ESET is warning users of the Poloniex exchange that malicious apps on the Google Play store are trying to take over their accounts. The apps harvest users' credentials during their initial setup screens and then redirect users to the exchange's mobile website. Meanwhile, the criminals log in with the stolen credentials, take control of the accounts and empty them.
Poloniex App Malware
Between the end of August and the middle of October, two different malware apps were released to Google Play and installed by thousands of Android users, as reported on the blog of the Irish branch of the computer security company ESET.
The apps used phishing screens with authentic-looking images, layouts and instruction text to convince users to enter both their Poloniex exchange credentials and their Gmail credentials. Poloniex was targeted not only because it is a popular Bitcoin and altcoin exchange, but also because the company has yet to release any official mobile app, so users had no legitimate app to compare against.
Although the number of installations is known, it has not yet been assessed how many users actually had their accounts compromised, or how much cryptocurrency may have been stolen.
The Offending Apps
From August 28, 2017, until its removal on September 19, 2017, a malicious app called “POLONIEX” from a publisher simply called “Poloniex” was installed by as many as 5,000 users. A second app called “POLONIEX EXCHANGE” from “POLONIEX COMPANY” was released on October 15, 2017, and gained nearly 500 downloads before being removed from the Google Play store.
Both operated in the way described above. Poloniex users who had enabled 2FA were protected, however: the phishing screens had no way to capture the secret seed that was shared only when 2FA was set up, and the attackers could not turn 2FA off, since doing so itself requires a one-time passcode generated from that seed.
At least two more suspicious apps have been released and are still available for download. One is called “Poloniex – Bitcoin/Digital Asset Exchange”, the other “POLONIEX ®”. Both have poor ratings and highly critical reviews. In each case the listed support email points to a poloniex.com address to make the app appear authentic, even though Poloniex has no official mobile app.
What You Can Do
First, if you have any of these apps installed, delete them immediately. Even if you never entered anything into them, consider changing both your Poloniex and your Gmail passwords. In addition, ESET made the following recommendations:
- Make sure the service you’re using really offers a mobile app – if that’s the case, the app should be linked on the service’s official website
- Pay attention to app ratings and reviews
- Be cautious of third-party apps triggering alerts and windows that appear to come from Google – misusing users' trust in Google is a popular trick among cybercriminals
- Use 2FA for an additional (and often crucial) layer of security
- Use a reliable mobile security solution; ESET products detect these credential stealers as Android/FakeApp.GV
The importance of using 2FA cannot be overstated. In this scam it clearly protected users, and you should always enable it where available. Note that a second step delivered by SMS or email (often labelled Two-Step Verification, 2SV) is weaker than a code generated by an authenticator app from a locally held seed: if the verification codes are sent to the same Gmail account that was just phished, the criminals can read those codes and clear the check themselves.
This points to two other good security practices: do not reuse passwords across services, and do not use the same email address as both the login and the recovery or verification channel for every account.
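To make concrete why TOTP-based 2FA defeated this phishing flow while a password alone did not, here is an added example (written for this article; it is not ESET's, Poloniex's or the malware's code). It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and checks a constructed demo account (`alice`, the RFC test seed `12345678901234567890`, a SHA-256 password hash used only to keep the example dependency-free) against three situations: phished username and password with no code, a captured code replayed two minutes later, and a fresh code computed from the seed. The `login` and `disable_2fa` functions and the account layout are assumptions for the demonstration, not any real service's API.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account; not real Poloniex data. A real service would use
# a slow password hash (bcrypt/argon2); SHA-256 keeps this example dependency-free.
ACCOUNT = {
    "username": "alice",
    "password_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
    # The TOTP seed is shown once at enrolment (QR code / base32 string) and
    # never again; a phishing login screen has no way to obtain it.
    "totp_secret": b"12345678901234567890",  # RFC 4226 / RFC 6238 test seed
    "totp_enabled": True,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock
    drift); compare in constant time. A code captured earlier is useless
    once the window has passed."""
    if not isinstance(code, str) or not (code.isascii() and code.isdigit()):
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


def login(account: dict, username: str, password: str, code, at: int = None) -> bool:
    """True only if the password is right AND, with 2FA on, a fresh TOTP
    code is supplied. Phished username/password alone is not enough."""
    at = int(time.time()) if at is None else at
    if username != account["username"]:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, account["password_hash"]):
        return False
    if account["totp_enabled"]:
        return code is not None and verify_totp(account["totp_secret"], code, at)
    return True


def disable_2fa(account: dict, code: str, at: int = None) -> bool:
    """Turning 2FA off itself requires a current code, so an attacker holding
    only the password cannot strip the protection from the account."""
    at = int(time.time()) if at is None else at
    if not verify_totp(account["totp_secret"], code, at):
        return False
    account["totp_enabled"] = False
    return True


def demo() -> dict:
    """Run the three phishing scenarios at a fixed time so results are reproducible."""
    t0 = 1_500_000_000
    pw = "correct horse battery staple"  # the phished password
    fresh = totp(ACCOUNT["totp_secret"], t0)  # what the victim's authenticator shows now
    return {
        "phished_password_only": login(ACCOUNT, "alice", pw, None, t0),
        "replayed_code_2min_later": login(ACCOUNT, "alice", pw, fresh, t0 + 120),
        "fresh_code": login(ACCOUNT, "alice", pw, fresh, t0),
        "disable_2fa_without_code": disable_2fa(ACCOUNT, "000000", t0),
    }


if __name__ == "__main__":
    print(demo())
```

Only the scenario with a code computed from the seed within the 30-second window succeeds; the phished password alone and a replayed code both fail, and 2FA cannot be switched off without a current code, which is exactly the protection the article describes. The general caveat is that this holds only as long as the attacker cannot obtain a code inside the validity window: a seed that was itself phished, or codes delivered to an email account the attacker already controls, reduce the second factor to the weaker 2SV situation described above.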