Hackers are targeting users of the cryptocurrency exchange Poloniex, with two credential-stealing apps that masquerade as official mobile apps for the service.
ESET researchers discovered them on Google Play, built to not only harvest Poloniex login credentials, but also to trick victims into making their Gmail accounts accessible.
“Poloniex is one of the world’s leading cryptocurrency exchanges with more than 100 cryptocurrencies in which to buy and trade,” the researchers said, in a blog. “With all the hype around cryptocurrencies, cyber-criminals are trying to grab whatever new opportunity they can—be it hijacking users’ computing power to mine cryptocurrencies via browsers or by compromising unpatched machines, or various scam schemes utilizing phishing websites and fake apps.”
Both apps work the same way: First, they display a bogus screen requesting Poloniex login credentials, which are then sent on to the attackers. With the logins in hand, attackers can carry out transactions on the user’s behalf, change their settings or even lock them out of their account by changing their password.
The next step is a prompt, seemingly on behalf of Google, asking the user to sign in with their Google account “for two-step security check.” The apps then ask for permission to view the user’s email messages and settings, and basic profile info. If the user grants the permissions, the app gains access to their inbox.
“With access to the user’s Poloniex account as well as to the associated Gmail account, the attackers can make transactions using the compromised account and erase any notifications about unauthorized login and transactions from the victim’s inbox,” the researchers said.
Users with two-factor authentication enabled are safe from attack.
Finally, in order to appear functional, the malicious app directs the user to the mobile version of the legitimate Poloniex website, which requests the user to sign in. After logging in, the user can access and use the legitimate Poloniex website. From then on, the app will only open the legitimate website each time it’s launched. Users are thus none the wiser that criminals have duped them—until money starts disappearing from their accounts.
The first app the security team analyzed was an app simply dubbed POLONIEX, published under the developer name Poloniex. It saw 5,000 installs between August 28 and September 19, despite mixed ratings and bad reviews.
The second app, similarly named POLONIEX EXCHANGE and published under the developer name POLONIEX COMPANY, appeared on Google Play on October 15 and reached up to 500 installs last week.
Both apps were removed from Google Play after ESET notified Google.