The first fake CryptoRom apps—Ace Pro and MBM_BitScan—have successfully bypassed Apple’s strict protocols, according to Sophos’ report Fraudulent Trading Apps Sneak into Apple and Goole App Stores.
The report revealed findings on CryptoRom scams—elaborate financial fraud schemes that prey on and trick dating app users into making fake cryptocurrency investments.
Previously, cybercriminals used workaround techniques to convince victims to download illegitimate iPhone apps that were not sanctioned by the Apple App Store.
Sophos immediately notified Apple and Google; both have since removed the fraudulent apps from their respective stores.
|
“In general, it’s hard to get malware past the security review process in the Apple App Store. That’s why, when we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app. This obviously involves an additional level of social engineering—a level that’s hard to surmount. Many potential victims would be ‘alerted’ that something wasn’t right when they couldn’t directly download a supposedly legitimate app. By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple,” explained Sophos senior threat researcher Jagadeesh Chandraiah.
“Both apps are also not affected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering. In fact, these CryptoRom scammers may be shifting their tactics—i.e., focusing on bypassing the App Store review process—in light of the security features in Lockdown.”
To lure the victim who was conned with Ace Pro, for instance, the scammers created and actively maintained a fake Facebook profile and persona of a woman supposedly living a lavish lifestyle in London.
After building a rapport with the victim, the scammers suggested the victim download the fraudulent Ace Pro app and the cryptocurrency fraud unfolded from there.
Ace Pro is described in the app store as a QR code scanner but is a fraudulent crypto trading platform. Once opened, users see a trading interface where they can supposedly deposit and withdraw currency. However, any money deposited goes directly to the scammers.
In order to get past App Store security, Sophos believes the scammers had the app connect to a remote website with benign functionality when it was originally submitted for review.
The domain included code for QR scanning to make it look legitimate to app reviewers. However, once the app was approved, the scammers redirected the app to an Asian-registered domain. This domain sends a request that responds with content from another host that ultimately delivers the fake trading interface.
MBM_BitScan is also an app for Android, but it is known as BitScan on Google Play, according to Sophos. The two apps communicate with the same Command and Control (C2) infrastructure; this C2 infrastructure then communicates with a server that resembles a legitimate Japanese crypto firm. Everything else that is malicious is handled in a web interface, which is why it is hard for Google Play’s code reviewers to detect it as fraudulent.
CryptoRom, a subset of family of scams known as sha zhu pan (杀猪盘)—literally “pig butchering plate”—is a well-organised, syndicated scam operation that uses a combination of romance-centred social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence.
Sophos has been tracking and reporting on these scams that reap millions of dollars for two years.
This first appeared in the subscription newsletter CommsWire on 3 February 2023.
ENABLE HYBRID CLOUD & REDUCE NETWORK LATENCY WHITEPAPER
Hybrid cloud promises to bring together the best of both worlds enabling businesses to combine the scalability and cost-effectiveness of the cloud with the performance and control that you can get from your on-premise infrastructure.
Reducing WAN latency is one of the biggest issues with hybrid cloud performance. Taking advantage of compression and data deduplication can reduce your network latency.
Research firm, Markets and Markets, predicted that the hybrid cloud market size is expected to grow from US$38.27 billion in 2017 to US$97.64 billion by 2023.
Colocation facilities provide many of the benefits of having your servers in the cloud while still maintaining physical control of your systems.
Cloud adjacency provided by colocation facilities can enable you to leverage their low latency high bandwidth connections to the cloud as well as providing a solid connection back to your on-premises corporate network.
Download this white paper to find out what you need to know about enabling the hybrid cloud in your organisation.
PROMOTE YOUR WEBINAR ON ITWIRE
It’s all about Webinars.
Marketing budgets are now focused on Webinars combined with Lead Generation.
If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.
The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.
Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.
We look forward to discussing your campaign goals with you. Please click the button below.
