PayPal And Bitcoin Scamming Fake Android Apps Discovered On Google Play Store

A fake Android app that steals PayPal credentials, masquerading as a service for earning money by watching in-app YouTube videos, has been discovered by cyber security researchers from ESET.

Boost Views, found on the Google Play store, carried the Trojan.Android/FakeApp.FK malware. Under the guise of paying users real money in return for views on YouTube, it tricks users into parting with their PayPal details.

Fake Android app Boost Views

Boost Views attracts Android users by promising to generate earnings for them if they watch YouTube videos within the app. Users can also buy credits with real money in exchange for YouTube views, which builds up the app's deceptive nature.

Having generated $0.09 in 16 hours of automatic video playing and having seen no mention of a minimum payout threshold, we tried to withdraw the earned amount.

ESET’s researchers noted that there appeared to be no minimum payout threshold for the views, so they attempted to withdraw the money they had earned while investigating the app. That is where they discovered the crux of the scam.

“In order to withdraw money, PayPal credentials must first be entered into an insecure login form for “authentication”. Once victims enter their credentials, they are confronted with an “invalid login” error message and their PayPal credentials are sent unencrypted to developer’s server,” they said.

“With PayPal account compromised, the victims’ PayPal and/or credit card balance are open for misuse.”

While the researchers said that PayPal has so far not reported any suspicious activity on the account they used to test Boost Views, that offers little comfort for users who have had their PayPal details compromised.

PaxVendor

The researchers also uncovered another trojan lurking in PaxVendor, a malicious Android app that goes after the Bitcoins of the users of legitimate Bitcoin trading marketplace Paxful.

Through a bogus login screen, PaxVendor harvests users’ Paxful login details while offering no real functionality in return. It displays an error telling users that it cannot access their Paxful account, while sending the login credentials to a server used by the scammer.

The researchers noted that someone signed into their account from Ukraine shortly after they entered their Paxful credentials into PaxVendor.

The malicious app has been pulled by Google from the Play store, but the ESET researchers noted that 500 installs had been made before PaxVendor was shut down.

Both examples of fake Android apps indicate the need for users to be extra vigilant for app scams pretending to offer a money-making service in return for very little, and indicate the continued rise of sophisticated scamming malware as vectors for cyber attacks.
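Both apps described above post a login for one service to a server that does not belong to it, and Boost Views does so without encryption. The following sketch is an added example, not code from ESET or from this article: it checks requests captured from an app under review for exactly those two conditions. The allow-list, the `collector.example` hosts and the sample capture are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list: domains that may legitimately receive each brand's login.
LEGIT_LOGIN_DOMAINS = {"paypal": ("paypal.com",), "paxful": ("paxful.com",)}
# Form field names treated as carrying a password (assumption).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def inspect_request(method, url, body, claimed_brand):
    """Return findings for one request sent by an app whose login form
    claims to authenticate against claimed_brand."""
    parts = urlsplit(url)
    fields = {name.lower() for name in parse_qs(body, keep_blank_values=True)}
    if method != "POST" or not (CREDENTIAL_FIELDS & fields):
        return []  # not a credential submission
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("credentials sent without TLS")
    if not host_in(host, LEGIT_LOGIN_DOMAINS[claimed_brand]):
        findings.append(
            f"{claimed_brand} credentials sent to third-party host {host}")
    return findings


def scan(capture):
    """Return (url, findings) for every request with at least one finding."""
    return [(url, found) for method, url, body, brand in capture
            if (found := inspect_request(method, url, body, brand))]


# Constructed sample capture: (method, url, form body, brand shown in the UI).
SAMPLE_CAPTURE = [
    ("POST", "http://collector.example/login.php",
     "email=user%40example.com&password=placeholder", "paypal"),
    ("POST", "https://www.paypal.com/signin",
     "email=user%40example.com&password=placeholder", "paypal"),
    ("GET", "http://collector.example/videos?id=1", "", "paypal"),
    ("POST", "https://api.collector.example/auth",
     "username=user&pwd=placeholder", "paxful"),
]

if __name__ == "__main__":
    for url, found in scan(SAMPLE_CAPTURE):
        print(url, "->", "; ".join(found))
```

The findings name only the destination and the condition, so the submitted credential values never end up in the report.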

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
