Google Removes Fake Cryptomining AppsResearchers Say Users Paid Fees for Fake Mining Services
Google has removed eight fake cryptomining mobile apps from its Play Store, but researchers at security firm Trend Micro have flagged 120 other apps on users' phones purporting to also be cryptomining. Users of the eight apps paid for cryptomining services that were never delivered, the researchers say.
Each of the de-listed apps on Play Store required user fees - including several apps that charged for initial download along with monthly subscriptions. Some offered in-app purchases portrayed as improving services.
Some of the apps that were taken down flooded users with in-app advertising and urged crypto enthusiasts to personally market the apps, the security firm says.
Apps flagged by the researchers "affected 4,500 users globally" between July 2020 and July 2021, according to Trend Micro's Mobile App Reputation Service.
The security firm says some users paid recurring subscription fees that averaged $15 per month, along with other miscellaneous charges of about $200 per transaction that promised increased mining capabilities.
Google did not immediately reply to a request for comment.
Crypto App Nuances
De-listed apps include:
- BitFunds - Crypto Cloud Mining;
- Bitcoin Miner - Cloud Mining;
- Bitcoin (BTC) - Pool Mining Cloud Wallet;
- Crypto Holic - Bitcoin Cloud Mining;
- Daily Bitcoin Rewards - Cloud Based Mining System;
- Bitcoin 2021;
- MineBit Pro - Crypto Cloud Mining and btc miner;
- Ethereum (ETH) - Pool Mining Cloud;
"The fake mining activity on the apps' user interface is carried out via a local mining simulation module that includes a counter and some random functions," Trend Micro researchers say. "Some of these apps prompt users to pay for increased cryptocurrency-mining capabilities via in-app billing systems that range from $14.99 to as high as $189.99."
The Daily Bitcoin Rewards - Cloud Based Mining System app also prompted users to "upgrade" their mining capacity by "buying their favorite mining machines" to earn coins faster, Trend Micro says.
Trend Micro says deceptive cryptomining apps can be detected by tracking user reviews, testing the system with an invalid cryptocurrency wallet address and confirming if there are associated handling fees, because free services "are very suspicious."
YouTube's MFA Requirement
Elsewhere at Google, the company now says YouTube's Partner Program - which allows content creators to monetize their videos and share advertising revenue - will be locked to creators that do not enable two-step verification by Nov. 1. This applies to the content creators and "anyone with any level of access to the channel," Google says.
"Google's decision to require two-step verification for creators in its YouTube Partner Program is a welcome security advancement," says Neil Jones, a cybersecurity evangelist focused on governance, mobile app security and other areas.
"Bigger-picture, more and more providers will implement multifactor authentication requirements, as recent studies show that approximately three out of five data breaches originate from compromised credentials," says Jones, who is a senior governance manager with the security firm Egnyte. "It's especially reassuring to see that Google is considering the security implications of account logins across its platform."
The YouTube update follows a May announcement in which Google indicated that it would soon be auto-enrolling Gmail and Google Account users into multifactor authentication/two-step verification.