Beware malware posing as beta versions of legitimate apps, warns FBI

The FBI has issued a warning that cybercriminals are embedding malicious code in mobile beta-testing apps in attempts to defraud potential victims. The victims are typically contacted on dating sites and social media, and in some cases they are promised incentives such as large financial payouts.

Beta-testing apps are new versions of software that are undergoing their final tests and aren’t quite ready to be officially released. In the legitimate software ecosystem, beta testing gives users a chance to improve their favorite apps and get early access to new features. For criminals, “beta-testing” apps offer a plausible reason for victims to download software from unsafe places, away from the usual app stores, without raising their suspicions.

To make the apps look legitimate, the criminals use familiar-looking names, images, or descriptions that are similar to popular apps. Embedded in the apps is malicious code used to defraud the victim or compromise the device. According to the FBI:

“The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover.”

The agency says it’s aware of fraud schemes where the victims are contacted and directed to download mobile beta-testing apps, such as cryptocurrency exchanges, that steal money instead of investing it.

In an earlier warning the FBI focused on scammers that haunt forums and comments sections, looking for victims who have lost cryptocurrency to fraud, scams, and theft. The scammers claim to provide cryptocurrency tracing and promise to recover lost funds.

Glad I was able to recover my funds from these fake brokers. I would have had to file for bankruptcy, thanks to [redacted] I was able to get a hold of these scam brokers and take back my money. I would gladly refer anyone.

Example of an (intercepted) attempt to post a recovery advertisement in our blog comments

These recovery scheme fraudsters will charge an up-front fee and either cease communication after receiving the initial deposit, or they will produce an incomplete or inaccurate tracing report and claim they need additional fees to recover the funds.

The fraudsters will even go as far as to claim they are affiliated with law enforcement or legal services to appear legitimate. It is important to realize that private sector recovery companies cannot issue seizure orders to recover cryptocurrency.

Stay safe

Beta-testing can be fun and rewarding, but check that you are testing the app from a legitimate source and trusted developer. For example, Malwarebytes offers their beta downloads on their own forums.

Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with them. Scammers specialize in making you think that.

Do not provide personal or financial information in email or messages, and do not respond to email or message solicitations, including links.

Do not download or use suspicious-looking apps as a tool for investing unless you can verify the legitimacy of the app.

Shy away from advertisements for cryptocurrency recovery services. Research the advertised company and beware if the company uses vague language, has a minimal online presence, and makes promises regarding an ability to recover funds. Do not make things even worse.

Law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm.

As the FBI pointed out:

“Cryptocurrency exchanges only freeze accounts based on internal processes or in response to legal process.”

