Two malicious apps have spread throughout Polish military units. They are likely pyramid schemes, but worse still, both contain malware. One steals data, while the other transmits location information.
It all started with the CoinPlex app, which I discovered through a friend who wanted to know whether investing through it was safe. Investing meant depositing the stablecoin USDT or USDC, clicking a button in the app three times a day, and watching as an “AI bot” collected money from the market and paid the user a 1.8% daily return. The profit was added to the account, the next 1.8% was calculated on the new total, and so on, day after day.
Compound interest is at work here. Invested capital doubles after a month or so, and after 365 days, 200 złoty invested becomes 134,000 złoty. A 67,188% annual return. Furthermore, the program also rewards those who recruit new users.
CoinPlex deserves a small bonus for honestly admitting to users that it may not be around forever. It cautions that the cryptocurrency market may experience turbulence to which it will not be immune. According to our information, Polish promoters of the app advised users to withdraw their deposits for safety reasons once their capital doubles. However, greed plays a role here. Withdraw the initial PLN 200 early on, once it has doubled, and after a year you will earn PLN 67,000 instead of PLN 134,000.
The incredibly high rate of return is accompanied by a full complement of warning signs: no clear information about the founder or any CoinPlex employee, false claims of cooperation with the cryptocurrency exchanges Kraken and Binance, code pointing to a Chinese software house, and no presence in the Google Play or Apple App Store. I described more details in the article “They're dragging entire families into this. Will this wonderful app turn out to be a pyramid scheme?”
Soldiers invest
Our article about CoinPlex reported that the app had spread among a certain group of uniformed services. After it was published, a concerned reader contacted me. According to him, TS-Vertex, an app similar to CoinPlex that also promises huge profits thanks to an “AI bot,” had become very popular among soldiers in the West Pomeranian Voivodeship. The aforementioned group of uniformed services using CoinPlex also included soldiers.
A quick inspection confirmed that both apps share many features: no reliable information about the company or the people behind TS-Vertex, registration as a shady company, and a 2% daily interest rate. Here, too, you can significantly increase your profits by recruiting new users. And, like CoinPlex, TS-Vertex does not appear in official app stores.
The two differ in one crucial respect. TS-Vertex requires KYC verification. This means that to participate in earning, users must provide sensitive data and photos of a document proving their identity (a driver's license, ID card, or passport). When CoinPlex was installed on a friend's phone, it sent a request during installation to download the user's profile from their iPhone.
One thing our reader noticed: Poland is the target of hybrid attacks by foreign states, most often Russia. This led to a perhaps somewhat paranoid thought: what if TS-Vertex and CoinPlex are more than just pyramid schemes? Neither app is available in official software stores, so their code could contain anything. Furthermore, both have spread through military units in various locations in Poland.
We began searching for an external expert to review both applications, but as it turned out, we found one in-house. An initial analysis of the software by Bankier.pl programmer Andrzej Buczyński confirmed our suspicions. Let's hear from him:
Developer on CoinPlex and TS-Vertex Apps
“TS-Vertex has even been flagged by Google as containing malware. The version of this app I found online contains a Trojan, tentatively named ‘SparkKitty’ by researchers. It works by stealing all photos from the user's gallery and uploading them to servers controlled by the attacker.
The case of CoinPlex is somewhat more challenging due to its relative newness. For example, on the “VirusTotal” website, only 4 of 68 vendors reported detecting malware in this application. However, it can be stated with a high degree of certainty that this is not a false positive, but rather a genuinely new threat. This is indicated by the fact that the application code is additionally obfuscated to hinder analysis, and the application connects to the shady domain h5.coinplex.org, which uses commercial services to conceal its ownership. The only comment about it is written by a fake account created specifically for this purpose.
This app also has a certificate issued to a shoe store in the US, which also indicates its low credibility. However, I think the most obvious symptom is that the app collects user location information, which is unnecessary in a typical pyramid scheme, but highly dangerous for certain user groups. I don't know what other malicious behavior this app performs, as I haven't decompiled it, but I can assure you that it doesn't stop at location tracking, and it's definitely not behavior that would satisfy a potential user.
A number of soldiers' phones are infected with malware. At best, the person behind the attack doesn't care what profession the users of the infected apps perform or whether they represent a significant social group for the Polish state. The Trojan bundled with TS-Vertex uploads photos from the user's gallery to someone else's server. CoinPlex collects user location data and sends it to an unknown recipient.
The fact that both apps became popular at a similar time among soldiers in different military units may be a simple coincidence. In tight-knit groups, news spreads quickly. But is it worth optimistically hoping that this is a “best-case scenario”?
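One defensive use of the indicator named in the developer's analysis, as an added example that is not part of the article or of his analysis: a small Python check that scans DNS resolver logs for devices that resolved the CoinPlex backend domain or any of its subdomains. The log line format and the client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Domain the developer's analysis names as CoinPlex's backend, used here as a detection indicator.
INDICATOR_DOMAINS = {"coinplex.org"}

# Constructed DNS resolver log lines (format assumed for this example):
# "<timestamp> client=<ip> query=<name> type=<rrtype>"
SAMPLE_DNS_LOG = """\
2025-07-01T08:12:03Z client=10.20.1.15 query=h5.coinplex.org type=A
2025-07-01T08:12:04Z client=10.20.1.15 query=h5.coinplex.org type=AAAA
2025-07-01T08:13:10Z client=10.20.1.22 query=example.com type=A
2025-07-01T08:15:41Z client=10.20.1.37 query=notcoinplex.org type=A
2025-07-01T08:16:02Z client=10.20.1.37 query=CoinPlex.ORG. type=A
""".splitlines()

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def matches_indicator(name, indicators=INDICATOR_DOMAINS):
    """True if name equals an indicator domain or is a subdomain of one.

    The suffix check is label-aware, so notcoinplex.org does not match coinplex.org.
    Names are lower-cased and a trailing dot (absolute FQDN) is stripped first.
    """
    name = name.lower().rstrip(".")
    return any(name == dom or name.endswith("." + dom) for dom in indicators)


def find_clients_contacting_indicators(log_lines, indicators=INDICATOR_DOMAINS):
    """Return {client_ip: sorted list of matching queried names}.

    Lines that do not fit the assumed format are skipped rather than raising.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        query = m.group("query").lower().rstrip(".")
        if matches_indicator(query, indicators):
            hits[m.group("client")].add(query)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_clients_contacting_indicators(SAMPLE_DNS_LOG).items():
        print(f"{client} resolved {', '.join(names)}")
```

On the constructed log, two clients are flagged and the look-alike name notcoinplex.org is correctly ignored.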
No regulation breached
Using TS-Vertex and CoinPlex does not violate military regulations. Soldiers have the right to install any application on their private phones and to use it during their free time. We contacted the Ministry of National Defense for details regarding the use of electronic devices in military units.
“Soldiers' private phones cannot be used for official purposes. There are regulations regarding the protection of classified and official information, as well as a ban on the use of private cell phones within certain security zones within military units,” we learned from the Ministry of National Defense press office.
The Ministry emphasizes that guards are required to deposit personal telephones and electrical devices before leaving their posts. Soldiers participating in convoys are also prohibited from using personal phones. This is also not recommended for operations on Poland's eastern border.
When asked whether soldiers are being trained in cybersecurity or how to avoid investment fraud, the Ministry of National Defense (MON) replied that the Cyberspace Defense Forces Component Command (DKWOC) systematically sends messages, reports and warnings to soldiers and employees of the Ministry of National Defense, informing them about current threats in cyberspace and vulnerabilities in systems and software.
“Furthermore, training courses, conferences, and workshops in various areas related to cybersecurity are regularly held. Additionally, DKWOC maintains an e-learning platform used to raise awareness of cybersecurity among soldiers and RON employees,” the Ministry of National Defense told us.
Before publishing the article, we forwarded the report on both applications to CERT Polska and the Cyberspace Defense Forces Component Command in advance.