The cybersecurity company Sophos has published new research on the sophisticated financial fraud schemes known as CryptoRom scams, which dupe users of dating apps into making fictitious cryptocurrency investments.
The first bogus CryptoRom apps, Ace Pro and MBM BitScan, allegedly managed to get past Apple’s stringent security measures, according to Sophos’ most recent research, “Fraudulent Trading Apps Sneak into Apple and Google App Stores.”
It notes that in the past, fraudsters had to use workarounds to persuade users to install iPhone apps that had not been approved by the Apple App Store.
According to Sophos, both Apple and Google were contacted immediately about the phony apps, and both companies have since removed them from their respective stores.
Jagadeesh Chandraiah, Senior Threat Researcher, Sophos, said: “In general, it’s hard to get malware past the security review process in the Apple App Store. That’s why, when we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app.”
“This obviously involves an additional level of social engineering—a level that’s hard to surmount. Many potential victims would be ‘alerted’ that something wasn’t right when they couldn’t directly download a supposedly legitimate app. By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly, since most users inherently trust Apple.”
Chandraiah added: “Both apps are also not affected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering. In fact, these CryptoRom scammers may be shifting their tactics—i.e., focusing on bypassing the App Store review process—in light of the security features in Lockdown.”
He explained that in the Ace Pro case, for example, the con artists constructed and actively maintained a bogus Facebook profile and persona of a woman purportedly leading a luxurious lifestyle in London in order to entice the victim.
“After building a rapport with the victim, the scammers suggested the victim download the fraudulent Ace Pro app and the cryptocurrency fraud unfolded from there.
“Ace Pro is described in the app store as a QR code scanner but is a fraudulent crypto trading platform. Once opened, users see a trading interface where they can supposedly deposit and withdraw currency. However, any money deposited goes directly to the scammers,” he continued.
Sophos believes that, to get past App Store review, the scammers had the app connect to a remote website when it was first submitted for review.
To give the app a credible appearance to reviewers, that domain also hosted QR-scanning code. However, once the app was accepted, the fraudsters changed its URL to point to a site registered in Asia. That domain in turn makes a request to another server, which responds with the content that ultimately delivers the phony trading interface.
According to Sophos, MBM BitScan is also available as an Android app, listed on Google Play under the name BitScan.
According to the research, the two apps connect to the same command-and-control (C2) infrastructure, which in turn connects to a server that appears to belong to a real Japanese crypto company.
Because everything else is done through a web interface, it is difficult for Google Play’s code reviewers to identify the app as fraudulent.
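As an added illustration (not code from the Sophos report or this article) of how a defender might look for the two signals described above, the Python below takes constructed network telemetry and flags apps whose backend domain after approval differs from what was seen during review, and clusters apps that share backend infrastructure. App names come from the report; every host, date and telemetry record is a placeholder.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed sample telemetry (not real data): (app, observation date, URL contacted).
# App names are from the Sophos report; hosts live in the reserved .example TLD.
OBSERVATIONS = [
    ("Ace Pro", date(2022, 11, 1), "https://qr-scan.example/api/decode"),    # seen during review
    ("Ace Pro", date(2022, 12, 10), "https://trade-front.example/app"),      # after approval
    ("Ace Pro", date(2022, 12, 11), "https://c2-backend.example/content"),
    ("BitScan", date(2022, 10, 20), "https://charts.example/v1/prices"),
    ("BitScan", date(2022, 12, 12), "https://c2-backend.example/content"),
    ("NotesApp", date(2022, 11, 10), "https://sync.notes.example/v2"),       # benign control app
    ("NotesApp", date(2022, 12, 1), "https://sync.notes.example/v2"),
]
# Constructed approval dates; anything observed after this date is post-review behaviour.
APPROVED = {
    "Ace Pro": date(2022, 11, 15),
    "BitScan": date(2022, 11, 1),
    "NotesApp": date(2022, 11, 20),
}


def registrable_domain(url: str) -> str:
    """Last two labels of the host. A real deployment would use the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def backend_drift(observations, approved):
    """Apps whose post-approval backend domains were never seen during review."""
    seen = defaultdict(lambda: {"review": set(), "live": set()})
    for app, when, url in observations:
        phase = "review" if when <= approved[app] else "live"
        seen[app][phase].add(registrable_domain(url))
    return {app: sorted(s["live"] - s["review"])
            for app, s in seen.items() if s["live"] - s["review"]}


def shared_infrastructure(observations):
    """Domains contacted by more than one distinct app (shared C2 is a strong signal)."""
    apps_by_domain = defaultdict(set)
    for app, _, url in observations:
        apps_by_domain[registrable_domain(url)].add(app)
    return {d: sorted(a) for d, a in apps_by_domain.items() if len(a) > 1}


if __name__ == "__main__":
    print("backend drift:", backend_drift(OBSERVATIONS, APPROVED))
    print("shared infrastructure:", shared_infrastructure(OBSERVATIONS))
```

The drift check depends on having a review-time baseline for each app; without one, every post-approval domain looks new, so a benign app would be flagged too.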