iOS and Android Security Scare: Two Apps Found Supporting 'Pig Butchering' Scheme (forbes.com)
"Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users."
That's the title of a new report released this week by cybersecurity company Group-IB revealing the official Apple App Store and Google Play store offered apps that were actually one part of a larger fraud campaign. "To complete the scam, the victim is asked to fund their account... After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so."
Forbes reports: Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call. The attackers spent weeks on each target. Only when this "fattening up" process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned.
When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps.
"The use of web-based applications further conceals the malicious activity," according to the researchers, "and makes detection more difficult." [A]fter the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational... Once a user registers with the fraudulent application, they are tricked into completing several steps. First, they are asked to upload identification documents, such as an ID card or passport. Next, the user is asked to provide personal information, followed by job-related details...
The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL. In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets. We believe this approach was deliberate, since the first app was available in the official store, and the cybercriminals likely sought to minimise the risk of detection. As previously noted, the app posed as a tool for mathematical formulas, and including personal trading accounts within an iOS app would have raised immediate suspicion.
The app (which only runs on mobile phones) first launches a fake activity with formulas and graphics, according to the researchers. "We assume that this condition must bypass Apple's checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store." They argue their research "reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims". But it also highlights "the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps..."
"Our investigation began with an analysis of Android applications at the request of our client. The client reported that a user had been tricked into installing the application as part of a stock investment scam. During our research, we uncovered a list of similar fraudulent applications, one of which was available on the Google Play Store. These apps were designed to display stock-related news and articles, giving them a false sense of legitimacy."
What's the name of the dodgy app? (Score:5, Insightful)
I read this three times now and still don't know the name of the dodgy apps I should be on the lookout for. Considering just this morning my wife told me about some app I had never heard of that a friend of hers is using for investments, and that she wants to start using, this is a concern for me.
Re: (Score:3)
That is probably an effect of "litigation nation": The press is afraid to name and shame.
Re: (Score:2)
That, and also it's largely irrelevant in case of mobile apps.
Say, the app name is "This Is Totally Not A Scam App Pro". Tomorrow, it could be taken off and replaced with "Yet Another Not A Scam App Ultra". And so on.
Knowing one app name has zero impact on making people more secure from this kind of attack.
Knowing how to identify shady app behavior has a much larger impact; however, there are so many gullible people out there that it's not going to be of much help either. Those who know how to protect themselv
Re: (Score:2)
Holding app store's companies accountable for any app that behaves inappropriately would be the best solution. And I mean FULL accountability. Good luck with that, though.
Indeed. Liability is the only thing that will reduce this crap to acceptable levels. Unfortunately we have some really large and really rich peddlers of crap software and the last thing they want is having to take responsibility for their crap.
Re: What's the name of the dodgy app? (Score:2)
Holding app store's companies accountable
What company? Yet another "Not a dodgy app store site"?
phishing websites to distribute both iOS and Android apps.
I didn't think that this was possible (or at least easy) with iOS.
Re: (Score:3)
Any trading platform that requires you to buy crypto money to trade is probably a scam.
Re:What's the name of the dodgy app? (Score:5, Insightful)
Any trading platform that requires you to buy crypto money to trade is probably a scam.
Anything that involves cryptocurrencies in any way is probably a scam. I mean, it's possible that it's not, but the odds aren't good.
Re: (Score:1)
They do not require crypto currencies.
They deduct dollars from your debit or credit card.
Then for whatever you buy, they fake the value and balance of your account.
Just like in a computer game.
Re: (Score:2)
Re: (Score:1)
It's called Robinhood. Or at least I've had the same issue with that app. When I signed up a few years ago I had to verify my identity and then I could simply login with a username and password the same as any other online service. Around a year ago I tried logging in again to check my tax info and I couldn't. Without notice they changed their login requirements. Now you have to either submit a copy of your license and biometrics or you have to directly give them access to your bank account (reporting
Re: (Score:1)
Actually I tried to login today and it worked this time. Had to set a pin. I guess someone listened to my complaint a few months ago and fixed it.
Re: (Score:1)
The solution is simple: Do not be a pig (Score:2)
If it looks too good to be true, it is. Stay away.
Re: (Score:2)
Agreed. But people (not all people, but a huge chunk) are, ahem "as greedy as a pig", as good ole Brick Top used to say.
Re: (Score:3)
Indeed. This is one thing the education system could fix, but refuses to: teach how scams are done. And scams are neither new nor do they require the Internet. Sure, there is the "scam victim personality", people who are so disconnected from reality they will fall for scams time and again, but any reduction in scam victims will reduce the problem disproportionately.
But somehow a really important aspect of modern life is excluded in school. My theory is that too many politicos essentially run on the same model an
Re: (Score:2)
"American Gods" should be mandatory reading in every school.
Re: (Score:1)
"Insert bitcoin here for double-dee's"
People are easily distracted (Score:2)
A half-wary person would be asking what country those documents are going to, and what money-handling license the app publisher holds. In meat-space, landlords are demanding tax returns and annual 'security' deposits, now: If you don't want criminals getting rich, don't allow any random person to declare 'show me or else (you get nothing)'. In short, the privacy of people conducting business should be protected by law.
The app-user has essentially signed their life away. How short-sighted does one have t
For anyone who hasn't heard that name (Score:3)
wikipedia.org: Pig_butchering_scam [wikipedia.org]
Mmm... (Score:2)
Another scummy iOS app: ABC Sports (Score:2)
There's an easy solution to this problem (Score:3, Interesting)
Sue Apple for all monetary losses. Oh, and have the FTC drop a massive fine on them too.
Apple repeatedly touts [apple.com] how secure their app store is, and they've used "consumer security and privacy" [pymnts.com] as an excuse for their stringent App Store policies in legal defenses in lawsuits accusing them of monopolistic practices. Yet, they facilitate and profit from the fraud, whether it's getting a cut of app ad revenue, or app purchases, or in-app transactions, or through the sale of the phone used for the fraud itself. Whenever anyone points the finger at Apple for sharing some of the responsibility, Apple immediately turns to its terms of service [apple.com] and says "Apple is not responsible for customer purchases and use of the app store."
This another example of corporate abuse of consumers, where it's "Heads I win, tails you lose." Fuck our corporate overlords.
Re: (Score:3)
Something like IM Academy? (Score:1)
Making users think they are investing with an investment app while in reality it's all fake money and results?
Trust (Score:2)
seemingly trustworthy apps...
Apps aren't trustworthy. The people or organizations behind them are. If you don't know who is standing behind the app, don't use it.
I wonder what would happen if the next time someone cold-calls me with such a deal, I request that they send me a copy of their drivers license and tax return first. I'll incur some hearing loss from their phone slamming down, I imagine.*
*I miss land lines. The certainty with which a call has been disconnected just cannot be established with an iPhone.