from POLONIEX COMPANY, appeared on Google Play on October 15 and was installed 500 times. After a warning from ESET, the fake was removed from the store.

    In addition to Google, we also reported the scammers to Poloniex.


    Figure 1. Fake applications on Google Play


    Figure 2. Reviews about one of the applications

    Work principles


    To successfully take over a Poloniex account using a malicious application, the attackers must first obtain the credentials. Next they need access to the email account associated with the compromised exchange account, in order to manage notifications about logins and transactions. Finally, the attackers need the fake application to look convincing and not arouse suspicion.

    Both applications use the same methods to solve these problems.

    Credentials are stolen immediately after the application starts. A fake Poloniex credential entry form is displayed (Figure 3). If the user enters a username and password and taps the Sign In button, the data is sent to the attackers.

    If the user does not use two-factor authentication on Poloniex, the attackers gain access to the account. They can carry out transactions on their own, change settings and lock the user out of the account by changing the password.

    If the user does use two-factor authentication, the account is protected from this takeover. Poloniex provides 2FA through Google Authenticator. The one-time codes required to log in are delivered via text message, voice call or the Google Authenticator application, to which the attackers have no access.
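    The one-time-code mechanism above is worth seeing concretely. The following Python snippet is an added example, not code from ESET, Poloniex or Google: it derives a time-based one-time code the way Google Authenticator does (RFC 6238 over HMAC-SHA1) and shows a server-side check that tolerates one step of clock drift. The secret is the RFC 6238 reference test value, constructed for the demo; the `login` function is a hypothetical stand-in for the exchange's own logic.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference test secret, base32-encoded.
# A real authenticator secret is generated by the service during 2FA enrolment
# and shared only via the QR code; it never passes through a login form,
# which is why a phished password alone does not unlock the account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the time-based one-time code (RFC 6238, HMAC-SHA1) that an app
    such as Google Authenticator derives from the shared secret and the clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                     # number of 30 s steps since epoch
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` steps either side to tolerate clock drift, comparing in constant time."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, submitted_code: str, unix_time: int) -> bool:
    """Hypothetical login decision: a password phished by the fake app is not
    enough on its own; the login also needs a valid code from a device
    holding the secret."""
    return password_ok and verify_totp(DEMO_SECRET_B32, submitted_code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("phished password, no code:", login(True, "", now))
    print("phished password, valid code:", login(True, code, now))
```

    The drift window is deliberately small: each extra step accepted widens the set of codes an attacker could replay, so one step either side is the usual compromise between usability and exposure.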


    Figure 3. Fake login form to steal Poloniex credentials

    Having intercepted the Poloniex username and password, the attackers then try to gain access to the Gmail account. The user is shown a screen that at first glance appears to come from Google, asking them to log into their Gmail account for a "two-step security check" (Figure 4). When the user taps the login button, the malicious application requests permission to view email messages, settings and basic profile information (Figure 5). If the user grants these permissions, the application gains access to incoming emails.

    With access to both the Poloniex account and the associated Gmail account, the attackers can conduct transactions on the user's behalf and delete any notifications of unauthorized logins and transactions from the inbox.


    Figure 4. Gmail account login request


    Figure 5. Malicious application requesting access to mail

    Finally, to make the application appear to work normally, it redirects the user to the mobile version of the legitimate Poloniex website. The site requires the user to log in (Figure 6). After logging in, the user can work with the Poloniex exchange as usual. The application opens the legitimate site every time it starts.


    Figure 6. Mobile version of a legitimate Poloniex website opened by a malicious application

    How to protect yourself?


    If you are a Poloniex user and have installed the applications described above, uninstall them. Be sure to change the passwords for your Poloniex and Gmail accounts and, if possible, enable two-factor authentication.

    Just in case, here are the classic recommendations for preventing infection:

    • make sure that the service really has its own mobile application (with a link to it from the official site)
    • check the application's rating and user reviews
    • pay attention to Google-related notifications and windows that appear while working with third-party applications (fraudsters often exploit users' trust in the "good corporation")
    • use two-factor authentication as an additional (and often decisive) layer of security
    • use a reliable mobile security solution


    ESET antivirus products detect these fake applications as Android/FakeApp.GV.

    Indicators of compromise


