{"id":21128,"date":"2023-02-01T05:20:54","date_gmt":"2023-02-01T13:20:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/02\/01\/news-14861\/"},"modified":"2023-02-01T05:20:54","modified_gmt":"2023-02-01T13:20:54","slug":"news-14861","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/02\/01\/news-14861\/","title":{"rendered":"Fraudulent \u201cCryptoRom\u201d trading apps sneak into Apple and Google app stores"},"content":{"rendered":"

Credit to Author: Jagadeesh Chandraiah| Date: Wed, 01 Feb 2023 11:00:48 +0000<\/strong><\/p>\n

\n

 <\/p>\n

CryptoRom is a romance-centered approach to financial fraud and a form of what is also known as “pig butchering” or \u201csha zhu pan\u201d (\u6740\u732a\u76d8, literally \u201cpig butchering plate\u201d). This type of fraud uses social engineering in combination with counterfeit financial applications and websites to ensnare victims and steal their money. For the past two years, we’ve researched<\/a> such scams, and have examined ways that their operators have evaded Apple\u2019s security checks by avoiding the app store and using ad-hoc methods to drop malicious applications onto victims’ phones. Recently, we discovered CryptoRom apps that defeated Apple\u2019s and Google\u2019s app-store security review processes, making their way into the official stores. Victims of the scam alerted us to the applications and shared details of the criminal operations behind them. In the process of researching the applications, we found other apps and uncovered information about the organizations behind these scam operations.<\/p>\n

In both cases, victims were approached through dating applications (Facebook and Tinder). They were then asked to move their conversation to WhatsApp, where they were eventually lured into downloading the apps discussed in this report. While the highly developed profiles and backstories used to lure the victims into trusting the guidance provided by the criminals set the table for these scams, the ability to publish the apps used in these schemes in the official stores significantly contributed to their perceived credibility in the eyes of victims.<\/p>\n

Both Apple and Google have been notified about these apps. Apple\u2019s security team promptly removed them from that app store. Google recently removed the app we reported from the Play store as well.<\/p>\n

Luring victims through dating apps<\/strong><\/p>\n

In the first case we investigated, the victim was based in Switzerland.\u00a0The target met his “potential partner,” a person or persons who used a profile of a woman purportedly based in London, through Facebook Dating. As seen in the other cases, the scammer’s Facebook profile was replete with photos seeming to show a lavish lifestyle, including photos of high-end restaurants, expensive shops and destinations, and near-perfect and professional-looking selfies. It is very likely that the profile contents were purchased from a third-party vendor or were stolen from the internet.<\/p>\n

\"A<\/a><\/p>\n

Figure 1: The daily \u201clife\u201d of a nonexistent woman; some images were probably created by the scammers or by a paid provider, while others were likely stolen from elsewhere on the internet<\/em><\/p>\n

To maintain the appearance of being from London, the criminals behind the profile posted events from BBC News, such as Queen Elizabeth II’s\u00a0funeral, on the persona\u2019s Facebook timeline. The persona also “liked” and followed organizations that indicated interest in the BBC and well-known Western companies.<\/p>\n

\"A<\/a><\/p>\n

Figure 2: Check-ins and likes in the persona\u2019s profile helped the scammers build credibility for their creation<\/em><\/p>\n

After establishing a rapport, the criminals behind the profile told the victim that \u201cher\u201d uncle worked for a financial analysis firm, and invited the victim to do cryptocurrency trading together. At this point the scammers sent the victim a link to the fake application in the Apple app store. They instructed the victim in how to start “investing” with the application, telling them to transfer money to the Binance crypto exchange and then from Binance to the fake application.<\/p>\n

Initially, the victim was able to withdraw small amounts of cryptocurrency. But later, when the victim wanted to withdraw larger amounts, the account got locked and was told through a \u201ccustomer support\u201d chat in the application to pay a 20% fee (as shown in Figure 3) to access the cryptocurrency.<\/p>\n

\"A<\/a><\/p>\n

Figure 3: Once trust in the fake application has been established, the victim\u2019s ability to withdraw money is suddenly \u201clocked\u201d<\/em><\/p>\n

The second victim followed a similar path, with the difference that initial contact was through Tinder. The scammer asked to move the conversation to WhatsApp, and then prompted the victim to download a different fake app from the iOS App Store. The victim caught onto the scam, but only after losing $4,000 USD.<\/p>\n

Fake Apps in Apple App Store<\/strong><\/p>\n

Previously, iOS apps we\u2019ve seen associated with CryptoRom \/ pig butchering scams were deployed from outside the official Apple App Store via ad hoc distribution services. In order to get victims to install them, the criminals behind the scams\u00a0had to use social engineering\u2014 they had to convince the victims to install a configuration profile to enable app installation, a process that could potentially spook many targets. But in cases we\u2019ve investigated recently, applications used by the scammers were successfully placed into the Apple App Store, greatly reducing the amount of social engineering required to get the application onto victims’ devices.<\/p>\n

The first of these applications appeared on first inspection to have no connection to cryptocurrency; called “Ace Pro,” the app was described in its app-store page as a QR code-checking application.<\/p>\n

