Two credential-stealing apps disguised as legitimate Poloniex mobile apps have been discovered on Google Play (Google, TICKER: GOOGL.NASDAQ), WeLiveSecurity reported.
Apart from harvesting popular cryptocurrency exchange Poloniex login credentials, the fake apps also try to trick victims into making their Gmail accounts accessible to the attackers.
The first of the malicious apps sneaked into Google Play under the name “POLONIEX”, published under the developer name “Poloniex”. Between August 28, 2017 and September 19, 2017, the app was installed by up to 5000 users, despite mixed ratings and bad reviews.
The second app, “POLONIEX EXCHANGE” with the developer name “POLONIEX COMPANY”, appeared on Google Play on October 15, 2017 and reached up to 500 installs before being removed from the store after ESET notified Google Play.
To successfully take over a Poloniex account using one of the malicious apps, the attackers first need to obtain credentials for the account. Afterwards, they need to gain access to the email account associated with the compromised Poloniex account to control notifications about unauthorized logins and transactions.
Finally, the attackers need to make their app appear functional so as to lower any suspicion they might have raised in the process.
Both apps use the same method to achieve this. The credential stealing takes place right after the user launches one of the apps.