Cybersecurity firm Sophos said on Monday that it had discovered a stash of as many as 167 counterfeit apps that cybercriminals were using to steal money from users who believed they had installed legitimate financial trading, banking or cryptocurrency applications on Android and iOS.
Social Engineering Techniques
As per the cybersecurity firm, cybercriminals used familiar social engineering techniques, counterfeit websites, and a fake iOS App Store download page. They also used an iOS app-testing website to get users to download the fake applications.
Researchers discovered that most of these fake applications were identical to each other. Some apps came with a customer support chat option. When contacted, the support chats used near-identical language as well. Researchers discovered a single server with 167 fake trading and cryptocurrency apps. Sophos believes these 167 apps are run by a single entity or group.
In one of the cases, scammers befriended users through a dating app. Scammers set up a profile and exchanged messages with an individual before getting them to download a fake application. When the individual tried to withdraw money or close the account, scammers simply shut their account access.
Individuals were targeted through sites that looked identical to a legitimate brand, such as a bank. Scammers even set up a fake app store download page to get individuals to download the app. The download page also featured customer reviews, which obviously were fake. When individuals downloaded the app, it opened as a mobile web app and was a shortcut to a fake website.
“People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that,” said Jagadeesh Chandraiah, Sr. Researcher at Sophos.
“The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable.”
Methods to Avoid Such Apps
To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s App Store. Developers of popular apps often have a website that directs users to the genuine app. Users should verify that the app was developed by its genuine developer. We also advise users to consider installing an antivirus app on their mobile device, such as Sophos Intercept X for Mobile, which defends their device and data from such threats.
The distribution scheme used in these fraud campaigns poses a larger threat. The Super Signature process can be abused by crooks to install additional malware in a targeted way on vulnerable users’ devices. This threat could (and should) be mitigated by Apple, which could stop abuse of third-party app distribution by alerting users when Super Signature distribution is used to install apps, or when such ad-hoc distributed apps are in use on the device.