Despite Google’s and even Apple’s best efforts, malicious apps still manage to slip through their defenses. Normally we see more of these bad apps on the Play Store, but this time a pair ended up on the App Store.
According to a new report from Sophos, a Chinese cybercriminal group named “ShaZhuPan” managed to get two cryptocurrency scam apps listed on Apple’s App Store and another on the Play Store.
The apps in question are named “Ace Pro” and “MBM_BitScan” for iOS and “BitScan” for Android. While they have all been removed from Google’s and Apple’s respective app stores, you will need to delete them manually if any of them are installed on your smartphone.
Pig butchering scam
In this campaign, Sophos says the scammers used Facebook and Tinder to target primarily male victims, using images stolen from other social media platforms. BleepingComputer notes that all of these images showed off a lavish lifestyle, with photos of fancy restaurants, expensive stores, exotic locations and, of course, beautiful women.
Although the end goal of these malicious apps was to scam victims into investing in cryptocurrency, the cybercriminals behind them used a technique known as pig butchering throughout the operation. Pig butchering scams originated in China, and the idea behind them is to “fatten victims up and then take everything they’ve got,” according to Wired.
Once the scammers gain a victim’s trust, they claim to have an uncle who works at a financial analysis company. Through this relative, they offer to trade cryptocurrency using an app from either the Play Store or the App Store. The fake crypto apps looked like other trading apps, and the fact that users were initially able to withdraw small amounts of cryptocurrency helped build further trust. However, when victims tried to withdraw large amounts, the apps locked their accounts.
With a locked account, victims soon realized they would not be able to get back any of the money they had invested through these fake crypto apps.
Bypassing Apple’s stringent security checks
Apple is known for having the most rigorous security checks when it comes to getting an app listed on its App Store.
To get around these restrictions, the ShaZhuPan gang first submitted the apps used in this campaign signed with a valid certificate issued by Apple. Until the apps were approved, they connected to a harmless server and appeared to be legitimate. After they passed Apple’s review, the developers changed the domain so the apps connected to a malicious server instead.
Once a victim launched one of these apps, they were presented with a crypto trading interface that was delivered from this malicious server. While everything else in the apps was fake, the deposits made by users weren’t.
Sophos also discovered that the BitScan apps for both Android and iOS have a different vendor name but use the same command and control (C&C) server to steal money from unsuspecting users.
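The two defender-side signals the article describes, an app whose review-time server is swapped for a different one after release, and apps from different vendors that talk to the same command and control server, can both be checked mechanically once you have per-version network observations for an app. The following script is an added example, not code from Sophos or from the article; the app names echo the story, but the vendors, domains and the observation records are constructed placeholders, and the idea of comparing review-time and post-release domain sets is an assumption about how such monitoring would be organized, not a description of Apple’s or Google’s review process.

```python
"""Added example: flag post-review server switches and shared C&C infrastructure.

All records below are constructed for illustration. Vendor names and domains are
placeholders, not values from the Sophos report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class AppObservation:
    """Domains an app contacted while under store review vs. after release."""
    name: str
    platform: str
    vendor: str
    domains_during_review: Set[str]
    domains_after_release: Set[str]


# Constructed sample. "Harmless Notes" is a benign control: it adds a CDN host
# after release but keeps talking to its original API, so it must not be flagged.
SAMPLE: List[AppObservation] = [
    AppObservation("Ace Pro", "iOS", "vendor-a.example",
                   {"benign-review.example"}, {"c2-placeholder.example"}),
    AppObservation("MBM_BitScan", "iOS", "vendor-b.example",
                   {"benign-review.example"}, {"c2-placeholder.example"}),
    AppObservation("BitScan", "Android", "vendor-c.example",
                   {"c2-placeholder.example"}, {"c2-placeholder.example"}),
    AppObservation("Harmless Notes", "iOS", "vendor-d.example",
                   {"notes-api.example"}, {"notes-api.example", "cdn.notes-api.example"}),
]


def domain_switches(observations: List[AppObservation]) -> List[str]:
    """Return app names whose post-release domains share nothing with the
    domains seen during review. Merely adding a host (a CDN, a new API
    version) is not a switch; the review-time backend must have disappeared."""
    flagged = []
    for obs in observations:
        if obs.domains_during_review and obs.domains_during_review.isdisjoint(obs.domains_after_release):
            flagged.append(obs.name)
    return sorted(flagged)


def shared_infrastructure(observations: List[AppObservation]) -> Dict[str, Set[str]]:
    """Map each post-release domain to the set of distinct vendors using it,
    keeping only domains shared by more than one vendor. Different vendor
    names behind one backend is the pattern Sophos saw with the BitScan apps."""
    vendors_by_domain: Dict[str, Set[str]] = defaultdict(set)
    for obs in observations:
        for domain in obs.domains_after_release:
            vendors_by_domain[domain].add(obs.vendor)
    return {d: v for d, v in vendors_by_domain.items() if len(v) > 1}


def report(observations: List[AppObservation]) -> str:
    """Human-readable summary of both checks."""
    lines = ["Apps whose review-time server was replaced after release:"]
    lines += [f"  - {name}" for name in domain_switches(observations)] or ["  (none)"]
    lines.append("Domains contacted by apps from more than one vendor:")
    for domain, vendors in sorted(shared_infrastructure(observations).items()):
        lines.append(f"  - {domain}: {', '.join(sorted(vendors))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Both checks need observations captured at two points in time, which is the practical lesson of the story: a single review-time snapshot of an app’s network behaviour says nothing about what it does once the developer changes the server it points to.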
How to stay safe from fraudulent apps
Even if you don’t sideload apps and only download new apps from official app stores, you can still inadvertently end up installing fraudulent or malicious apps. This is why you need to be extra careful when putting any new app on your phone.
You should always check an app’s ratings and reviews in the App Store or Play Store before downloading, but look at external reviews too, since scammers have been known to create fake app reviews. Video reviews showing how an app actually works are even better. It is also worth remembering that if an app seems too good to be true, it probably is.
If you have an Android phone, you want to ensure that Google Play Protect is enabled as it scans both your old and new apps for malware. Likewise, the best Android antivirus apps provide even more protection against malicious apps.
Now that ShaZhuPan has brought attention to how cybercriminals can get their malicious apps listed on the App Store, Apple may try to come up with a way to prevent app developers from changing the servers their apps point to after being approved.