The first fake applications used by cybercriminals to carry out “CryptoRom” scams have made it into the official Apple App Store. Cybersecurity firm Sophos discovered the apps after being approached by victims of the scams.
Sophos released the findings in its latest report, Fraudulent Trading Apps Sneak into Apple and Google App Stores. The report details the first fake CryptoRom apps — Ace Pro and MBM_BitScan — to successfully bypass Apple’s strict security protocols. Previously, cybercriminals used workaround techniques to convince victims to download illegitimate iPhone apps that were not sanctioned by the Apple App Store. Sophos immediately notified Apple and Google; both have since removed the fraudulent apps from their respective stores.
CryptoRom is an elaborate scam using a combination of romance-based social engineering and fraudulent crypto trading applications to swindle users out of millions. CryptoRom is a subset of a family of scams known as “sha zhu pan” (pig-butchering).
The actors behind CryptoRom and other forms of “pig butchering” schemes are branching out: they initially targeted people in Taiwan and China, but starting during the Covid-19 pandemic they began targeting people around the world.
According to reports by Chinese law enforcement organisations that targeted these operations in China, CryptoRom groups follow a business structure that mimics a corporate organisational model. At the top is a head office, which handles supervision and money laundering. The head office sub-contracts scam operations to affiliate organisations.
These franchise operations, also called agents, have their own division of labour:
- The “front desk” team handles logistics, human trafficking of new workers (more on this below), and site management.
- The tech team handles websites and applications.
- The finance team handles the local finance operations; profits are divided 40:60 between the head office and franchise.
- Keyboarders are at the bottom of the crime chain and handle the majority of the interaction with victims.
“Many potential victims would be ‘alerted’ that something wasn’t right when they couldn’t directly download a supposedly legitimate app,” said Jagadeesh Chandraiah, senior threat researcher at Sophos. “By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.
“Both apps are also not affected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering. In fact, these CryptoRom scammers may be shifting their tactics — i.e., focusing on bypassing the App Store review process — in light of the security features in Lockdown.”
In the Ace Pro case, for instance, the scammers lured the victim by creating and actively maintaining a fake Facebook profile and persona of a woman supposedly living a lavish lifestyle in London. After building a rapport with the victim, the scammers suggested the victim download the fraudulent Ace Pro app, and the cryptocurrency fraud unfolded from there.
The second victim lost $4,000 to the scam.
Ace Pro is described in the app store as a QR code scanner but is a fraudulent crypto trading platform. Once opened, users see a trading interface where they can supposedly deposit and withdraw currency. However, any money deposited goes directly to the scammers.
In order to get past App Store security, Sophos believes, the scammers had the app connect to a remote website with benign functionality when it was originally submitted for review. The site served QR-scanning code to make the app look legitimate to app reviewers. However, once the app was approved, the scammers redirected the app to an Asian-registered domain. The app’s request to this domain is answered with content from another host, which ultimately delivers the fake trading interface.
MBM_BitScan also has an Android version, listed on Google Play as BitScan. The two apps communicate with the same Command and Control (C2) infrastructure; this C2 infrastructure then communicates with a server that resembles a legitimate Japanese crypto firm. Everything else that is malicious is handled in a web interface, which is why it is hard for Google Play’s code reviewers to detect the app as fraudulent.
CryptoRom, a subset of a family of scams known as sha zhu pan (杀猪盘)—literally “pig butchering plate”—is a well-organised, syndicated scam operation that uses a combination of romance-centred social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence. Sophos has been tracking and reporting on these scams, which reap millions of dollars, for two years.
Learn more at Fraudulent CryptoRom Trading Apps Sneak into Apple and Google App Stores on Sophos.com.