On October 23, 2017, IT security company ESET published a blog post describing how fake Poloniex mobile apps listed on Google Play (the app store for the Android operating system) are duping unsuspecting users of the cryptocurrency exchange. The apps reportedly harvest login credentials for Poloniex and attempt to compromise the Gmail accounts of victims to bypass two-factor authentication (2FA).
Poloniex does not have an official mobile app. It is unclear exactly how many users have been compromised as a result of these phishing attempts, and it’s not immediately apparent how much cryptocurrency might have been stolen.
So far, two malicious Poloniex apps have been discovered, according to Lukas Stefanko, a malware analyst at ESET.
The first fraudulent app was posted as “POLONIEX” with the developer listed as “Poloniex.” It received as many as 5,000 installations. The second app was posted as “POLONIEX EXCHANGE” and the developer was listed as “POLONIEX COMPANY.” It received as many as 500 installations before being removed when ESET notified Google Play.
A third fraudulent application might have been posted. “Poloniex – Bitcoin/Digital Asset Exchange,” offered by “MIT Service,” was updated on October 18, 2017, and has received between 1,000 and 5,000 installations. There is no reason to believe that the Massachusetts Institute of Technology is affiliated in any way. One indication of the app’s questionable authenticity is the polarized concentration of one-star and five-star reviews.
ESET closed its warning with guidelines for users to protect themselves from fraud:
- Make sure the service you’re using really offers a mobile app – if that’s the case, the app should be linked on the service’s official website
- Pay attention to app ratings and reviews
- Be cautious of third-party apps triggering alerts and windows appearing to be connected to Google – misusing users’ trust towards Google is a popular trick among cybercriminals
- Use 2FA for an additional (and often crucial) layer of security
- Use a reliable mobile security solution; ESET products detect these credential stealers as Android/FakeApp.GV