A recent blog post published by Lukas Stefanko, a malware analyst at IT security firm ESET, points out that on Google’s Play store – the most popular Android operating system app store – two fake Poloniex mobile apps were listed, and managed to get thousands of users to install them before being removed.
The apps reportedly harvested Poloniex users’ login credentials, and then attempted to compromise their Gmail accounts to delete security emails and bypass two-factor authentication (2FA) methods. Poloniex, one of the world’s leading cryptocurrency exchanges, does not have an official mobile app, but has an optimized mobile website – and fraudsters took advantage of that gap.
ESET found two malicious apps that were removed by Google, but a third one might still be available on the Google Play store. How many users were tricked, and how much cryptocurrency was stolen, is unknown.
One of the malicious apps found on the Android app store was named “POLONIEX” and was published by a developer named “Poloniex.” It was active for about a month and managed to get up to 5,000 users to install it, despite polarized reviews. The second one, “POLONIEX EXCHANGE” published by developer “POLONIEX COMPANY” got as many as 500 downloads before Google removed it.
These two apps essentially displayed a fake Poloniex page asking the user to login. Once users entered their credentials, these were sent to the attackers. If the trader didn’t have 2FA enabled, attackers had access to the account at this point, and could either withdraw everything, or lock the trader out by changing the password.
Then, a bogus Google prompt would be shown, asking users to sign in to their Google account as a “two-step security check.” Once users clicked “Sign in” they would be asked to grant the app permission to access email messages and settings, which would then allow the fraudsters to delete security emails.
After stealing user credentials, all the app did was take users to Poloniex’s legitimate mobile website. Users who enabled 2FA were safe, as the attackers couldn’t access people’s SMS messages or Google Authenticator app.
Third malicious Poloniex app out there?
At press time, a third seemingly fraudulent application is available for download on Google’s Play store. It’s named “Poloniex – Bitcoin/Digital Asset Exchange,” and it’s published by a developer going by “MIT Service.” It was recently updated and has between 1,000 and 5,000 installations.
There’s no reason to believe that the Massachusetts Institute of Technology created a Poloniex app or is affiliated with the situation in any way. The app has a polarized concentration of one-star and five-star reviews, pointing to a possible scam. Moreover, the developer has other apps, including one for Bittrex exchange, with one-star reviews – another red flag.
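The red flags described above (a brand name used by an unofficial developer, a service that has no official app at all, and a rating histogram split between one- and five-star reviews) can be turned into a simple triage check. The following script is an added example written for this article, not code from ESET or Poloniex; the listings, rating counts and the 80% polarization threshold are constructed assumptions, not data from the Play store.

```python
"""Triage heuristic for spotting likely impostor app listings.

Constructed example: the listings below are invented for illustration,
loosely modelled on the red flags described in the article.
"""
from dataclasses import dataclass


@dataclass
class Listing:
    name: str            # app title as shown in the store
    developer: str       # publisher name as shown in the store
    ratings: dict        # star value (1..5) -> number of reviews (constructed)
    installs: int        # lower bound of the displayed install bracket


def polarization(ratings: dict) -> float:
    """Share of reviews that are either one-star or five-star.

    A legitimate app usually has a hump in the middle; a scam tends to get
    five stars from accomplices and one star from victims, with little between.
    """
    total = sum(ratings.values())
    if total == 0:
        return 0.0
    extremes = ratings.get(1, 0) + ratings.get(5, 0)
    return extremes / total


def red_flags(listing: Listing, brand: str, official_app_exists: bool,
              official_publishers: tuple = (), polar_threshold: float = 0.8,
              min_reviews: int = 20) -> list:
    """Return a list of human-readable warnings for a store listing.

    brand: the service being impersonated (e.g. an exchange name).
    official_app_exists: whether the service actually publishes a mobile app.
    official_publishers: developer names known to belong to the service.
    Thresholds are assumptions chosen for this example, not store policy.
    """
    flags = []
    brand_l = brand.lower()
    uses_brand = brand_l in listing.name.lower() or brand_l in listing.developer.lower()

    # Flag 1: the service has no official app, yet a listing carries its name.
    if uses_brand and not official_app_exists:
        flags.append(f"'{brand}' has no official mobile app; any listing using the name is suspect")

    # Flag 2: the developer name borrows the brand but is not a known publisher.
    if brand_l in listing.developer.lower() and listing.developer not in official_publishers:
        flags.append(f"developer '{listing.developer}' uses the brand name but is not an official publisher")

    # Flag 3: polarized ratings, only judged once there are enough reviews to matter.
    total = sum(listing.ratings.values())
    p = polarization(listing.ratings)
    if total >= min_reviews and p >= polar_threshold:
        flags.append(f"polarized ratings: {p:.0%} of {total} reviews are one- or five-star")

    return flags


# Constructed sample listings (not real store data).
SUSPECT = Listing(name="POLONIEX", developer="Poloniex",
                  ratings={1: 40, 2: 3, 3: 2, 4: 5, 5: 50}, installs=1000)
BENIGN = Listing(name="Plain Notes", developer="Acme Software",
                 ratings={1: 5, 2: 10, 3: 30, 4: 40, 5: 15}, installs=1000)


def triage(listings, brand="Poloniex", official_app_exists=False):
    """Map each listing name to its red flags for quick review."""
    return {l.name: red_flags(l, brand, official_app_exists) for l in listings}


if __name__ == "__main__":
    for name, flags in triage([SUSPECT, BENIGN]).items():
        status = "SUSPECT" if flags else "no flags"
        print(f"{name}: {status}")
        for f in flags:
            print(f"  - {f}")
```

The polarization score alone is a weak signal (a genuinely bad app also collects one-star reviews), which is why the check only raises it alongside the stronger facts the article relies on: the service publishes no app, and the developer name is not the service’s own.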
At the end of ESET’s blog post, the firm gives users advice on staying safe: enable 2FA, use a reliable security solution, pay attention to app ratings and reviews, and verify that a service actually offers an official mobile app before installing one.