Sophos was recently tipped off to a fraudulent mobile trading application that masqueraded as one tied to a well-known Asia-based trading company. As they investigated, they uncovered several other counterfeit versions of popular cryptocurrency trading, stock trading and banking apps on iOS and Android, all designed to steal from those fooled into using them.

These fraudulent applications exploit the increased interest in trading apps, fuelled by the recent sharp rise in cryptocurrency values and by interest in low-cost or free stock trading following stories such as the recent social-media-driven speculation in GameStop stock.

In some cases, the schemes to distribute these applications leveraged social engineering through dating sites to lure in victims, and websites designed to look like those belonging to legitimate companies. These websites forwarded victims to third-party sites that delivered iOS mobile applications via configuration management schemes, iOS mobile device management payloads carrying ‘Web Clips’, or Android apps, depending on the device used.
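As an added example (not from the Sophos research or this article), the check below parses an iOS configuration profile (.mobileconfig, an XML plist) and flags any Web Clip payload whose target URL is off an allow-list of the impersonated company's genuine domains, is not served over HTTPS, cannot be removed by the user, or opens full-screen so the address bar is hidden. The sample profile, the placeholder domains and the allow-list are constructed; `com.apple.webClip.managed` and the payload keys are Apple's standard Web Clip profile keys.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample profile: a managed Web Clip whose home-screen icon opens a look-alike site.
# "goldenway-example.invalid" is a placeholder domain, not a real indicator from the campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Goldenway Trading</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>Goldenway</string>
      <key>URL</key><string>https://app.goldenway-example.invalid/login</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Hypothetical allow-list of the impersonated company's genuine domains (placeholder value).
TRUSTED_DOMAINS = {"goldenway.example.com"}


def suspicious_web_clips(profile_bytes, trusted_domains):
    """Return (label, url, reasons) for every Web Clip payload that fails a trust check."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue  # only Web Clip payloads are examined here
        url = payload.get("URL", "")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            reasons.append("host not on allow-list")
        if parsed.scheme != "https":
            reasons.append("not https")
        if payload.get("IsRemovable") is False:
            reasons.append("non-removable clip")
        if payload.get("FullScreen"):
            reasons.append("full-screen (hides address bar)")
        if reasons:
            findings.append((payload.get("Label", ""), url, reasons))
    return findings
```

Calling `suspicious_web_clips(SAMPLE_PROFILE, TRUSTED_DOMAINS)` on the constructed profile returns one finding for the "Goldenway" clip; profiles pulled from a device or MDM server can be read as bytes and passed in the same way.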

“During investigation of one of the apps, Sophos encountered a server which was hosting hundreds of fake trading, banking, foreign exchange, and cryptocurrency apps. Among them were counterfeit apps impersonating major financial firms and popular cryptocurrency trading platforms, including Barclays, Gemini, Bitwala, Kraken, Binance, BitcoinHK, Bittrex, BitFlyer, and TDBank. Each of these fake apps had a dedicated website tailored to the impersonated brand to better fool potential victims,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.

Sophos’ research began when the company was asked to investigate an application by a user who fell victim to a scam. According to the victim, the initial contact with the actors behind the app came through a social media and dating site.

The scammers befriended the victim and shifted communications to a messaging app. They avoided requests for face-to-face meetings, citing the Covid-19 pandemic. After gaining trust, they convinced the victim to download a cryptocurrency trading app, sending the victim a link. The link led to a page impersonating a Hong Kong-based trading and investment company called Goldenway Group. The page offered downloads of both iOS and Android apps.

The scammers then walked the victim through the installation and encouraged the victim to buy cryptocurrency and transfer it into their wallet. When the victim asked to withdraw the cryptocurrency, the scammers behind the fake persona at first made excuses, and then finally blocked the victim’s account, with all the purchased cryptocurrency in the scammers’ possession.

As Sophos investigated the fraudulent Goldenway app, they discovered that the scheme was much more wide-ranging. They found hundreds of fake trading apps being pushed through the same infrastructure, each disguised to look like the official trading apps of different financial organisations.

“Some of the fake trading apps Sophos looked at had an interface with trading updates, wallets, fund and cryptocurrency deposit and withdrawal features that appeared to function just like their legitimate counterparts. The main difference, however, was that any transaction went into the pockets of the crooks instead,” says Anderson.

“Innocent people tend to put trust in things that are presented by someone they think they know. And since these fake applications impersonate well-known apps from all over the world, the fraud is that much more believable. If something seems too good to be true—promised high returns on investments, or professional-looking dating profiles asking to transfer money or crypto assets—it’s likely a scam,” he adds.

To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s App Store. Developers of popular apps usually have a website that directs users to the genuine app, and users should verify that the app was published by its genuine developer. “We also advise users to consider installing an antivirus app on their mobile device, such as Sophos Intercept X for Mobile, which defends their device and data from such threats,” says Anderson.

The distribution scheme used in these fraud campaigns poses a larger threat. The Super Signature process can be abused by crooks to install additional malware in a targeted way on vulnerable users’ devices. This threat could (and should) be mitigated by Apple, which could stop abuse of third-party app distribution by alerting users when Super Signature distribution is used to install apps, or when such ad-hoc distributed apps are in use on the device.

Sophos detects these apps as Andr/FakeApp-DC, iPh/FakeApp-DD and iPh/FakeApp-DE. A full list of IOCs associated with the apps in this campaign is available on Sophos’ GitHub page.
