App company that mined Dogecoins behind your back receives FTC penalty

library
crime | hacking | security

It was almost funny – nearly, but not quite.

Until the FTC decided that it very definitely wasn’t.

The FTC, of course, is the Federal Trade Commission, the consumer watchdog in the United States that takes action against dodgy business behaviour.

Unsurprisingly, the FTC is increasingly standing up against digital rip-offs, as well as old-school shysters.

In this case, announced at the end of June 2015, the FTC has slapped a $50,000 penalty on a company called Equiiv over its mobile phone app, Prized.

Prizes that weren’t

It turned out that the “prizes” you were supposed to be able to win by running the app and playing games or other online activities didn’t go to you.

The app was actually just a cover for cryptocurrency mining, essentially co-opting people who downloaded it into a mobile botnet of coin-mining.

Cryptocurrencies, as they are called, of which the best-known is Bitcoin, are essentially digital protocols that let you convert a bunch of heavy calculations into unique digital assets.

You can then trade these digital coins, as the metaphor calls them, with other people, in exchange for whatever you can agree upon.

Unlike formal currencies such as the US Dollar or the Pound Sterling, there is no central authority that regulates the creation of cryptocurrencies.

You “mint” new “coins” not by striking metal pieces into special dies under heavy security, but by performing time-consuming cryptographic calculations.

The idea is that most of these calculations are worthless, but occasionally you’ll hit the jackpot, and produce an output that happens to represent currency.

Then you can claim it, as long as no one else has claimed that particular cryptocoin before.

→ The way crypto-mining calculation lotteries works is that you have to find an input value that, when run through a cryptographic hash, produces an output with a particular pattern of bits. Typically, this means that the first howevermany bits must be zero. Because cryptographic hashes are designed so you can’t go backwards from the hash to the input, there is no shortcut that can find winning answers. You just have to keep trying input after input until you get lucky.

There are several problems with a mobile app that performs cryptocurrency mining without telling your users:

It’s dishonest to offer prizes to your users but take them yourself.
Coin mining involves a lot of computation, so it ruins battery life.
Mobile phones aren’t designed for coin mining, which makes them run hot.
Undisclosed “features” of this sort in software are not acceptable to consumers.

Thus, the FTC’s involvement.

As Acting New Jersey Attorney General John J. Hoffman said in the FTC’s report on this matter:

Consumers downloaded this app thinking that at the very worst it would not be as useful or entertaining as advertised. Instead, the app allegedly turned out to be a Trojan horse for intrusive, invasive malware that was potentially damaging to expensive smartphones and other mobile devices.

Equiiv and Ryan Ramminger, one of its directors, settled with the FTC’s complaint by agreeing to the following conditions:

Don’t do it again.
Destroy all customer information obtained in marketing and supplying the app.
Pay $5,200 to the State of New Jersey.
Keep to all the previous conditions, or go on the hook to pay $44,800 more.

We particularly like the second condition.

This ought to make it more difficult for Equiiv or Ramminger to resurface in new clothes and get back into pestering the very people they’ve already wronged with the app.

We also like that the FTC hasn’t “done a Google” and minced its words in describing this treacherous app – which, incidentally, was approved by Google and allowed into the Play Store.

Google recently went through the perplexing step of trying to claim that Android was malware-free by definition, stating that what you and I call malware should more soothingly be referred to as a Potentially Harmful App (PHA).

As you read above, the FTC is having none of that PHA double-speak: the Prized app, stated the FTC in perfectly plain words, is intrusive, invasive malware.

Listen to Sophos experts discuss Google’s approach to Android malware [starts at 3’36”]

(Audio player above not working? Download MP3 or listen on Soundcloud.)

Almost funny?

Oh, one more thing.

We said at the start that this story – a story that involves trying to profit from malware – was almost funny.

We’d better explain ourselves.

The most popular cryptocurrency is Bitcoin, but the calculations needed to get any bitcoins as a reward are so onerous that even a fast laptop or desktop computer is almost useless these days.

You’ll never compete with the coin-mining collectives that use special rigs of graphics cards or dedicated hardware that is good at one thing: churning through those cryptographic hashes.

And as for using mobile phones to mine Bitcoin – fergeddit!

For that reason, Equiiv’s Prized app steered clear of the Bitcoin ecosystem and went for what you might call alternative alternative currencies, such as Dogecoin, Litecoin and Quark.

Those cryptocoins are easier and faster to mine, although as a result they’re not worth nearly as much as bitcoins.

And the funny thing – OK, perhaps it was funny at the time – is that Dogecoin was originally conceived as a bit of fun itself.

“Doge” is hacker-spelling for “dog,” in the same way that hackers like to write “teh” instead of “the,” and “pwn” your computer when they own it.

Doge, indeed, is part of an internet meme involving cute images of a Shiba Inu dog, featured as the Dogecoin mascot.