Fake Cryptocurrency Mining Apps Trick Victims Into Watching Ads, Paying for Subscription Service
Due to an increased number of people who are interested in learning about mining cryptocurrency, cybercriminals are actively exploiting people’s interest not just by deploying cryptocurrency-mining malware, but by creating fake Android apps that target those interested in virtual coins.
We recently discovered eight deceptive mobile apps that masquerade as cryptocurrency cloud mining applications (detected by Trend Micro as AndroidOS_FakeMinerPay and AndroidOS_FakeMinerAd), where users can earn cryptocurrency by investing money into a cloud-mining operation. However, upon analysis, we discovered that these malicious apps only trick victims into watching ads, paying for subscription services that have an average monthly fee of US$15, and paying for increased mining capabilities without getting anything in return. We have reported our findings to Google Play, and the apps have been promptly removed from the Play Store.
These are the fraudulent apps that are now no longer available on the Play Store:
- BitFunds – Crypto Cloud Mining
- Bitcoin Miner – Cloud Mining
- Bitcoin (BTC) – Pool Mining Cloud Wallet
- Crypto Holic – Bitcoin Cloud Mining
- Daily Bitcoin Rewards – Cloud Based Mining System
- Bitcoin 2021
- MineBit Pro - Crypto Cloud Mining & btc miner
- Ethereum (ETH) - Pool Mining Cloud
Two of these are even paid apps that users need to purchase; Crypto Holic – Bitcoin Cloud Mining costs US$12.99 to download, while Daily Bitcoin Rewards – Cloud Based Mining System costs US$5.99.
It’s important to note that upon searching the keywords “cloud mining” on Google Play, we still found numerous concerning applications of the same type. Some of these apps have even been downloaded more than 100,000 times.
Based on Trend Micro Mobile App Reputation Service (MARS) data, more than 120 fake cryptocurrency mining apps are still being used by victims. These apps, which do not have cryptocurrency mining capabilities and deceive users into watching in-app ads, have affected more than 4,500 users globally from July 2020 to July 2021. MARS also detects all of these samples as AndroidOS_FakeMinerPay and AndroidOS_FakeMinerAd.
Technical analysis
Apps with no real cryptomining capability
Our analysis of the abovementioned apps confirmed that they did not have any cryptocurrency-mining behaviour. The fake mining activity on the apps’ user interface (UI) is carried out via a local mining simulation module that includes a counter and some random functions.
Despite these apps not being associated with cloud-mining operations or having any cryptocurrency-mining features, some of them prompt users to pay for increased cryptocurrency-mining capabilities via the apps’ in-app billing systems, at prices that range from US$14.99 to as high as US$189.99. The app called Daily Bitcoin Rewards – Cloud Based Mining System prompts its users to upgrade their cryptomining capacity by “buying” their favourite mining machines to earn more coins at a faster rate.
Deception at its finest: Game posing as a cryptomining app
Some of these fraudulent applications are listed under the Play Store’s finance category and are described as cloud mining applications on the applications’ display pages.
However, one of these apps’ terms of use states that the app is merely a game that does not have any cryptocurrency-mining functionality. Hence, it will not be obligated to issue cryptocurrency payments to its users. It also does not guarantee a firm return for any virtual goods and features purchased in the app.
If users relied solely on how the application’s UI is configured and designed and didn’t read the app’s terms of use, they may have used it and made in-app purchases without knowing that it’s just a game.
Fraudulent ad clicks
Our investigation also found that some of these fake cryptomining applications prompted their users to click on ads instead of prodding them to pay for increased computing power. These apps, namely Bitcoin (BTC) – Pool Mining Cloud Wallet and Bitcoin 2021, have the following malicious features:
- The interfaces are flooded with ads.
- Users are prompted to click on ads during fraudulent cryptomining activities to prove that users are not robots.
- Users are informed that they can start mining after viewing video ads within the app.
- Users are told to watch in-app video ads to increase mining speed.
No cryptocurrency withdrawals supported
Unfortunately, even if users browse in-app ads, they won’t get any revenue. Users are prompted to invite several friends to download the app to unlock the withdrawal interface.
However, even after users are able to invite friends and unlock the withdrawal interface, they wouldn’t be able to withdraw cryptocurrency from the app as it is always in a waiting state. For example, the Bitcoin (BTC) – Pool Mining Cloud Wallet app accesses a link that responds to users’ withdrawal requests:
This link is easily accessible on any browser. The cryptocurrency value and withdrawal amount can also be easily altered.
How to recognise a fake cryptocurrency-mining app
The volatility of the cryptocurrency market is not its only risk; those interested in mining cryptocurrency must also be aware of fraudulent cryptocurrency-mining apps.
We provide some helpful tips to determine whether a cryptomining app is fake or otherwise:
- Carefully read the app’s reviews. Fake apps will receive numerous 5-star reviews once they are released publicly, but don't be fooled by these as they may be false and paid-for reviews. Pay more attention to 1-star reviews.
- Try to enter an invalid or wrong cryptocurrency wallet address. After extensive analysis, we found that most of the malicious samples only check that the wallet address is a non-empty value. Hence, if a user enters an invalid wallet address and the app accepts it and is able to perform follow-up operations, there is a high probability that the app is fraudulent.
- Restart the app or phone while it is in the process of mining. Most mining actions for fake apps are just simulated with local counters. This means that if a device is restarted after mining starts and the mining application is killed in the background, the system will forcibly clear the counter, resetting it to zero.
- Confirm if there is a withdrawal fee. The transfer of cryptocurrency requires a handling fee, which is relatively high compared to what is typically made from cloud mining. Hence, free withdrawals are very suspicious.
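The wallet-address tip above can be made concrete with a short check, shown here as an added example that is not code from the report or from any of the apps: it contrasts the non-empty test the report attributes to most samples with a structural Base58Check validation of a legacy Bitcoin address. The function names and sample inputs are constructed for illustration; Bech32 and Ethereum addresses are out of scope.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(data: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    """Used here only to build a well-formed sample address offline."""
    data = bytes([version]) + payload
    data += checksum(data)
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # zero bytes become leading '1's
    return "1" * pad + out

def b58_decode(text: str) -> bytes:
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a Base58 character")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def non_empty_check(address: str) -> bool:
    """The check described in the report: any non-empty value is accepted."""
    return bool(address.strip())

def is_valid_legacy_btc(address: str) -> bool:
    """Structural check: 25 bytes, known version byte, matching checksum."""
    try:
        raw = b58_decode(address)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:-4]) == raw[-4:]

# Constructed sample data, not taken from the report or from any real wallet.
GOOD = b58check_encode(0x00, bytes(range(1, 21)))
PROBES = [GOOD, GOOD[:-1] + ("2" if GOOD[-1] != "2" else "3"), "not-a-wallet", "0000"]

def accepted_but_invalid(addresses):
    """Inputs a non-empty check accepts although they are not valid addresses."""
    return [a for a in addresses if non_empty_check(a) and not is_valid_legacy_btc(a)]
```

Every entry returned by `accepted_but_invalid(PROBES)` is a value a legitimate wallet flow should reject, so an app that proceeds with any of them is exhibiting the behaviour the tip describes.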
Trend Micro Solutions
To avoid these types of threats, users can turn to security solutions that can alert users of fraudulent applications. Trend Micro™ Mobile Security blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and protect them from ransomware, fraudulent websites, and identity theft.
For organisations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorised access to apps and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of compromise (IoCs)
AndroidOS_FakeMinerPay
| Package name | App name | Number of downloads (prior to being taken down) |
| --- | --- | --- |
| com.btc.bitcoin.mining.crypto.miner.android.minebitpro | MineBit Pro - Crypto Cloud Mining & btc miner 1.0 | 1,000+ |
| com.bucks.cryptoholic.activity | Crypto Holic – Bitcoin Cloud Mining | 500+ |
| com.serverpoolbtc.cryptocloudmining.freebitcoincashwallet | Bitcoin (BTC) – Pool Mining Cloud Wallet | 5,000+ |
| com.task.cryptocloudpro | BitFunds – Crypto Cloud Mining | 100,000+ |
| com.serverpooleth.cryptocloudmining.freewalletethereumcash | Ethereum (ETH) - Pool Mining Cloud | 1,000+ |
| com.freebitcoin.reward.system | Daily Bitcoin Rewards – Cloud Based Mining System | 200+ |
| com.wMiningForever_13689132 | Mining Forever | 10,000+ |
| com.wEthProMiner_13688903 | Eth Pro Miner | 10,000+ |
AndroidOS_FakeMinerAd
| Package name | App name | Number of downloads (prior to being taken down) |
| --- | --- | --- |
| cloud.pro.btccrypto2021 | Bitcoin 2021 | 5000+ |
| cryptominer.bitcoinminer | Bitcoin Miner – Cloud Mining | 50000+ |