Two fraudulent cryptocurrency investment applications that were able to bypass the protections put in place by Apple and Google to protect downloads from their mobile app stores have been removed, after being identified as involved in a so-called CyptoRom scam by researchers at Sophos.
In a report released today, Sophos senior threat researcher Jagadeesh Chandraiah described how the two malicious applications were likely able to sneak past the beady eyes of Apple and Google’s moderators by pretending to be something other than what they were.
The two apps, named as Ace Pro and MBM_BitScan, were both developed to be used in a CryptoRom scam, an elaborate type of financial fraud that preys on dating app users, using emotive lures to ensnare their victims and trick them into making fake cryptocurrency investments.
The appearance of the apps in Apple and Google’s store windows is a notable occurrence, he explained, because this is a feat that is usually quite hard to accomplish.
“In general, it’s hard to get malware past the security review process in the Apple App Store,” said Chandriah. “That’s why, when we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app.
“This obviously involves an additional level of social engineering – a level that’s hard to surmount,” he added. “Many potential victims would be ‘alerted’ that something wasn’t right when they couldn’t directly download a supposedly legitimate app.
“By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.”
Bypassing store review processes
In the case of Apple, he added, the apps were apparently unaffected by the recently launched iOS Lockdown Mode feature, one function of which is to stop scammers from loading mobile profiles helpful for social engineering. This may actually explain why the malware writers turned their attention to bypassing store review processes.
The first app, Ace Pro, is described in the app store as a QR code scanner, but when opened, users will see a trading interface to deposit and withdraw cryptocurrency – which in fact is merely a means to send money to the scammers.
It is suspected that to get around store security, the developers coded functionality whereby it connected to a remote website with benign functionality when they submitted it for review. The domain contained code that did indeed relate to QR scanning, which may have made it look legitimate. Once approved, they appear to have redirected the app to another domain, which contacted a third host to deliver the fake trading interface.
MBM_BitScan, also known as BitScan when found on Google Play, uses similar tactics in that it first communicates with a command and control (C2) infrastructure that then calls out to a server that resembles a legitimate, Japan-based crypto firm. The malicious activity itself is all handled in a web interface at this point, which seems to have been how it got through the moderation process as the app itself did little to raise any red flags.
In one case observed by Sophos in the autumn of 2022, the scammers running Ace Pro created a convincing fake Facebook profile for a supposedly wealthy woman living in London. This persona lured her victims with photos of her lavish lifestyle – likely stolen from the internet – including meals at high-end restaurants and shopping sprees at luxury stores. To keep things current, the persona often updated her profile with news stories referencing current events such as the death of Queen Elizabeth II, and liked and followed various UK-based businesses and organisations to maintain the illusion.
After successfully building a rapport with a victim who presumed they were onto a good thing, the scammers told them the woman’s uncle worked in a financial analysis firm, and invited them to trade in cryptocurrencies with her via the Ace Pro app. They sent detailed instructions on how to “invest” with the app, telling them first to transfer money into the Binance crypto exchange, and from there to the fake app.
In this case, the victim was at first able to withdraw some small amounts of cryptocurrency using Ace Pro, but later on, when they tried to withdraw more funds, the account was suddenly locked out, and a customer support rep – in reality the scammers – told them they would need to pay a 20% fee to access their funds.
Pig butchering
CryptoRom scams such as those run through Ace Pro and MBM_BitScan ultimately form part of a wider family of scams known as pig butchering plate, which is ultimately translated from the Chinese term sha zhu pan (杀猪盘).
They generally originate out of China, and sometimes Taiwan, and pre-Covid focused largely on gambling. However, during the pandemic, their operators started to expand globally and evolved into fraudulent foreign exchange and crypto trading. Many now rely on a combination of romance-themed social engineering and fake crypto apps to lure in their victims and steal their money after first gaining their confidence.
A crackdown by the Chinese authorities on such activity has also seen many of the operators relocate to more lenient jurisdictions in the Asia-Pacific region, Cambodia being especially favoured, according to Sophos.
Such scams are well organised with a structure reminiscent of a legitimate business, with a head office supervising and laundering the money, and subcontracting operations to affiliate groups who also have their own organisational structures handling websites and applications, financing, and at the bottom of the pile, the keyboard warriors who will ultimately interact with the victims.
There is also concerning evidence that many of the low-level operators are victims of human trafficking who had been promised high-paying jobs in Cambodia’s Special Economic Zones, but on arrival in the country had their passports taken from them. If they refuse to work or try to run away, they may become subject to violence.
Despite the disparaging name applied to them and a tendency to dismiss them as naïve or foolish, it is easy for pretty much anybody to fall victim to a pig butchering scam. Sophos’ researchers were able to speak to a number of victims and found they were in general sensible and well-educated people. Not all of them, as one might expect, were men.
What they do hold in common were characteristics such as emotional vulnerability – many of them had recently gone through a major life change, such as bereavement, divorce or illness, which can make people more susceptible to being manipulated into fraud.
In addition to his, pig butchering scammers tend to rely on the length of time they spend engaging with their victims, often many months, and other methods of building trust, such as constructing fake screenshots to prove they are also investing their money, and in this case, playing on the innate trust people have that the Apple App Store and Google Play Store are secure.
Giving the victim the ability to get a small amount of money back at the start of the scam as a promise of bigger riches to come is also a common tactic used to build trust in an offline Ponzi scheme, and likely played a role here.