These scary apps weren’t a Halloween prank but posed a real danger to your finances
Halloween is just around the corner, so it’s as good a time as any to relate the scary story of two apps available from both Apple and Google’s official App Store that packed a nasty surprise: emptying a user’s bank account of as much money as possible. Here’s what you need to learn from Group-IB’s report on a major pig-butchering trading app scam.
Large-Scale Fraud Uncovered As Fake Trading Apps Found On Apple & Google App Stores
Threat researchers at Group-IB are perhaps best known for recently helping Europol to take down a criminal network that unlocked 500,000 stolen smartphones. However, Group-IB has been digging into criminal enterprises for the longest time, and some are best described as downright scary. Take, for example, the newly published report Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users that details how a large-scale fraud campaign was able to target users with fake apps available from multiple sources, including the official Apple App Store and Google Play store.
Pig butchering, while something of an offensive term to myself as a vegan, is popularly applied to describe a scam whereby fraudsters entrap victims in an investment scheme, often involving cryptocurrency, which is designed to relieve them of as much money as possible through nefarious means. The rather disgusting term is applied to these scams as the victim has their trust built up by the attackers before moving in for the kill, in an analogous way to a pig being fattened up before slaughter. One thing such schemes are not new. However, that doesn’t mean they are not continually evolving, as Group-IB uncovered during its analysis.
The researchers noted that a number of these fake apps, developed mostly for the Android platform, used a cross-platform development framework. At least one app was found to be available on the Google Play store and another, this time developed for iOS, on Apple’s App Store. Rather than contain the usual malicious attributions that enable both Apple and Google security processes to detect and block such apps, these were carefully designed to have at least a facade of being a legitimate trading platform app.
How The Pig-Butchering Scams Worked
Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call, the attackers spent weeks on each target. Only when this “fattening up” process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned. When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps. This sense of trust would extend beyond just the app itself and lend an air of trustworthiness to the attackers as a result.
All the applications that Group-IB discovered have been categorized as belonging to a single malware family which it has labeled UniShadowTrade.
Once an app is installed, and the victim enters their unique code that the attacker has already given them during the “fattening” stage, remember these are targeted attacks that use the App Store apps to leverage trust, they are required to follow several steps:
- Upload identification documents.
- Provide personal information.
- Provide job information.
- Agree to terms and conditions.
- Accept trading disclosures.
- Transfer funds to the trading account.
“Once the deposit has been made,” the researchers warned, “the cybercriminals take over and send further instructions, ultimately resulting in the theft of the victim’s funds.”
The initial apps, the ones uploaded to the official stores, masqueraded as a tool for mathematical formulas and was designed to be a downloader primarily. The second app, from the phishing sites people were directed to, contained the live web-app trading platform. “We believe this approach was deliberate,” Group-IB said, “since the first app was available in the official store, and the cybercriminals likely sought to minimize the risk of detection.”
Although these fraudulent apps have been removed from both Apple and Google app stores, users are urged to remain vigilant when it comes to anyone offering financial opportunities through social media channels. If something sounds to good to be true, it usually is.
I have reached out to both Apple and Google for a statement.
