Deceptive Trading Applications Aim at Victims Worldwide through Apple App Store and Google Play
According to research by Group-IB, a widespread fraudulent scheme used counterfeit trading apps on the Apple App Store and Google Play Store, together with phishing websites, to deceive victims.
The scheme forms part of a consumer scam commonly referred to as pig butchering, where potential victims are enticed into investing in cryptocurrency or other financial products under the pretense of a romantic relationship or an investment advisor.
Such deceptive acts and manipulative ploys often result in victims losing their money and, at times, in the scammers extorting additional payments from them in the form of various fees.
The fraudulent campaign, known as UniShadowTrade, has a worldwide impact, with reported victims spanning Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent applications, built using the UniApp Framework, are grouped under this name.
This operation has reportedly been active since at least mid-2023, attracting victims with malicious apps promising rapid financial gains. A noteworthy element of this threat is that one of the apps successfully bypassed Apple’s App Store review process, giving it an appearance of legitimacy and trust.
The now-unavailable SBI-INT app, misrepresented as a tool for “commonly used algebraic mathematical formulas and 3D graphics volume area calculation,” was the one that slipped through review.
It is suspected that the cybercriminals achieved this by implementing a check in the app’s source code that launches a fake screen containing formulas and graphics if the current date is before July 22, 2024, 00:00:00.
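As an added illustration of how a defender might hunt for this kind of review-evasion time gate (example code written for this article, not Group-IB's tooling): it scans a constructed strings dump from a decompiled build for date literals and Unix timestamps that fall after the app's submission date. The submission date and every string other than the 22 July 2024 gate value are assumed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed strings dump from a decompiled build. The 2024-07-22 value (and its
# Unix-epoch form 1721606400) is the gate date from the report; the rest are placeholders.
SAMPLE_STRINGS = """\
_OBJC_CLASS_$_FormulaCalculatorViewController
2024-07-22 00:00:00
1721606400
https://config.placeholder.test/terms
1.0.3
20240101
"""

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
EPOCH_TS = re.compile(r"\b1[5-9]\d{8}\b")   # 10-digit Unix timestamps, roughly 2017..2033

def find_time_gates(strings: str, submitted: datetime) -> list[tuple[str, datetime]]:
    """Return string literals that encode a date later than the submission date.
    A hard-coded future date sitting next to a branch that swaps the UI is the
    classic shape of a review-evasion time gate, so each hit deserves a manual look."""
    hits = []
    for line in strings.splitlines():
        for m in ISO_DATE.finditer(line):
            try:
                when = datetime(int(m[1]), int(m[2]), int(m[3]), tzinfo=timezone.utc)
            except ValueError:          # e.g. a version-like 9999-99-99 is not a date
                continue
            if when > submitted:
                hits.append((m[0], when))
        for m in EPOCH_TS.finditer(line):
            when = datetime.fromtimestamp(int(m[0]), tz=timezone.utc)
            if when > submitted:
                hits.append((m[0], when))
    return hits
```

Run against a build submitted before the gate date, both encodings of 22 July 2024 surface; submitted after it, nothing does, which is exactly why reviewers cannot rely on a single-clock dynamic test.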
After its removal a few weeks post-release, the threat actors transitioned to disseminating the app, for iOS and Android, through phishing sites.
Group-IB researcher Andrey Polovinkin explained, “iOS users who click the download button will download a .plist file, which then prompts iOS to request permission for the app installation.”
“However, the app cannot be launched immediately after downloading. The cybercriminals instruct the victim to manually trust the Enterprise developer profile. Once this step is completed, the fake app becomes operational.”
Users who install and open the app are met with a login page, where they must enter their phone number and password. The registration necessitates the input of an invitation code, indicating that the scammers target specific individuals for their fraud.
Upon successful registration, victims are subjected to a six-step attack process that involves submitting identity documents, personal details, job information, agreeing to service terms, and making financial investments.
Subsequent to the deposit, the scammers provide further instructions on which financial instrument to invest in, promising exorbitant returns, duping users into pouring in more money. The app displays false gains to maintain the deception.
Trouble ensues when victims attempt to withdraw funds, as they are coerced into paying additional fees to retrieve their principal investments and supposed profits. In reality, the funds are siphoned off to accounts controlled by the criminals.
Another notable tactic employed by the cybercriminals is the use of an embedded configuration containing details such as the login page URL and other aspects of the bogus trading web application hosted within the app.
This configuration data is stored in a URL linked to TermsFeed, a legitimate service offering software for generating privacy policies, terms and conditions, and cookie consent banners.
“The first discovered application, released via the Apple App Store, acts as a downloader, merely fetching and displaying a web-app URL,” Polovinkin mentioned. “Conversely, the second application, obtained from phishing sites, already integrates the web-app within its assets.”
This strategy, according to Group-IB, is a deliberate effort by the criminals to evade detection and bypass security protocols when distributing the app through the App Store.
Additionally, the cybersecurity company identified a fraudulent stock investment app on the Google Play Store named FINANS INSIGHTS (com.finans.insights). Another app tied to the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader).
While these Android apps are no longer available on the Play Store, Sensor Tower data indicates they had fewer than 5,000 downloads. FINANS INSIGHTS was most popular in Japan, South Korea, and Cambodia, while FINANS TRADER6 catered primarily to users in Thailand, Japan, and Cyprus.
“Cybercriminals persist in leveraging reputable platforms like the Apple Store or Google Play to distribute malware disguised as legitimate apps, exploiting users’ trust in secure environments,” Polovinkin emphasized.
“Victims are enticed by the prospect of effortless financial gains, only to discover they cannot withdraw funds after substantial investments. The incorporation of web-based applications further obscures malicious activities, rendering detection more challenging.”