A far-reaching scam has exploited counterfeit trading apps listed on the Apple App Store and Google Play Store, alongside phishing websites, to con victims, as revealed by findings from Group-IB.
This fraudulent scheme is part of a broader investment deception tactic, colloquially known as pig butchering, wherein unsuspecting individuals are coaxed into investing in cryptocurrencies or other financial ventures under the guise of a romantic connection or professional investment advice.
Such manipulative social engineering tactics often culminate in victims being stripped of their finances, sometimes even coerced into paying additional fees under various pretenses, only to be further deceived.
Group-IB, headquartered in Singapore, stated that the campaign has a global footprint, with victims reported across Asia-Pacific, Europe, the Middle East, and Africa. The malicious apps, built on the UniApp Framework, have been grouped under the codename UniShadowTrade.
Active since at least mid-2023, the fraudulent operation lures users with promises of rapid financial gains. A notable aspect of the campaign is that one of the apps passed Apple's App Store review process, which lent it an air of authenticity and legitimacy.
The app, named SBI-INT, is no longer accessible on the app marketplace. However, it masqueraded as a utility for “commonly used algebraic mathematical formulas and 3D graphics volume area calculations.”
It is suspected that the criminals achieved this by embedding a check in the app's source code that compared the current date and time against July 22, 2024, 00:00:00: before that cutoff the app displayed only a decoy screen of formulas and graphics, presumably so that the review process, which took place before the cutoff, never saw the trading front end.
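A date-gated decoy is a sandbox-evasion pattern, and the practical counter is differential execution: run the app's entry decision under several spoofed clocks and look for divergence, then bisect to locate the switch point. The following is an added Python model of that technique, not code from the SBI-INT app or from Group-IB; only the cutoff date comes from the report, and the screen names, probe schedule and review date are constructed assumptions.

```python
from datetime import datetime, timedelta

# Cutoff reported for SBI-INT; the decoy/real split and the analysis harness
# below are a constructed model of that behaviour, not the app's own code.
CUTOFF = datetime(2024, 7, 22, 0, 0, 0)


def screen_for(now: datetime, cutoff: datetime = CUTOFF) -> str:
    """Model of the gate: only the decoy calculator exists before the cutoff,
    so a reviewer running the app before that date never sees the payload."""
    return "decoy_calculator" if now < cutoff else "trading_frontend"


def default_probes(base: datetime) -> list:
    """Clock values an analyst would try: 'now' plus several points in the
    future, so a cutoff up to a few years out still produces a divergence."""
    return [base + timedelta(days=d) for d in (0, 30, 180, 365, 730, 1460)]


def is_time_gated(app, probes) -> bool:
    """Differential check: call the app's entry decision under each spoofed
    clock; more than one distinct behaviour means it depends on the date."""
    return len({app(t) for t in probes}) > 1


def find_switch_time(app, lo: datetime, hi: datetime,
                     resolution: timedelta = timedelta(minutes=1)):
    """Bisect for the instant at which behaviour first differs from app(lo).
    Returns None when app(lo) == app(hi); otherwise a time at most
    `resolution` after the true switch point."""
    base = app(lo)
    if app(hi) == base:
        return None
    while hi - lo > resolution:
        mid = lo + (hi - lo) / 2
        if app(mid) == base:
            lo = mid        # still the baseline behaviour: switch is later
        else:
            hi = mid        # divergent behaviour: switch is at or before mid
    return hi


def demo() -> dict:
    """Run the harness against the modelled gate from a constructed review date."""
    review_day = datetime(2024, 6, 1)   # constructed: before the cutoff
    switch = find_switch_time(screen_for, review_day, datetime(2026, 1, 1))
    return {
        "reviewer_sees": screen_for(review_day),
        "time_gated": is_time_gated(screen_for, default_probes(review_day)),
        "switch_offset_seconds": (switch - CUTOFF).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe schedule matters: a single spoofed date that happens to fall before the cutoff reveals nothing, which is why the harness spreads probes over several years and bisects only once a divergence is observed.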
After its eventual removal, the criminals shifted their focus to distributing the app through phishing websites, targeting both Android and iOS users.
“For iOS users, pressing the download button initiates the download of a .plist file, prompting iOS to request permission to install the app,” stated Group-IB researcher Andrey Polovinkin.
However, after the download is complete, the application cannot be launched immediately. Cybercriminals instruct victims to manually trust the enterprise developer profile, and once this process is done, the fraudulent app becomes operational.
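The install flow described above is Apple's over-the-air (itms-services) enterprise distribution: the page's download button is an itms-services:// link pointing at a manifest .plist, which in turn names the .ipa to fetch and the bundle identifier to install. When triaging such a phishing page, the manifest is the first artifact worth parsing. The following is an added Python triage helper, not code from Group-IB or from the campaign; the manifest, link, host names, bundle identifier and title are constructed placeholders, not indicators from the report.

```python
import plistlib
from urllib.parse import parse_qs, urlparse

# Constructed sample manifest in the layout iOS expects for over-the-air
# installs. Host names, bundle id and title are placeholders, not indicators.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://cdn.example.invalid/app/trade.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.trade</string>
        <key>bundle-version</key><string>1.0.3</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Trading Pro</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed: what the phishing page's "download" button would carry.
SAMPLE_LINK = ("itms-services://?action=download-manifest"
               "&url=https%3A%2F%2Fphish.example.invalid%2Fdl%2Fmanifest.plist")


def manifest_url_from_link(link: str):
    """Return the manifest URL an itms-services:// install link points at,
    or None if the link is not a download-manifest link."""
    parts = urlparse(link)
    if parts.scheme != "itms-services":
        return None
    query = parse_qs(parts.query)
    if query.get("action") != ["download-manifest"]:
        return None
    return query.get("url", [None])[0]


def triage_manifest(data: bytes, manifest_host: str = None) -> list:
    """Extract install indicators from a manifest plist and note anything
    worth a second look (plain-http package URL, package on another host)."""
    plist = plistlib.loads(data)
    results = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        packages = [a.get("url") for a in item.get("assets", [])
                    if a.get("kind") == "software-package"]
        notes = []
        for url in packages:
            u = urlparse(url)
            if u.scheme != "https":
                notes.append(f"package not served over https: {url}")
            if manifest_host and u.hostname != manifest_host:
                notes.append(f"package hosted on a different host: {u.hostname}")
        results.append({
            "title": meta.get("title"),
            "bundle_id": meta.get("bundle-identifier"),
            "version": meta.get("bundle-version"),
            "package_urls": packages,
            "notes": notes,
        })
    return results


def demo():
    """Walk the constructed link and manifest the way a responder would."""
    manifest_url = manifest_url_from_link(SAMPLE_LINK)
    host = urlparse(manifest_url).hostname
    return manifest_url, triage_manifest(SAMPLE_MANIFEST, manifest_host=host)


if __name__ == "__main__":
    url, findings = demo()
    print("manifest:", url)
    for f in findings:
        print(f)
```

The manifest does not identify the enterprise signing identity the victim is told to trust; that sits in the embedded.mobileprovision inside the .ipa, which is the next artifact to pull once the package URL is known.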
Upon launching the app, users are greeted with a login screen that requires a phone number and password. The registration process also mandates an invitation code, implying that attackers are specifically targeting individuals for this scam.
Once registered, victims are led through a six-step process in which they are asked to provide identification documents, personal details, and employment information, and then to agree to the service's terms and conditions, ostensibly as a prerequisite for investing.
After making their initial deposit, victims receive further instructions on which financial instruments to invest in, often guaranteed high returns, which convinces them to continue investing larger sums. The app is designed to falsely display increasing profits, keeping the illusion alive.
The scam unravels when victims attempt to withdraw funds, at which point they are asked to pay additional fees to recover their original investment and so-called profits. In reality, the funds are siphoned away to accounts controlled by the attackers.
A new tactic used by the malware authors includes embedding a configuration within the app that specifies the URL hosting the login page and other elements of the supposed trading platform.
This information is hosted on a URL associated with a legitimate service called TermsFeed, which provides tools for generating privacy policies, terms and conditions, and cookie consent forms.
“The first identified app, distributed via the Apple App Store, acts as a downloader, merely retrieving and displaying a web-app URL,” Polovinkin explained. “In contrast, the second app, delivered through phishing sites, contains the web-app within its assets.”
According to Group-IB, this strategy is designed to evade detection and reduce suspicion when the app is distributed through legitimate app stores.
The cybersecurity firm also uncovered another fake stock investment app on the Google Play Store, named FINANS INSIGHTS (com.finans.insights). Another app from the same developer, Ueaida Wabi, was FINANS TRADER6 (com.finans.trader).
Neither Android app is still available in the Play Store; Sensor Tower statistics indicate they were downloaded fewer than 5,000 times. Japan, South Korea, and Cambodia were the primary regions for FINANS INSIGHTS, while Thailand, Japan, and Cyprus were the top regions for FINANS TRADER6.
“Cybercriminals continue to exploit trusted platforms like the Apple App Store and Google Play to spread malware disguised as legitimate apps, capitalizing on users’ faith in secure ecosystems,” said Polovinkin.
“Victims are drawn in with the promise of effortless financial success, only to realize they cannot withdraw their funds after substantial investments. The use of web-based applications further conceals the malicious intent and complicates detection.”