Beware Of Fraudulent Trading Apps From Apple And Google Play Store That Steal Login Credentials


Fraudulent trading apps have emerged as a significant threat to users, luring victims with ads for lucrative investments on social media and messaging platforms.

While these scams promise high returns on investment, in reality they lead to huge financial losses for those who download the apps and deposit their money.

Cybersecurity analysts at Group-IB recently warned of fraudulent trading apps from Apple and Google Play Store that steal login credentials.

Fraudulent Trading Apps

Since May 2024, researchers have been tracking a sophisticated cyber fraud operation involving fake trading apps on both major mobile platforms, Android and iOS.

The apps were built with the cross-platform development framework UniApp on top of Vue.js.

They were distributed through the Google Play Store, the Apple App Store, and phishing websites.

Fraud application in the Google Play Store and Apple App Store (Source – Group-IB)

All of this is part of a scam type dubbed “pig butchering,” in which threat actors use social engineering via dating apps and social media platforms to exploit victims.

The technical architecture uses WebSocket connections for app-based trading and HTTPS for web browser access.

The apps themselves are thin shells: they use an HTML5 WebView to display web-based content served from the operators’ infrastructure.

To evade Apple’s security checks, the iOS version uses a time-based trigger, and sideloaded builds additionally require the victim to enable trust for an enterprise certificate.

The scheme process (Source – Group-IB)

The malicious applications masquerade as mathematical formula calculators and implement a multi-step fraud process that requires an invitation code, identity verification (ID or passport uploads), and the collection of personal information.

Fake trading terminal displayed (Source – Group-IB)

Unlike traditional banking trojans such as GoldPickaxe, discovered in February 2024, these apps contain no explicitly malicious code; instead they serve as sophisticated deceptions, the Group-IB report notes.

The deception is reinforced by using TermsFeed to produce legitimate-looking legal agreements and by supporting multiple languages, including English, Portuguese, Chinese and Hindi.

This enables the threat actors to manipulate victims into making significant deposits before blocking withdrawals.

The scam’s infrastructure operated through multiple domains, with api.fxbrokers[.]cc serving as the primary command-and-control (C2) server.

A notable discovery was the com.ubsarov.ubsarovfx package, which is linked to the broader “UOBE FX” scam campaign.

The web-based interfaces also helped the apps evade detection. The threat actors impersonated numerous legitimate trading platforms, including FINANS INSIGHTS, Coinbase and XTB.

The sophistication of the scam lies in its ability to display real-time stock news and market data, which creates a convincing, legitimate-looking trading environment.

Once victims had invested through these fraudulent platforms, the threat actors imposed withdrawal restrictions to trap the users’ funds.

The infrastructure extended to domains such as gold-blockhain[.]cc, illustrating the extensive network behind the scam and its domain registration patterns, which are designed to mimic legitimate financial institutions.
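Domains that mimic a financial brand are something a defender can screen for. As an added, defender-side illustration (this is not code from the article or from Group-IB), the following Python script triages observed hostnames against a protected-brand list, the kind of lookalike check a Digital Risk Protection or brand-monitoring workflow runs over newly registered domains, passive DNS, or proxy logs. The brand list, the allow-list of legitimate domains, and every hostname other than the two named in the article are constructed for this example; a production version would use the Public Suffix List and a full brand inventory.

```python
"""Lookalike-domain triage for a brand-protection workflow.

Added example, not from the Group-IB report or this article. PROTECTED_BRANDS,
LEGITIMATE_DOMAINS and all hostnames except gold-blockhain[.]cc and
api.fxbrokers[.]cc are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Brands the defender protects. Coinbase and XTB are named in the article as
# impersonated platforms; the other entries are constructed.
PROTECTED_BRANDS = ["blockchain", "coinbase", "xtb", "finansinsights"]

# Registrable domains that legitimately carry those brands (constructed allow-list).
LEGITIMATE_DOMAINS = {"coinbase.com", "xtb.com", "blockchain.com"}

# Digits and symbols commonly substituted for letters; normalised before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


@dataclass(frozen=True)
class Finding:
    hostname: str
    token: str   # the hostname token that matched
    brand: str   # the protected brand it resembles
    kind: str    # "brand-token" (exact brand in a foreign domain) or "typosquat"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domain tokens are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(hostname: str) -> str:
    """Turn a defanged indicator like 'gold-blockhain[.]cc' back into a hostname."""
    return hostname.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Last two labels. A real deployment would consult the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def tokens(hostname: str) -> list[str]:
    """Split on dots, hyphens and underscores: 'gold-blockhain.cc' -> ['gold', 'blockhain', 'cc']."""
    return [t for t in re.split(r"[.\-_]", hostname) if t]


def classify(hostname: str) -> list[Finding]:
    """Return lookalike findings for one hostname; empty for allow-listed or unrelated names."""
    host = refang(hostname)
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return []
    findings = []
    for tok in tokens(host):
        norm = tok.translate(HOMOGLYPHS)
        for brand in PROTECTED_BRANDS:
            if norm == brand:
                findings.append(Finding(hostname, tok, brand, "brand-token"))
            # One edit away from a brand of 5+ chars (short brands like 'xtb' would
            # produce too many false positives at distance 1, so exact match only).
            elif len(brand) >= 5 and levenshtein(norm, brand) == 1:
                findings.append(Finding(hostname, tok, brand, "typosquat"))
    return findings


def triage(hostnames: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged hostname to its sorted (brand, kind) hits; clean hosts are omitted."""
    report = {}
    for h in hostnames:
        hits = sorted({(f.brand, f.kind) for f in classify(h)})
        if hits:
            report[h] = hits
    return report


# Constructed sample of observed hostnames (e.g. from passive DNS or proxy logs).
SAMPLE_OBSERVED = [
    "gold-blockhain[.]cc",          # named in the article (defanged)
    "api.fxbrokers[.]cc",           # named in the article; carries no brand token
    "c0inbase-app.example",         # constructed: digit-for-letter homoglyph
    "www.coinbase.com",             # constructed: legitimate, allow-listed
    "xtb.trading-portal.example",   # constructed: brand used as a subdomain label
    "news.example",                 # constructed: benign
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_OBSERVED).items():
        for brand, kind in hits:
            print(f"{host:30} {kind:12} resembles {brand}")
```

Note what the check does not catch: api.fxbrokers[.]cc is flagged by nothing here because it contains no protected brand, which is why lookalike screening complements, rather than replaces, the threat-intelligence and session-monitoring measures recommended for financial organisations.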

Recommendations

The recommendations are as follows:

For Financial Organizations:

  • Use session monitoring.
  • Educate customers on mobile malware and password safety.
  • Protect logos and content with Digital Risk Protection.
  • Use Threat Intelligence.

For End Users:

  • Be cautious with mobile links.
  • Avoid unsolicited messages from strangers.
  • Verify investment/job platforms before committing.
  • Install apps only from official sources.
  • Don’t share personal/financial data with strangers.
  • Stay updated on scam tactics.
  • Beware of extraordinarily lucrative deals.
