Fake Android, iOS apps promise lucrative investments while stealing your money

Hundreds of malicious cryptocurrency, stock, and banking apps have been discovered by researchers.

Researchers have discovered hundreds of malicious mobile apps that are exploiting interest in cryptocurrency and stocks to steal from victims. 

Sophos researchers said on Wednesday that a tip-off relating to a fake mobile trading app led to the discovery of a server containing "hundreds" of malicious trading, banking, foreign exchange, and cryptocurrency apps designed for the Android and iOS platforms. 

Mobility has meant that stock trading and investment opportunities are now widely available and far more accessible than before. Rather than having your money managed by a particular fund or agency in return for a fee, users can now select their own investments with a single swipe.

Social media has become a hotbed of pump-and-dump or "meme" stock chat and trading tips, and cryptocurrency, too, has become a popular topic of discussion for eager investors. 

However, the ease of downloading a mobile application to explore investment opportunities has also created an avenue for cybercriminals to exploit. 

According to Sophos, the apps found included counterfeit software created to impersonate well-known, legitimate, and trusted brands including Barclays, Gemini, Kraken, TDBank, and Binance. 

The operators have created dedicated websites linked to each individual app, tailored to appear as the impersonated organizations in an effort to improve the apparent legitimacy of the software -- and the likelihood of a scam being successful. 

Sophos' investigation into the apps began with a report of a single malicious app masquerading as a trading company based in Asia, Goldenway Group. 

The victim, in this case, was targeted through social media and a dating website and lured to download the fake app.

Rather than relying on mass spam emails or phishing, attackers may now also take a more personal approach and try to forge a relationship with their victim, such as by pretending to be a friend or a potential love match. Once trust is established, they will then offer some form of time-sensitive financial opportunity and may also promise guaranteed returns and excellent profits. 

However, once a victim downloads a malicious app or visits a fake website and provides their details, they are lured into opening an account or cryptocurrency wallet and transferring funds. Scammers will then vanish with the money and block their victims. 

Sophos says that the apps discovered on the server were being pushed through the same infrastructure and through a "Super Signature process" abused to bypass security protections and mechanisms used by official app repositories. 

In the case of iOS, the process -- designed for small app developers to conduct legitimate test deployments before submission -- requires a target device to download and install a manifest file to accept the package, and then the device's ID is sent to a registered developer account. An .IPA package containing the app is then pushed to the user for download. 

"While many of these Super Signature developer services may be targeted at helping legitimate small app developers, we found in our investigation that the malware used many such third-party commercial app distribution services," the researchers say. "These services offered options for 'One-click upload of App Installation' where you just need to provide the IPA file. They advertise themselves as an alternative to the iOS App Store, handling app distribution and registration of devices."

In some cases, the distribution services dropped web clips that added a link to a malicious web page directly to a victim's home screen rather than pushed IPA files. 

When it comes to Android abuse, users are asked to install and launch an app, create an account, and then begin trading. The apps appeared to be real and in some cases included elements such as cryptocurrency price tracking. However, wallets are either controlled by cybercriminals or the funds required to start trading are requested to be sent to bank accounts registered in Hong Kong.

It appears that Asia is primarily being targeted by the network, as one of the servers referenced in an app led to the discovery of uploaded records including ID cards, driver's licenses, passport photos, and more from nationals in South Korea, China, Malaysia, and Japan. 

"We believe the ID details could have been used to legitimize financial transactions and receipts by the crooks as a confirmation about the deposits from the victims," Sophos says. "We also found several profile pictures of attractive people likely used for creating fake dating profiles, which suggests that dating could have been used as a bait to lure victims."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0