The open web can be a dangerous place for cryptocurrency users. Phishing, trojans, and social engineering all come with the territory, ensuring that even the savviest of bitcoin-holders must remain alert. Within the walled gardens of Apple and Google’s app stores, however, there’s an assumption that if a mobile app has been vetted and downloaded in the thousands, it must be safe. That assumption couldn’t be further from the truth, as scores of users have discovered to their peril.
Fake Apps with Real Consequences
Neither Google Play nor the App Store is immune from its share of fake, spammy, or fraudulent apps. But it is Android users who tend to suffer most at the hands of unscrupulous developers. One of the most egregious apps, which has hoodwinked thousands of users, is simply named Poloniex. Despite purporting to be the “Poloniex ® Offical App” [sic] of the popular cryptocurrency exchange, it is nothing of the sort. Its description boasts of such features as “Possible powerfull [sic] exchange BTC or altcoins.”
Seems legit. Isn’t legit.
For users only taking a cursory glance at the app before hitting “Download”, it is easy to be taken in by the familiar logo and screenshots from the trading platform. A close inspection reveals a string of typos, suggesting that all is not right, an assessment which is borne out by the app’s average rating of just one star, based on 162 reviews.
The average web user might think twice before clicking on a suspicious email link, but will scarcely scrutinize the top result that appears in an app store. Judging by the hundreds of disgruntled comments, the “Poloniex ® Offical App” does nothing more than steal users’ account credentials followed by their coins.
Who’s to Blame?
Screenshots of the fake app, complete with typos.
The Poloniex app is by no means the only fraudulent one of its kind: there are at least five apps bearing the Poloniex name on Google Play alone. One of the reasons Poloniex has been so easy to impersonate is that the exchange lacks its own official mobile app. This leaves a void which scammers have been only too happy to fill. If Poloniex were to issue its own app, as most of its peers from Coinbase to Bitfinex have done, it would eliminate or bury most of the imitations in one fell swoop.
It would also help if Poloniex did more to distance itself from third-party apps; its Twitter account hasn’t passed comment on the matter since early 2016, and thousands of users have since been duped. The blame game doesn’t stop there though: Google Play also deserves criticism for not weeding out these apps and, to a lesser extent, users should be more alert to the signs that such apps are blatantly fake.
“Eternal vigilance is the price of liberty – power is ever stealing from the many to the few.” Those words were written by Wendell Phillips over a century ago, but they apply equally today. Scammers will try every possible attack vector to find a vulnerable target; there have even been reports of fake telephone support lines purporting to be from Coinbase and Kraken. These hoaxes, which typically emanate from India, are merely an updated version of the Windows telephone support scam.
While the cryptocurrency space attracts its share of chancers, this problem is not isolated to it. Over one million people downloaded a fake version of WhatsApp from the Google Play store, while the BankBot malware, which steals passwords and 2FA details, has been removed from the store twice by Google, only to show up again, most recently under the name ‘Crypto currencies market prices’.
Stay Safe and Think Before You Click
Users seeking to install a mobile app for their preferred cryptocurrency exchange, ticker or wallet would be advised to click on links from the official exchange, ticker or wallet site rather than risk stumbling upon a fraudulent version within an app store. Even when clicking on legitimate links, however, it pays to be cautious.
One security company recently inspected the 90 most popular Android cryptocurrency apps, which have millions of downloads. Their findings? 94% used outdated encryption, 66% didn’t use encryption at all and 44% used hard-coded passwords stored in plain text.
While Apple’s ecosystem isn’t entirely squeaky clean, the bulk of the issues with fraudulent or poorly coded apps emanate from Android. Cryptocurrency holders who cherish their security may decide the safest bet is to reserve their trading for desktop and keep their cell phone for price checks.
Who do you think should bear the blame for users installing fraudulent apps? Let us know in the comments section below.
Images courtesy of Shutterstock.