Cyber-criminals took advantage of popular cryptocurrency exchange Poloniex's lack of an official app to dupe unsuspecting users into downloading credential stealing malware.
ESET security researchers discovered variations of the phony app in the Google Play store on two separate occasions, the first published under the developer name “Poloniex” and was downloaded up to 5,000 times between 28 August 2017, and 19 September 2017, despite having bad reviews, according to a 23 October blog post.
A second app named, “POLONIEX EXCHANGE” using the developer name “POLONIEX COMPANY” was spotted on 15 October 2017, and was downloaded by up to 500 users.
The phony app sought to harvest Poloniex login credentials as well as to trick victims into making their Gmail accounts accessible to the malicious app allowing them to control notifications to the user about unauthorised logins and transactions. Once exploited, the app attempts to appear functional by redirecting users to the mobile version of the legitimate Poloniex website.
“If you're a Poloniex user and have installed any of these malicious apps on your device, start by uninstalling them,” researchers said in the post. “Make sure to change both your Poloniex and Gmail passwords and consider enabling 2-factor-authentication for both services.”
Both Google and Poloniex have been notified of the malicious imposters. To prevent similar attacks, researchers recommend users always check to ensure companies actually offer mobile apps before downloading, pay attention to app ratings and reviews, and be cautious of third party apps triggering alerts and windows appearing to be connected to Google.