Analysis of Electroneum Cloud Mining
Electroneum is one of the first cryptocurrencies that allow users to "mine" coins with a mobile device. Electroneum's Cloud Mining process refers to periodically rewarding users of its application with free ETN tokens, which they can store or spend with ETN-accepting retailers. To create an Electroneum account and activate cloud mining, Electroneum requires users to upload selfies showing a predefined gesture or a drawing of a symbol. This project analyzed the device-verification and authorization-related security measures employed by Electroneum. Based on that analysis, we mounted a device-emulation and app-impersonation attack against Electroneum's cloud mining process. To bypass the selfie requirement during account setup, we generated selfies of non-existent people using Generative Adversarial Network (GAN) techniques. We then reverse-engineered the genuine Electroneum application and developed a bot that impersonates it, maintaining an arbitrary number of illegitimate accounts on a single Android device and thereby collecting ETN token rewards the attacker is not entitled to. Following responsible disclosure guidelines, we submitted a vulnerability report on our findings to the Electroneum team. After the disclosure, the Cloud Mining feature was shut down; therefore, the attack described here is no longer applicable.