July 6, 2021

BitScam & CloudScam: Crypto Scamming Apps

How Lookout Detects and Protects

Cybercriminals often use legitimate capabilities to obfuscate malicious activity. An app's true intentions are frequently hidden in its data access permissions and behaviors, and even then they can be difficult to uncover without the right tools. Static and dynamic analysis of the industry’s largest mobile dataset enables Lookout researchers to protect customers by continuously discovering and researching new threats. Devices with Lookout installed can detect and be alerted to these two families as well as any other apps with risky functionality built in.

To learn more about the technical specifications of this campaign, including IOCs, read the full article here.

Key Findings

  • These families enable threat actors to use legitimate functionality to carry out scams.
  • The apps that were on the Play Store have been removed, but hundreds more still exist on third-party app stores.
  • Indicators of Compromise (IoCs) for both families are available here.

Background and Discovery

Researchers at Lookout have discovered almost 200 Android apps, including 25 on the Play Store, scamming cryptocurrency investors out of money. The apps advertise that they provide crypto mining services for a fee, but upon further analysis Lookout researchers discovered no mining takes place and these services are never delivered.

Capabilities and Affected Parties

BitScam and CloudScam, which are the two families behind the discovered apps, are able to fly under the radar because they don’t actually execute any malicious code. By using legitimate payment processes, the families enable these apps to collect money for services that don’t exist. Even though the apps that were found on the Play Store have been removed, the others are still circulating on third-party app stores. In addition, while BitScam and CloudScam have now been exposed, threat actors could continue to build apps with these families and create evolved versions to try to elude security tools.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Entry Type
Threat Guidances
Threat Type
Crimeware
Platform(s) Affected
Android
Discovered By
Lookout

