PayPal And Bitcoin Scamming Fake Android Apps Discovered On Google Play Store

A PayPal credential stealing fake Android app, masquerading as a service to generate money from watching in-app YouTube videos, has been discovered by cyber security researchers from ESET.

Boost Views on the Google Play store was found to have the Tojan.Android/FakeApp.FK malware and under the guise of providing users with real money in return for views on YouTube, scams users to part with their PayPal details.

Fake Android app Boost Views

Boost Views attracts in Android users by promising to gnerate erning for them if they watch YouTube videos within the app, at the same time they can also buy credits for real-money in exchange for YouTube views, thus building the apps deceptive nature.

Having generated $0.09 in 16 hours of automatic video playing and having seen no mention of a minimum payout threshold, we tried to withdraw the earned amount.

ESET’s researchers noted that there appeared to be no minimum payout threshold for the views, and so they attempted to withdraw the money they earned while investigating the app, where they discovered the crux of the scam.

“In order to withdraw money, PayPal credentials must first be entered into an insecure login form for “authentication”. Once victims enter their credentials, they are confronted with an “invalid login” error message and their PayPal credentials are sent unencrypted to developer’s server,” they said.

“With PayPal account compromised, the victims’ PayPal and/or credit card balance are open for misuse.”

While the researchers said that PayPal has so far not reported any suspicious activity on the account they have used to test Boot Views, it still offers little comfort for users who have had their PayPal details compromised.

PaxVendor

The researchers also uncovered another trojan lurking in PaxVendor, a malicious Android app that goes after the Bitcoins of the users of legitimate Bitcoin trading marketplace Paxful.

Through the use of a bogus login screen, PaxVendor looks to harvest users’ Paxful login details while offering no real functionality in return by generating a error noting the users’ that it cannot access their Paxful account, while sending the login credentials to a server used by the scammer.

The researchers noted that someone signed into their account from the Ukraine shortly after they entered their Paxful credentials into PaxVendor.

The malicious app has been pulled by Google from the Play store, but the ESET researchers noted that 500 installs have been made before PaxVendor was shutdown.

Both examples of fake Android apps indicate the need for users to be extra vigilant for app scams pretending to offer a money-making service in return for very little, and indicate the continued rise of sophisticated scamming malware as vectors for cyber attacks.

What do you know about the mobile app revolution?Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago