Cybersecurity firm Sophos has identified a stash of 167 counterfeit Android and iOS apps that attackers are using to steal money from people who believe they have installed a financial trading, banking or cryptocurrency app from a well-known and trusted organization.
The attackers distribute these applications through social engineering and counterfeit websites: they use dating sites to lure in victims, and set up websites designed to look like those belonging to legitimate companies. These websites forward victims to third-party sites that deliver, depending on the device used, either iOS mobile applications via configuration management schemes (iOS mobile device management payloads carrying "Web Clips") or Android apps.
Sophos's investigation identified fake Android and iOS apps disguised as trading and cryptocurrency apps, along with a fake iOS App Store download page and an iOS app-testing website used to distribute the fake apps to unsuspecting users.
Some of the apps included an embedded customer support "chat" option. When researchers tried to communicate with the support teams using the chat, the replies they received used near-identical language.
The researchers also uncovered a single server loaded with 167 fake trading and cryptocurrency apps, suggesting that the scams could all be operated by the same group. The operators also distributed some of the fake iOS apps via third-party websites that help iOS developers test new applications with a limited number of Apple device users before they submit apps to the official App Store.
In one of the schemes investigated, the scammers befriended users via a dating app, setting up a profile and exchanging messages with individual targets before attempting to lure them into installing and adding money and cryptocurrency to a fake app. If targets later tried to withdraw funds or close the account, the attackers simply blocked their access.
In other cases, targets were caught through websites designed to resemble those of a trusted brand, such as a bank. The operators even set up a fake "iOS App Store" download page featuring fake customer reviews in order to convince targets they were installing an app from the genuine App Store.
"People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that," said Jagadeesh Chandraiah, a senior threat researcher at Sophos. "The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable."
While most app store providers take steps to mitigate such abuse, such as encouraging users to download content only from trusted app stores, some users find the offers too good to be false and confidently install the apps, only realizing they have been scammed later.
Apple, for instance, protected its customers from over $1.5 billion in potentially fraudulent transactions at the App Store in 2020 alone, using a combination of technology and human oversight.
The company further said, "Threats have been present since the first day the App Store launched on iPhone, and they've increased in both scale and sophistication. Apple has scaled its efforts to meet those threats, taking relentless steps forward to combat them."