Operators of high-yielding investment scams known as “pig butchering” have found a way to bypass the defenses in Google Play and Apple’s App Store, the official repositories for Android and iOS apps.
Pig butchering scams have been happening for a few years. They use involve fake websites, malicious advertising, and social engineering. By adding fraudulent apps to official download platforms, scammers can gain a victim’s trust easier.
Researchers at cybersecurity company Sophos say that the scammers are targeting victims on Facebook or Tinder and convince them to download the fraudulent apps and “invest” large amounts of money into assets purported to be real.
Sophos observed such a campaign from a China-based threat group named “ShaZhuPan,” which shows high organizational levels with distinct teams doing victim interaction, finance, franchise, and money laundering.
The fraudsters appear to target male users over Facebook and Tinder using women’s profiles with stolen images from other social media accounts.
The profiles the scammers control were built to reflect a lavish lifestyle, with photos of high-end restaurants, expensive shops, and exotic locations.
After gaining the victims’ trust, the scammers say that they have an uncle working for a financial analysis firm and launch an invitation to trade cryptocurrency via an app on Play Store or App Store. Obviously, the victim is directed to a fake app.
The fraudsters guide the victim through their first investment, instructing them to create a deposit on the legitimate cryptocurrency exchange platform Binance and then transfer the amount to the fake app.
“Pig butchering” apps
The malicious apps used in the campaign that Sophos observed are named “Ace Pro” and “MBM_BitScan” on the Apple App Store and “BitScan” on Play Store.
The apps let the victim withdraw small amounts of cryptocurrency initially but then lock their accounts when larger amounts are involved. However, the initial withdrawal is enough to make the victims trust the scheme and keep investing.
The method used to bypass the security checks in the mobile apps stores is quite simple. For infiltrating the App Store, the ShaZhuPan gang submits an app signed with a valid certificate issued by Apple, a requirement for getting any code to be accepted into the iOS repository.
Until the approval is obtained, the app connects to a benign server and its behavior is legitimate. Once it passes the review, the developer changes the domain and the app connects to a malicious server.
After launching the app, the victim sees a cryptocurrency trading interface delivered from the malicious server. However, everything displayed is fake, except for the user’s deposit.
Sophos researchers discovered that the BitScan apps for Android and iOS have a different vendor name but communicate with the same command and control server, from a domain that appears to impersonate bitFlyer, a legitimate cryptocurrency exchange company in Japan.
Because these apps are only downloaded by a small number of targeted users, they’re not massively reported for fraud, making it hard for app store security reviewers to identify them as fraudulent and remove them.
Don’t get scammed
Pig butchering scams yield high profits in a short time, so the scammers are motivated to put in the time and effort to gain the trust of their victims through extensive communication.
This lengthy engagement, the initial withdrawal, and the convincing interface in the fake apps make it difficult for the victim to see through the scam.
Sophos also points out that the emergence of “FinTech” has normalized people’s trust in these software tools and when the apps are sourced from official Apple and Google stores, the sense of legitimacy is high.