\"A<\/a><\/p>\n

Figure 4: The app-store download page for Ace Pro, since removed <\/em><\/p>\n

The machine translation of the text (from Slovak):<\/p>\n

\"Ace Pro\" per application, which converts QR code information of fast driving through   driving information. It's simple to upload and easy to use. It can transform your   train information very well, allowing you to quickly pass through the ride. Save time...\"<\/pre>\n
The privacy policy for the application also describes it as a “QR Check” application.<\/p>\n
\"The<\/a><\/p>\n
Figure 5: The Ace Pro privacy policy<\/em><\/p>\n
The second CryptoRom application we discovered in Apple\u2019s app store was called \u201cMBM_BitScan,\u201d described in the store listing as a real-time data tracker for cryptocurrencies. But it also has a fake cryptotrading interface. One victim lost around $4000 to this fake application.<\/p>\n
\"The<\/a><\/p>\n
Figure 6: The app-store download page for MBM_BitScan, since removed<\/em><\/p>\n
Both of these applications managed to get past the Apple App Store review process. All applications that are installed via the Apple App Store must be signed by the developer using a certificate provided by Apple<\/a>, and must go through a stringent review process to verify that they follow the App Store guidelines.<\/a><\/p>\n
If criminals can get past these checks, they have the potential to reach millions of devices. This is what makes it more dangerous for CryptoRom victims, as most of those targets are more likely to trust the source if it comes from the official Apple App Store.<\/p>\n
Evading App Store Review<\/strong><\/h3>\n
\"A<\/a><\/p>\n
Figure 7: How fraudulent applications likely evaded the Apple review process.<\/em><\/p>\n
Both the apps we found used remote content to provide their malicious functionality\u2014content that was likely concealed until after App Store review was complete.<\/p>\n
In the case of the Ace Pro app, the malicious developers inserted code related to QR checking and other iOS app library code in the app to make it appear legitimate to reviewers.\u00a0 But when the app is launched, it sends a request to an Asian-registered domain (rest[.]apizza[.]net), which responds with content from another host (acedealex[.]xyz\/wap). It is this response that delivers the fake CryptoRom trading interface. It is likely that the criminals used a legitimate-looking site for responses at the time of the app review, switching to the CryptoRom URL later.<\/p>\n
\"Split-screen<\/a><\/p>\n
Figure 8: <\/em>The captured web request and response from the Ace Pro app<\/em><\/p>\n
The MBM_BitScan app uses a similar approach. On execution, it sends a JSON request to a \u00a0command-and-control (C2) server hosted on Amazon Web Services, and gets a response from a domain called flyerbit8(.)com \u2014a domain crafted to look like that of legitimate Japanese bitcoin vendor bitFlyer<\/a>:<\/p>\n
\"Split-screen<\/a><\/p>\n
Figure 9: <\/em>The web request made by the MBM_BitScan app, and the response delivering the JSON package\u00a0 containing the URL of the malicious website serving up the fake trading app<\/em><\/p>\n
This review evasion technique, which is connected to click-fraud malware, has been seen previously by other researchers in fake iOS applications dating back to 2019 .<\/p>\n
Fake Crypto Interfaces<\/strong><\/h3>\n
The remote content displayed within these applications is similar to other CryptoRom and pig butchering scam applications we\u2019ve seen. Both have a working-but-fake trading interface with the purported ability to deposit and withdraw currency, as well as a built-in customer service function. But all the deposits go into the crooks\u2019 pockets rather than an actual trading account.<\/p>\n
\"Multiple<\/a><\/p>\n
Figure 10: <\/em>The trading interface in the Ace Pro app<\/em><\/p>\n
\"A<\/a><\/p>\n
Figure 11: The MBM_BitScan<\/em> fake-application interface, with an option to buy crypto<\/em><\/p>\n
Because these trading interfaces are loaded at runtime, and because the entirety of the malicious content of the applications resides on the web server and not in application code, it is challenging for app stores to review and find these fake applications. \u00a0They\u2019re difficult to identify as fraudulent by reviewers by just viewing the code. And since they will likely only be used by people targeted by the scams, they will only get reported by targeted users who are familiar with legitimate versions of the applications and have an understanding of cryptocurrency. \u00a0Because of these factors, these types of fake applications will continue to pose a significant challenge to Apple\u2019s app security reviewers.<\/p>\n
Google Play Store application <\/strong><\/p>\n
The Google Play Store version of MBM_BitScan has a different vendor name and different title than that of the Apple version. However, it communicates with the same C2 as the iOS version of the app, and likewise accesses the domain that hosts the fake trading interface via JSON. It receives flyerbit8<dot>com, which as noted above resembles the legitimate Japanese crypto firm bitFlyer. Everything else is handled in the web interface.<\/p>\n
\"Screen<\/a><\/p>\n
Figure 12: The MBM_BitScan app as seen on Google Play Store<\/em><\/p>\n
\"A<\/a><\/p>\n
Figure 13: The Android version of the MBM_BitScan app\u2019s getUrl method, with an AWS-based URL that fetches the JSON data containing the CryptoRom interface<\/em><\/p>\n
The actors behind CryptoRom rings<\/strong><\/p>\n
CryptoRom and other forms of \u201cpig butchering\u201d initially targeted<\/a> people in China and Taiwan. Early scams focused on online gambling with insider information, using similar tactics to CryptoRom. Over the course of the COVID-19 pandemic, the scams expanded globally and evolved into fraudulent foreign exchange and cryptocurrency trading. We are tracking this threat actor as the \u201cShaZhuPan\u201d group.<\/p>\n
When Chinese authorities started cracking down on these scams and prosecuted some perpetrators, some of the gangs behind them fled to smaller southeast Asian countries, including Cambodia<\/a>, where they now operate<\/a> in special economic zones (SEZ<\/a>).<\/p>\n
According to reports<\/a> by Chinese law enforcement organizations who targeted<\/a> these operations in China, CryptoRom groups follow a business structure that mimics a corporate organizational model. At the top is a head office, which does supervision and money laundering. The head office sub-contracts scam operations to affiliate organizations. These franchise operations, also called agents, have their own division of labor:<\/p>\n