Security

Cyber-crime

Beware cool-looking beta crypto-apps. They may be money-stealing fakes

Try out a hot new thing before official launch? Something smells phishy


The FBI has warned of a scam in which criminals lure people into installing what they think are pre-release beta-grade phone apps to try out – only for the software to be laced with malware.

That malicious code may steal data from devices, access and drain online financial accounts, or completely hijack the handhelds.

By dressing up these apps as beta tests, crooks can persuade curious netizens to download and install them from outside the normal app stores, bypassing whatever passes as a review process these days. The fraudsters make sure the applications look as legit as possible, we're told, using names, images, and designs found in official apps.

The Feds say they're aware of "unidentified cyber criminals" luring marks with phishing emails or romance scams; the end result being the scammers build up a level of trust – even fake relationships – with their victims to the point where those folks are tricked into downloading and installing malicious apps.

That process may well involve walking the victim through effectively jail-breaking their device, or making changes to their settings to install apps outside of the operating system's official software store, judging from the FBI's description of the scam. The Feds talk of people being lured into downloading "a mobile beta-testing app housed within a mobile beta-testing app environment."

Unsurprisingly, these bogus apps tend to be those of cryptocurrency exchanges, with promises of fat returns on investment. The victims are fooled into entering their online financial account information into the application, believing those details will be used to transfer and invest their money, but instead the funds are sent to criminal-controlled wallets.

It's essentially a fresh twist on so-called pig-butchering scams, which the FBI has been warning about for a couple of years and which are costing victims hundreds of millions of dollars.

In today's alert, the FBI also suggested some red flags that may indicate you've unknowingly downloaded a malicious app.

These include the battery draining faster than usual, or the device taking a really long time to process requests. Folks should also be on alert for unauthorized apps appearing on their phones, apps that request access to permissions that have nothing to do with their functionality, and persistent pop-up ads.

It says something about the mobile software ecosystem when the above red flags could apply to real legit applications.

Additionally, apps that boast a ton of downloads but have no or very few reviews, and those with spelling or grammatical errors or a lack of details in the description are highly suspect, the agents said. Download at your own risk — or, better yet, just don't download them at all.
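The red flags above (permissions unrelated to an app's purpose, a huge download count with almost no reviews, a thin or error-strewn description, and installation from outside the official store) can be turned into a simple triage check. The following is an added example, not code from the FBI alert or from The Register; the category-to-permission baseline and the download/review ratio threshold are assumptions chosen for illustration, and the two app listings are constructed sample data.

```python
"""Triage heuristics for the app red flags listed in the FBI alert.

Added example; the EXPECTED baseline and the thresholds are assumptions.
"""
from dataclasses import dataclass

# Android permissions that give an app reach well beyond what a wallet,
# exchange or banking client needs. Real permission identifiers.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Assumed baseline of permissions a given category plausibly needs.
# This is an illustrative table, not a standard.
EXPECTED = {
    "finance": {
        "android.permission.INTERNET",
        "android.permission.CAMERA",        # QR codes, cheque capture
        "android.permission.USE_BIOMETRIC",
    },
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}

# Assumed threshold: fewer than one review per 1,000 downloads is suspicious.
REVIEWS_PER_DOWNLOAD = 1 / 1000


@dataclass
class AppListing:
    name: str
    category: str
    permissions: set
    downloads: int
    reviews: int
    description: str
    sideloaded: bool  # installed from outside the platform's official store


def unexpected_permissions(app: AppListing) -> list:
    """Sensitive permissions the app's category gives no reason to request."""
    baseline = EXPECTED.get(app.category, set())
    return sorted(p for p in app.permissions if p in SENSITIVE and p not in baseline)


def triage(app: AppListing) -> list:
    """Return a list of red-flag findings; an empty list means none triggered."""
    findings = []
    for perm in unexpected_permissions(app):
        findings.append(f"requests {perm} unrelated to a {app.category} app")
    if app.downloads >= 10_000 and app.reviews < app.downloads * REVIEWS_PER_DOWNLOAD:
        findings.append(f"{app.downloads} downloads but only {app.reviews} reviews")
    if len(app.description.split()) < 40:
        findings.append("description lacks detail")
    if app.sideloaded:
        findings.append("installed outside the official app store")
    return findings


# Constructed sample listings (not real apps).
FAKE_EXCHANGE = AppListing(
    name="CoinVault Beta",
    category="finance",
    permissions={
        "android.permission.INTERNET",
        "android.permission.READ_SMS",                   # reads 2FA codes
        "android.permission.BIND_ACCESSIBILITY_SERVICE",  # overlays/automation
    },
    downloads=500_000,
    reviews=3,
    description="Best crypto app. Guaranteed big profit fast.",
    sideloaded=True,
)

PLAUSIBLE_BANK = AppListing(
    name="Example Bank",
    category="finance",
    permissions={"android.permission.INTERNET", "android.permission.CAMERA"},
    downloads=2_000_000,
    reviews=48_000,
    description=" ".join(["word"] * 120),  # stands in for a full store description
    sideloaded=False,
)

if __name__ == "__main__":
    for app in (FAKE_EXCHANGE, PLAUSIBLE_BANK):
        print(app.name, "->", triage(app) or ["no red flags"])
```

The checks are deliberately coarse: as the article notes, battery drain or odd permissions can also describe perfectly legitimate software, so the output is a prompt to look closer, not a verdict.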

And, as always, check the developers' info and customer reviews before downloading any app to your mobile device, and do not provide personal or financial information to someone you've only met online. If someone promises you something from basically nothing, it probably is too good to be true.

Banks, healthcare offices, and other legit organizations also aren't going to ask you to provide personal, financial, or health-related information in an email – if they do, tell them that's unacceptable – and warnings out of the blue along the lines of "do X or your account will be closed" are likely fake. Double check with the source.

Other advice to live by: don't trust links in emails or text messages, and scan attachments before opening them. Keep your software up to date, restrict app permissions, and uninstall apps you don't use. Feel free to share more tips in the comments section. This isn't an exhaustive list, though it does feel a little "to be safe on the internet, don't do anything. At all."

Which we know isn't entirely helpful.

Here's hoping this heads-up will help you avoid becoming one of the hundreds of thousands of victims who lost more than $10.2 billion [PDF] to cybercriminals last year alone, though. ®
