Sophos, a global company that innovates and delivers cybersecurity as a service, today released new findings on CryptoRom scams—elaborate financial fraud schemes that prey on dating app users and trick them into making fake cryptocurrency investments—in its latest report, “Fraudulent Trading Apps Sneak into Apple and Google App Stores.”
The report describes the first fake CryptoRom applications, Ace Pro and MBM BitScan, to get past Apple’s stringent security review. Previously, fraudsters had to use workaround techniques to persuade victims to install illegitimate iPhone apps that were not authorised by the Apple App Store. Sophos alerted Apple and Google immediately, and both companies have since removed the bogus apps from their respective stores.
Jagadeesh Chandraiah, senior threat researcher at Sophos, said: “In general, it’s hard to get malware past the security review process in the Apple App Store. That’s why, when we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app. This obviously involves an additional level of social engineering—a level that’s hard to surmount. Many potential victims would be ‘alerted’ that something wasn’t right when they couldn’t directly download a supposedly legitimate app.
By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.”
Chandraiah added: “Both apps are also not affected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering. In fact, these CryptoRom scammers may be shifting their tactics—i.e., focusing on bypassing the App Store review process—in light of the security features in Lockdown.”
In the Ace Pro case, for instance, the scammers lured the victim with a fake Facebook profile, created and actively maintained to present the persona of a woman supposedly living a lavish lifestyle in London. After building a rapport with the victim, the scammers suggested the victim download the fraudulent Ace Pro app, and the cryptocurrency fraud unfolded from there.
Ace Pro is advertised on the App Store as a QR code scanner, but it is actually a fraudulent cryptocurrency trading platform. When launched, users are presented with a fake trading interface where they can deposit and withdraw funds. In reality, any funds deposited go directly to the scammers. Sophos believes the scammers used a sneaky tactic to get past the App Store security checks: the app was initially submitted to the store pointing at a remote website with legitimate functionality, and the code included working QR scanning so that it looked credible to the app reviewers. Once the app was approved, the scammers redirected it to a domain registered in Asia. That domain in turn sends a request that retrieves content from another host, which serves the fake trading interface.
MBM BitScan also has an Android version, which appears in Google Play under the name BitScan. The same Command and Control (C2) infrastructure connects the two apps, and this C2 infrastructure in turn connects to a server that resembles a real Japanese crypto business. Because everything apart from the thin client is delivered through a web interface, it is difficult for Google Play’s code reviewers to identify the app as fraudulent.
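The bypass described for Ace Pro, and the shared infrastructure behind both apps, are invisible to a review that only inspects the app binary, because the binary never changes; what changes is where its remote endpoint leads and what that endpoint serves. The following script is an added illustration (it is not Sophos’ code, nor anything from the apps themselves) of the kind of post-approval monitoring a store reviewer or mobile-security team could run: it fingerprints what each app’s configured endpoint resolves to at review time, re-checks it later, and flags a changed final host, changed served content, or a longer redirect chain. It also reports final hosts reached by more than one app, modelling the shared C2 observation. All URLs, hosts and responses below are constructed placeholders, and the post-approval switch is modelled as an observable redirect chain; a server-side fetch from a second host that shows no redirect would still be caught by the content fingerprint.

```python
"""Detect post-approval endpoint drift for store-reviewed apps (added example, constructed data)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What an app's configured endpoint actually resolved to at one point in time."""
    final_url: str
    content_sha256: str
    chain: tuple  # every URL visited, in order, starting with the configured endpoint


def host_of(url):
    """Extract the lower-cased host part of an http(s) URL."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def observe(start_url, fetch, max_hops=5):
    """Follow redirects from start_url and fingerprint the final response body.

    `fetch(url)` returns (status, location, body); location is consulted only for 3xx.
    Stops at the first non-redirect response; a chain longer than max_hops is an error.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if 300 <= status < 400 and location:
            url = location
            chain.append(url)
            continue
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        return Observation(url, digest, tuple(chain))
    raise RuntimeError(f"redirect chain longer than {max_hops} hops from {start_url}")


def drift_reasons(baseline, current):
    """Return human-readable reasons why `current` differs from the review-time baseline."""
    reasons = []
    if host_of(baseline.final_url) != host_of(current.final_url):
        reasons.append(f"final host changed: {host_of(baseline.final_url)} -> {host_of(current.final_url)}")
    if baseline.content_sha256 != current.content_sha256:
        reasons.append("served content changed since review")
    if len(current.chain) > len(baseline.chain):
        reasons.append(f"redirect chain grew from {len(baseline.chain)} to {len(current.chain)} hops")
    return reasons


def shared_final_hosts(observations):
    """Given {app_name: Observation}, return {host: [apps]} for hosts reached by more than one app."""
    by_host = {}
    for app, obs in observations.items():
        by_host.setdefault(host_of(obs.final_url), set()).add(app)
    return {h: sorted(apps) for h, apps in by_host.items() if len(apps) > 1}


# Constructed placeholder responses: (status, Location header, body). Not real infrastructure.
REVIEW_TIME = {
    "https://qr-tools.example/api": (200, None, '{"feature": "qr-scanner"}'),
    "https://scan-app.example/api": (200, None, '{"feature": "qr-scanner"}'),
}
POST_APPROVAL = {
    # Both endpoints now bounce through an intermediate domain to a shared host serving the fake UI.
    "https://qr-tools.example/api": (302, "https://portal-a.example/", ""),
    "https://scan-app.example/api": (302, "https://portal-a.example/", ""),
    "https://portal-a.example/": (302, "https://cdn-trading.example/app", ""),
    "https://cdn-trading.example/app": (200, None, "<html>fake trading dashboard</html>"),
}

# Hypothetical app names and their configured endpoints (placeholders).
ENDPOINTS = {"AcePro": "https://qr-tools.example/api", "BitScan": "https://scan-app.example/api"}


def make_fetcher(table):
    """Build an offline fetch() backed by a response table; unknown URLs return 404."""
    def fetch(url):
        return table.get(url, (404, None, ""))
    return fetch


def run_check():
    """Compare each app's post-approval behaviour to its review-time baseline."""
    baseline = {a: observe(u, make_fetcher(REVIEW_TIME)) for a, u in ENDPOINTS.items()}
    current = {a: observe(u, make_fetcher(POST_APPROVAL)) for a, u in ENDPOINTS.items()}
    findings = {a: drift_reasons(baseline[a], current[a]) for a in ENDPOINTS}
    return findings, shared_final_hosts(current)


if __name__ == "__main__":
    findings, shared = run_check()
    for app, reasons in findings.items():
        print(app, "DRIFT" if reasons else "ok", reasons)
    print("shared final hosts:", shared)
```

Run as a script, it reports three drift reasons for each app and the single shared final host. In practice the review-time `Observation` would be stored alongside the approval record and the re-check scheduled periodically; a first-party CDN change will also trip the content fingerprint, so the output is a triage signal rather than a verdict.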
CryptoRom, a subset of a family of scams known as sha zhu pan (杀猪盘)—literally “pig butchering plate”—is a well-organised, syndicated scam operation that combines romance-centred social engineering with fraudulent crypto trading applications and websites to win victims’ confidence and then steal their money. Sophos has been tracking and reporting on these scams, which reap millions of dollars, for two years.