Fraudsters have managed to sneak fake crypto apps into the Apple and Google app stores

According to a new report, fraudsters were able to introduce two fake apps into the app stores operated by Google and Apple, and used them to lure users into bogus cryptocurrency investments.

Sophos researchers said they discovered Ace Pro and MBM_BitScan in the Google Play Store and Apple App Store. The apps are part of a scheme – now colloquially known as “pig butchering” – in which fraudsters establish a relationship with victims, trick them into downloading an app and finally get them to deposit money into it.

Jagadeesh Chandraiah, senior threat researcher at Sophos, said that in one case, fraudsters created a fake profile of a London woman living a lavish life. A victim was contacted and told to download the Ace Pro app – which masquerades as a QR code scanner.

But after downloading the app, users see a fraudulent crypto trading platform that prompts them to deposit cash. All deposited money goes directly to the scammers. One victim who contacted Sophos only discovered the apps were fraudulent after losing $4,000.

According to Chandraiah, the app’s entry into Apple’s App Store was the most surprising, given how difficult it is for malware to get past the company’s security review process. While other malicious apps have been found in the Play Store, this is the first time Sophos has found fraudulent apps in Apple’s store in its two years of investigating pig butchering scams.

In the past, scammers had to jump through far more technical hoops to trick Apple users into installing fake apps, and many victims realized something was wrong when they couldn’t simply download the app from the store.

“By putting an app on the App Store, fraudsters have greatly expanded the pool of potential victims, especially since most users already trust Apple,” said Chandraiah.

“Neither app is affected by iOS’s new Lockdown mode, which prevents fraudsters from loading mobile profiles that are useful for social engineering. In fact, these CryptoRom fraudsters may change their tactics—that is, focus on bypassing the App Store review process—in light of Lockdown’s security features.”

Redirected domain

Chandraiah explained that Sophos believes the fraudsters were able to bypass App Store security by connecting to a remote site with benign functionality when it was originally submitted for review. Chandraiah said the domain included a QR code to make it appear legitimate to app reviewers.

But once the app was approved, the fraudsters were able to redirect it to a domain registered in an undisclosed Asian country.

The other app, MBM_BitScan, is known as BitScan on Google Play. Both apps communicate with the same command-and-control (C2) infrastructure, which in turn talks to a server that poses as a legitimate Japanese crypto company.
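As an added illustration (not code from Sophos or The Record), the following Python check models the review-bypass pattern described above: it compares what an app’s remote endpoint serves after approval against a review-time snapshot and flags any redirect that leaves the original host. All URLs and responses are constructed placeholders; a real monitor would collect them with an HTTP client that has redirect-following disabled.

```python
from dataclasses import dataclass
from hashlib import sha256
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    """One HTTP response seen for the app's remote endpoint (constructed, not live)."""
    url: str
    status: int
    location: Optional[str]  # Location header on a 3xx response, else None
    body: bytes


def host_of(url: str) -> str:
    """Lower-cased hostname with any port and a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def drift_findings(baseline: Observation, chain: List[Observation]) -> List[str]:
    """Compare the endpoint's current redirect chain (first hop to final 200)
    against the review-time baseline. Returns human-readable findings; an
    empty list means the endpoint behaves as it did during review."""
    findings: List[str] = []
    origin = host_of(baseline.url)
    for hop in chain:
        if 300 <= hop.status < 400 and hop.location and host_of(hop.location) != origin:
            findings.append(f"off-origin redirect {host_of(hop.url)} -> {host_of(hop.location)}")
    final = chain[-1]
    if host_of(final.url) != origin:
        findings.append(f"final content served from {host_of(final.url)}")
    if final.status == 200 and sha256(final.body).digest() != sha256(baseline.body).digest():
        findings.append("body differs from review-time snapshot")  # benign updates also trigger this
    return findings


# Constructed data: benign QR-scanner page seen at review time ...
BASELINE = Observation("https://qr-scanner.example-placeholder.test/app", 200, None,
                       b"<h1>QR code scanner</h1>")
# ... and the same URL after approval, now bouncing to a trading-platform host.
POST_APPROVAL_CHAIN = [
    Observation("https://qr-scanner.example-placeholder.test/app", 302,
                "https://trade.scam-placeholder.test/login", b""),
    Observation("https://trade.scam-placeholder.test/login", 200, None,
                b"<h1>Deposit to start trading</h1>"),
]

if __name__ == "__main__":
    for line in drift_findings(BASELINE, POST_APPROVAL_CHAIN):
        print("FINDING:", line)
```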

Sophos notified both Google and Apple about the apps, and both companies said they had removed them.

Apple did not respond to requests for comment. A Google spokesperson told The Record: “The Android app identified as malicious in the report has been removed from Google Play and the developer has been banned.”

Sophos was initially alerted to the scam apps by victims, which triggered a two-year investigation into the trend. “Pig butchering” scams have become extremely popular among cybercriminals as online dating has exploded and more people have become comfortable sending money digitally.

A text sent by scammers to one of the victims.

“CryptoRom and other forms of ‘pig butchering’ initially targeted China and Taiwan. Early scams focused on online gambling with insider information, using tactics similar to CryptoRom. During the COVID-19 pandemic, the scams spread worldwide and evolved into fraudulent foreign exchange and cryptocurrency trading. We are tracking this threat actor as ‘ShaZhuPan’,” said Chandraiah.

“As Chinese authorities began to crack down on these scams and prosecute some of the perpetrators, some of the gangs behind them fled to smaller Southeast Asian countries, including Cambodia, where they now operate in special economic zones (SEZs).”

According to Sophos, the groups take advantage of lax anti-money-laundering laws and human trafficking in countries such as Cambodia. The economic disruption caused by COVID-19 forced many people to accept job offers abroad, which turned out to be scams linked to pig butchering operations.

Many – smuggled from countries such as India, China and Malaysia – had their passports confiscated and were forced to work for these operations to get their passports back. They are given a script to follow when approaching victims and instructions on how to get victims to send money.

Sophos noted that while it may seem surprising that anyone would fall for these scams, the victims it spoke to were almost always well educated. Most victims said their relationships with the fraudsters lasted for months, during which they were allowed to make small profits on their initial transactions on the fraudulent financial websites or apps.

Many of the scammers also share fake screenshots of the money they claim to earn on the scam platforms. The majority of victims who spoke to Sophos said they had recently experienced a major change in their lives and were emotionally vulnerable to this type of operation, where fraudsters contacted them daily and shared news about their daily lives.

Fake photos shared with a victim of scam apps.

Jonathan Greig is a Breaking News reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before moving back to New York, he worked for news agencies in South Africa, Jordan, and Cambodia. He previously covered cybersecurity for ZDNet and TechRepublic.
