Fake Cryptocurrency Apps Steal User Data

Poloniex is the largest exchange service in the world, with over a hundred types of cryptocurrencies available for trading and buying; however, it has been gaining a bad reputation rather quickly.

In August 2017, a security researcher was able to bypass Poloniex’s 2FA (two-factor authentication) by finding a Reddit thread dubbed “Poloniex2FASucks.” The researcher sold the vulnerability 60 days after informing the company about it and receiving no response.

According to a different security researcher, “Poloniex users are being targeted by two fake credential-stealing applications that appear to be legitimate Poloniex Android apps.” The apps were available on legitimate platforms such as the Google Play Store. They are capable of stealing victims’ login credentials and can gain access to the victims’ Gmail accounts, giving the attackers control.

It is worth noting that Poloniex does not have an official mobile app released yet. The first app is called “POLONIEX” which is published by a developer named Poloniex. The app is available on the Google Play Store and was downloaded more than 5,000 times during this past September. The other app is called “POLONOEX EXCHANGE” and was uploaded to the Google Play Store on October 15, 2017 with 500 downloads.

Both apps have been removed from the Google Play Store.

The two apps use the same attack method: each asks for Poloniex login credentials as soon as the app is launched. The method succeeds if the victim has not enabled 2FA on the Poloniex account.

The attackers then go after the Gmail account. The victim is shown a message that appears to be from Google, asking the user to enter their login credentials to complete a two-step security check. Once the user clicks sign in, the app requests permission to access the email messages and settings as well as to view the basic profile. If the permission is granted, the app gains access to the inbox. From there, the attackers make transactions through the Poloniex account while deleting every indication of unauthorized access and transactions from the inbox, so the victim sees no confirmation or alert emails.
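As an added illustration (not code from the original post), the following small Python detector works over constructed, audit-style records of third-party OAuth grants and flags any grant that combines the three permission areas described above (mailbox access, mailbox settings, basic profile) from a client that is not on an allowlist. The scope strings are Google's published Gmail and OpenID scopes; the record layout, client identifiers and sample data are assumptions made for this example.

```python
from dataclasses import dataclass

# Google scope identifiers matching the three areas the fake app asked for:
# read the mailbox, change its settings, and view the basic profile.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
SETTINGS_SCOPES = {"https://www.googleapis.com/auth/gmail.settings.basic"}
PROFILE_SCOPES = {"openid", "profile", "email"}


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str        # OAuth client that received the token (assumed field)
    scopes: frozenset     # scopes the user consented to


def risk_reasons(grant, trusted_clients):
    """Reasons a grant resembles the fake-app pattern; empty list if benign."""
    if grant.client_id in trusted_clients:
        return []
    wants_mail = bool(grant.scopes & MAIL_SCOPES)
    wants_settings = bool(grant.scopes & SETTINGS_SCOPES)
    wants_profile = bool(grant.scopes & PROFILE_SCOPES)
    reasons = []
    if wants_mail:
        reasons.append("unknown client granted mailbox access")
    if wants_mail and wants_settings:
        reasons.append("mailbox access plus settings (can hide or forward mail)")
    if wants_mail and wants_settings and wants_profile:
        reasons.append("full pattern: mail + settings + profile from one unknown client")
    return reasons


def flag_grants(grants, trusted_clients):
    """Map user -> reasons, for every grant with at least one reason."""
    flagged = {}
    for g in grants:
        reasons = risk_reasons(g, trusted_clients)
        if reasons:
            flagged[g.user] = reasons
    return flagged


# Constructed sample records (not real log data).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "calendar-sync.trusted",
          frozenset({"profile", "https://www.googleapis.com/auth/gmail.readonly"})),
    Grant("bob@example.com", "unknown-app-12345",
          frozenset({"openid", "profile", "https://mail.google.com/",
                     "https://www.googleapis.com/auth/gmail.settings.basic"})),
    Grant("carol@example.com", "unknown-app-99999", frozenset({"openid", "email"})),
]
TRUSTED_CLIENTS = {"calendar-sync.trusted"}

if __name__ == "__main__":
    for user, reasons in flag_grants(SAMPLE_GRANTS, TRUSTED_CLIENTS).items():
        print(user, "->", "; ".join(reasons))
```

Only the grant that combines mailbox, settings and profile access from an unlisted client is reported; a trusted client with the same scopes, or an unknown client asking only for profile data, is not.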

Users are strongly advised to change their passwords as soon as possible and to remove the apps from their devices.