A Global Scam Unfolds
A sophisticated global fraud campaign involving fake trading apps on the Apple App Store and Google Play Store has been uncovered, according to Group-IB. These fake apps, targeting cryptocurrency investors, have duped thousands of users across multiple continents. The campaign, known as “pig butchering,” is a type of consumer investment fraud where victims are lured with promises of high returns on cryptocurrency or financial investments.
Understanding Pig Butchering
Pig butchering scams, a term coined from the practice of slowly “fattening up” victims with trust and fake investment gains, are highly manipulative. In this campaign, victims are initially approached through romantic or financial advisor schemes. The criminals build trust and eventually convince the victims to invest in fake financial products using seemingly legitimate apps from trusted platforms. These scams often stretch over months, with cybercriminals engaging in consistent communication, much like a con artist grooming their prey.
Fake Apps: The Trojan Horse
What sets this scam apart is the utilization of official app stores, like Apple’s App Store and Google Play, to deliver malicious software disguised as legitimate financial tools. One app, SBI-INT, masqueraded as an algebraic mathematical tool with 3D graphics. This app passed Apple’s stringent review process, evading detection by delaying its malicious functionality until a specific date had passed. This shows how attackers can abuse legitimate platforms to create an illusion of security and trust.
Technical Workarounds: Bypassing Security Checks
Attackers used advanced methods to mask the true intent of their apps. For example, the app would display genuine content, such as mathematical formulas, until a predetermined date, when it would switch to a phishing interface to extract user data. Once detected, these apps were removed from the App Store, but the cybercriminals pivoted to phishing sites, allowing users to download the apps directly. For iOS users, downloading the app required them to trust an enterprise developer profile manually, a process most users are unfamiliar with but critical for bypassing Apple’s built-in security layers.
Android Targeting: Phishing Websites and .plist Files
The phishing sites used to distribute these fake trading apps targeted both Android and iOS users. For Android devices, the apps, such as FINANS INSIGHTS and FINANS TRADER6, were distributed through Google Play and other third-party sites. Android’s more open ecosystem made it easier for attackers to distribute malicious apps as .APK files outside the store. The apps themselves trick users by pretending to be legitimate trading platforms with a professional user interface, luring them into sharing personal data and depositing funds.
Victim Lure: The Illusion of Financial Success
Once victims downloaded these apps, they were asked to register, often requiring personal identification, such as job details and proof of identity. Once registered, victims were invited to make deposits with the promise of high financial returns. To maintain the facade, the app displayed fake profits, with rising investment balances and fabricated success stories. This social engineering technique is a common tactic used to create a sense of security and encourage users to invest even more money into the platform.
Withdrawal Trap: When Reality Hits
The real trouble begins when users attempt to withdraw their money. Instead of receiving their funds, they are presented with additional fees or verification requirements that must be met before the withdrawal can be processed. This leads victims to deposit even more money in hopes of recovering their original investment. However, these funds are quickly siphoned into attacker-controlled accounts, leaving the victim with nothing but mounting losses.
Global Reach: A Broad Spectrum of Targets
Group-IB’s investigation revealed that this campaign affected users globally, with victims in regions such as the Asia-Pacific, Europe, the Middle East, and Africa. Countries like Japan, South Korea, Cambodia, and Thailand were prime targets for the fake FINANS apps. The fraudulent apps, downloaded thousands of times, exploited the trust users place in platforms like Google Play and the Apple App Store.
Leveraging Web-Based Apps for Stealth
One of the key tactics used by the attackers was embedding the app’s configuration in legitimate services like TermsFeed. This approach allowed the attackers to distribute the app’s web-based interface without raising suspicion. The initial app, available through official stores, acted as a downloader, retrieving a web app URL that hosted the malicious content. This additional layer of deception made it harder for security teams to detect and shut down the operation.
Technical Sophistication: Avoiding Detection
The malicious actors employed several techniques to evade detection by app store security mechanisms. For instance, one app included a time-delayed activation of its malicious payload, allowing it to remain on the store for a longer period before being flagged. Additionally, the use of web-based apps hosted on legitimate services allowed attackers to mask their operations, ensuring that any takedowns of the apps themselves would not fully dismantle the infrastructure behind the fraud.
Phishing Sites: A Key Component
When apps were removed from the app stores, the cybercriminals quickly shifted to distributing them via phishing websites. These sites tricked users into downloading the apps by mimicking legitimate financial platforms. For iOS users, pressing the download button prompted the installation of a .plist file, the over-the-air manifest used for enterprise app distribution, which let the app be installed without going through the usual App Store review and security procedures. This method allowed the attackers to continue distributing the fraudulent apps without relying on the official app stores.
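The sideloading route described above can be checked from the defender's side. The following is an added example, not code from the article or from Group-IB's report: it extracts the manifest URL from an itms-services link on a download page and flags risk indicators in the manifest .plist it points at (an .ipa served over plain HTTP, or from a host outside an assumed allowlist). The allowlist host, the page fragment and the manifest are constructed for the example.

```python
import plistlib
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist: hosts from which the organisation legitimately serves
# enterprise apps and their OTA manifests (e.g. its MDM server).
TRUSTED_HOSTS = {"mdm.example-corp.internal"}

# An OTA install link has the form itms-services://?action=download-manifest&url=<manifest>
ITMS_RE = re.compile(r"itms-services://\?([^\"'\s<>]+)")

def manifest_urls(html: str) -> list[str]:
    """Pull manifest URLs out of any itms-services links found in page HTML."""
    urls = []
    for query in ITMS_RE.findall(html):
        params = parse_qs(query)  # decodes the percent-encoded url= value
        if params.get("action") == ["download-manifest"]:
            urls.extend(params.get("url", []))
    return urls

def manifest_findings(raw: bytes) -> list[str]:
    """Risk indicators for a manifest .plist: .ipa fetched over plain HTTP or from an untrusted host."""
    findings = []
    for item in plistlib.loads(raw).get("items", []):
        title = item.get("metadata", {}).get("title", "?")
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":  # the .ipa itself
                continue
            u = urlparse(asset.get("url", ""))
            if u.scheme != "https":
                findings.append(f"{title}: ipa over {u.scheme or 'no scheme'}")
            if u.hostname not in TRUSTED_HOSTS:
                findings.append(f"{title}: ipa host {u.hostname} not trusted")
    return findings

# Constructed inputs (placeholder .invalid domains): a download-page fragment and
# the manifest it points at, shaped like Apple's documented OTA manifest layout.
SAMPLE_HTML = ('<a href="itms-services://?action=download-manifest&url='
               'https%3A%2F%2Ftrade-login.invalid%2Fm.plist">Download</a>')
SAMPLE_MANIFEST = b"""<plist version="1.0"><dict><key>items</key><array><dict>
<key>assets</key><array><dict><key>kind</key><string>software-package</string>
<key>url</key><string>http://cdn.trade-login.invalid/app.ipa</string></dict></array>
<key>metadata</key><dict><key>bundle-identifier</key><string>com.example.trader</string>
<key>kind</key><string>software</string><key>title</key><string>Trading App</string>
</dict></dict></array></dict></plist>"""

if __name__ == "__main__":
    print(manifest_urls(SAMPLE_HTML))
    print(manifest_findings(SAMPLE_MANIFEST))
```

In practice the same two checks can run in a web-content filter (on the link) and on the manifest fetched from it, so an enterprise-profile install from a host that is not the organisation's MDM server is surfaced before the user is asked to trust the profile.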
False Sense of Security: The Power of Trust
The use of legitimate platforms, such as Apple’s App Store and Google Play, played a critical role in this scam’s success. Many users feel a false sense of security when downloading apps from these trusted sources, assuming that anything listed in these stores must be safe. Cybercriminals capitalized on this misplaced trust to exploit users on a massive scale. The reliance on platforms users trust reinforces the need for greater vigilance, even when using official app marketplaces.
Evasion Tactics: Adaptive and Persistent Threats
Once their apps were removed from the official app stores, attackers demonstrated their adaptability by pivoting to phishing sites and third-party platforms. The fraudsters consistently updated their distribution methods, ensuring that the operation continued despite takedowns and increased scrutiny from app store security teams. This adaptability highlights the persistent nature of these types of scams and the growing sophistication of cybercriminal operations.
Preventive Measures: Safeguarding Against Fake Apps
The key to avoiding these scams is user education and awareness. Users should be cautious when downloading apps, especially those promising high financial returns. Verifying the legitimacy of the platform and reading reviews can help users avoid falling into these traps. Additionally, enabling two-factor authentication (2FA) and using trusted financial platforms with a track record of security can mitigate the risk of being targeted by such scams.
A Persistent Threat
The rise of fake trading apps targeting global users through trusted platforms like the Apple App Store and Google Play highlights the evolving tactics of cybercriminals. As fraudsters become more adept at exploiting these ecosystems, users must remain vigilant and skeptical of investment opportunities that seem too good to be true. With the global reach of this campaign, it is imperative for app stores and cybersecurity experts to implement stronger safeguards to prevent such scams from proliferating further.
By Vladimir Rene