25 bogus Google Play store apps promised to mine cryptocurrency for a fee, scamming wannabe investors

Lookout estimates that the apps have scammed more than 93,000 victims out of $350,000.
(Photo by NHAC NGUYEN/AFP via Getty Images)

Scammers are pushing fake cryptomining apps in order to make a buck off of victims interested in virtual currency.

Security researchers at Lookout identified more than 170 apps that advertise themselves as providing cryptocurrency-mining services on the cloud for a fee. Unlike other popular cryptocurrency scams on mobile, the criminals aren’t seeking to empty a user’s wallet or download malicious software. Instead, the apps simply charge users for a service that doesn’t exist.

Similar scams have existed in desktop form for a while, but this is the first time researchers have noticed apps designed to conduct such a fraud.

“The apps themselves are really essentially empty shells with what look like purchasing functionalities,” said Christoph Hebeisen, director of security intelligence research at Lookout. “There is no way to tell if there is actually mining going on in the background or not because that happens on the cloud side, that doesn’t happen in the actual app.”


While some of the apps allowed payments via bitcoin, a violation of Google Play store’s terms of service, most weren’t actually breaking any rules.

“They use all of those legitimate functionalities to run while trying to scam people out of money,” he said.

Lookout estimates that the apps have scammed more than 93,000 victims out of more than $350,000.  The apps fell into two different families of code and Hebeisen says he suspects more scammers will catch on to their playbook.

Only 25 of the mining scam apps identified by researchers were available for download on Google Play. The vast majority had to be sideloaded from a non-trusted source.

The apps themselves wouldn’t have set off any red flags since their contents were innocuous. Still, the fact that they managed to get onto a legitimate platform like Google Play shows that users seeking cryptocurrency services online need to be extra vigilant about which developers they’re trusting.


Google has removed the 25 apps flagged by Lookout. Lookout is a participant in Google’s App Defense Alliance, a consortium of mobile security research partners that work with Google Play.

The research is just the latest insight into how scammers are taking advantage of cryptocurrency’s popularity to swindle victims online.

The Federal Trade Commission reported a record year for the number of cryptocurrency-related scams in May. Nearly 7,000 individuals reported losses of more than $80 million from October through March. The majority of the scams snagged victims via social media where crooks posed as verified accounts like Elon Musk to stage fake giveaways offering to grow a victim’s cryptocurrency entry.

Scammers have also exploited legitimate app stores like the Apple’s App store and Google Play store to offer fake cryptocurrency wallets that have swindled victims out of millions in virtual currency. App stores represent a valuable avenue for scammers by allowing them to bypass traditional methods of targeting victims with phishing campaigns, says Hebeisen.

Hebeisen says that researchers could be looking at the start of a trend in which actors seek to rip off money without doing anything directly malicious with their apps.


“I think with malware authors, it’s always going to be a cat and mouse game. And we have to learn about their tactics as we go along,” he says. “And I think this is one of those steps where that happens, we see a new tactic on their side. And now the anti-malware world is going to adapt and learn something new.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts