Malicious app hijacks Android phones to mine cryptocurrency... and gets slammed by the FTC

PrizedThe Federal Trade Commission (FTC) along with the New Jersey Attorney General have settled charges with a developer who created a mobile "rewards" app that in actuality hijacked users' phones in order to mine cryptocurrencies.

According to a complaint filed by the United States District Court for the District of New Jersey, Ryan Ramminger, the CEO of Equiliv Investments, created an Android app called "Prized" that offered points to those who downloaded the app and who then either played games or installed other affiliate applications.

Users could ultimately redeem these points for "prizes," such as clothes, accessories, and gift cards.

how-it-works

However, upon downloading the app, consumers unknowingly installed malicious software that took control of the computing resources of their mobile devices in order to mine for various cryptocurrencies, including Bitcoins, Dogecoins, and Litecoins.

Neither Ramminger nor his company informed users of the true intent of the app. In fact, the terms of use for "Prized" specifically stated that any generated code would "be free of malware, spyware, time bombs, and viruses."

This misrepresentation led to thousands of downloads from the Google Play Store, the Amazon App Store, and additional mobile marketplaces. Once activated, the app drained users' device batteries and consumed their mobile data, which might have caused some victims to incur fees if they went over their monthly data limits.

"Consumers downloaded this app thinking that at the very worst it would not be as useful or entertaining as advertised," said Acting New Jersey Attorney General John J. Hoffman in a statement released by the FTC. "Instead, the app allegedly turned out to be a Trojan horse for intrusive, invasive malware that was potentially damaging to expensive smartphones and other mobile devices."

CryptocurrenciesAs part of the settlement, Ramminger and his company have agreed to never produce any mobile apps that, among other things, exchange cryptocurrencies or seize computing resources without a user's prior authorization.

They also will be required to pay $5,200 as long as they comply with the judgment. If they don't, an additional fine of $44,800 will be demanded of Ramminger and Equiliv in the future.

According to Helen Wong, an attorney with the FTC’s Division of Financial Practices, this is the first instance in which the FTC has gone after malicious activity originating in a mobile app.

Given its novelty, I hope this case sets an example.

Apps like "Prized" are dangerous not only because they misrepresent themselves to consumers but also because they cost users' time, resources, and money. These types of applications do not belong in our app stores, and it would appear the FTC agrees.

Let's therefore call this story for what it is: a warning.

Tags: , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , ,

3 Responses

  1. David L

    July 1, 2015 at 3:50 pm #

    What !!!! No jail time! And where in the *#@$ was Google? They are supposed to be reviewing apps these days, WITH REAL PEOPLE ! In addition to bouncer and other code review mechanisms. I'm going to pass this along to a few of the Android websites,like Android Police,and Android Central. A little Google shaming is needed here.

    • Coyote in reply to David L.

      July 1, 2015 at 10:31 pm #

      Google has little to do with this. See that it also was downloaded elsewhere. Yet Google doesn't care anyway, and I think you know this. Google knows what is best which is what they want to do, even things that are not at all a good idea. Google is incredibly thick and while I won't claim every staff member is arrogant, on a whole the company is quite arrogant about many things. In other words, Google really couldn't care less here. Actually, I would be surprised if they cared at all about these things (besides how the public views them and even that is only if it doesn't go too far against their views).

      But putting my distaste for Google aside, there is one other thing to consider. They aren't exactly known for taking care of malicious software. I mean in particular their record for dealing with malicious software is quite bad. Keep in mind the case where Android security (a specific person involved with it, don't remember his name or his actual position but I think it was at the top) claimed they didn't need antivirus software (ironically they had at least one fake AV in their store, probably far more malware than any thing related to anti-malware). I know this was on the feed of this site at one point (but I think it was at a third party site.. I want to say hotforsecurity.com but I'm not positive of that).

  2. Coyote

    July 1, 2015 at 10:40 pm #

    Now I'm curious about this part:

    "Neither Ramminger nor his company informed users of the true intent of the app. In fact, the terms of use for "Prized" specifically stated that any generated code would "be free of malware, spyware, time bombs, and viruses.""

    Firstly, I would think of spyware and viruses as part of malware. But I'll leave the redundancy alone (redundancy can be a good thing when used in the correct way although I'm not sure it is necessary here). What I genuinely wonder is the following: time bomb. I can only think of logic bombs given a common example is activation at a specific time and/or date (e.g. the payload of CIH which coincidentally triggered on the anniversary of the Chernobyl disaster, hence the other name given to it). Is that what they refer to or is it something else ?

Leave a Reply