Sophos researchers discovered hundreds of malicious cryptocurrency, stock, and banking apps targeting Android and iOS devices.
Researchers said on Wednesday that while investigating a fake mobile trading app, they found a server hosting “hundreds” of malicious banking, trading, foreign exchange, and cryptocurrency apps.
With the growing popularity of mobile banking and trading apps that let users pick investments with a single swipe, social media has become a hotbed of pump-and-dump schemes. Cybercriminals have become active on social media as well, distributing fake mobile applications that are later used to exploit victims and steal their funds.
Sophos has seen apps impersonating well-known, legitimate brands including Binance, Barclays, Gemini, TDBank, Kraken, and more.
The apps have dedicated websites that mimic the look and feel of impersonated organizations in an effort to raise the likelihood of a successful scam.
Sophos initially investigated a single fake app masquerading as the Asia-based trading company Goldenway Group. The attackers approached victims on social media and a dating website and prompted them to download the fake app.
Researchers say the actors may adopt a more personal approach and try to foster a relationship with their victim.
“We also found several profile pictures of attractive people likely used for creating fake dating profiles, which suggests that dating could have been used as a bait to lure victims.”
For this, the threat actor acted as a friend or a potential love match, and at some point, shared a time-limited financial opportunity. The malicious app or a fake website prompts the victim to open a cryptocurrency wallet and transfer funds. Scammers will then appropriate the money and disappear.
Sophos says the actors abused a “Super Signature process” to bypass security protections employed by official app stores.
“While many of these Super Signature developer services may be targeted at helping legitimate small app developers, we found in our investigation that the malware used many such third-party commercial app distribution services,” the researchers say. “These services offered options for ‘One-click upload of App Installation’ where you just need to provide the IPA file. They advertise themselves as an alternative to the iOS App Store, handling app distribution and registration of devices.”
On iOS, rather than delivering an IPA file, the criminals sometimes placed a link to a malicious web page directly on the victim’s home screen.
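The “Super Signature” services described above register the victim’s device on a paid developer account and sign the IPA with an ad hoc provisioning profile, which is why such apps never pass through App Store review. A defender triaging a suspicious IPA can therefore look at the embedded provisioning profile: App Store builds carry none, enterprise (in-house) profiles set `ProvisionsAllDevices`, and ad hoc or development profiles list specific device UDIDs under `ProvisionedDevices`. The script below is an added illustration written for this article, not Sophos tooling; the profile keys (`ProvisionedDevices`, `ProvisionsAllDevices`, `TeamName`, `TeamIdentifier`, `Entitlements`) are the standard ones Apple writes into `embedded.mobileprovision`, while the team name, UDIDs, bundle identifier and the in-memory IPA it builds are constructed sample data.

```python
"""Triage an iOS .ipa by the provisioning profile it carries (added example)."""
import io
import plistlib
import re
import zipfile

# Constructed sample profile body. A real embedded.mobileprovision is a
# CMS/PKCS#7 (DER) blob wrapping an XML plist of exactly this shape; the
# team name, team id and UDIDs below are made up for the example.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>example ad hoc profile</string>
  <key>TeamName</key><string>EXAMPLE TEAM (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionedDevices</key>
  <array>
    <string>00008030-00000000000000A0</string>
    <string>00008030-00000000000000B0</string>
  </array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.trading</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# The XML plist sits verbatim inside the DER wrapper, so a span search is
# enough for triage (no need to verify the CMS signature to read the keys).
PLIST_SPAN = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def profile_from_blob(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    m = PLIST_SPAN.search(blob)
    if m is None:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(profile: dict) -> dict:
    """Summarise who signed the app and which devices it may run on."""
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices"):
        distribution = "enterprise"        # in-house distribution certificate
    elif devices:
        distribution = "device-limited"    # ad hoc / development: the super-signature shape
    else:
        distribution = "app-store"         # App Store distribution profile, no device list
    return {
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "provisioned_devices": len(devices),
        "distribution": distribution,
    }


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Find Payload/<App>.app/embedded.mobileprovision in an .ipa and classify it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        candidates = [
            n for n in z.namelist()
            if n.startswith("Payload/")
            and n.endswith(".app/embedded.mobileprovision")
            and n.count("/") == 2
        ]
        if not candidates:
            # App Store downloads normally ship without an embedded profile.
            return {"distribution": "no-profile", "provisioned_devices": 0}
        return classify_profile(profile_from_blob(z.read(candidates[0])))


def build_sample_ipa() -> bytes:
    """Construct a minimal .ipa in memory so the example runs offline."""
    # Fake DER header and padding stand in for the CMS wrapper.
    wrapped = b"\x30\x82\x06\x10" + b"\x00" * 16 + SAMPLE_PROFILE_XML + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Trading.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.trading"}))
        z.writestr("Payload/Trading.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    for key, value in triage_ipa(data).items():
        print(f"{key:>20}: {value}")
```

Run with a path to an IPA, or with no argument to triage the constructed sample. A “device-limited” result with an unfamiliar team name on an app that claims to be a bank or exchange is the signal worth escalating; the team identifier also gives you a stable pivot for correlating other samples signed under the same developer account.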
On Android devices, users were instead prompted to install an app and begin trading; the wallets inside those apps, however, were controlled by the cybercriminals. In some cases the criminals required victims to send their trading funds to a bank account registered in Hong Kong.
A server belonging to the attackers and referenced in one of the apps contained victims’ records, including ID cards, driver’s licenses, and passport photos, from people in China, South Korea, Japan, and Malaysia.
“We believe the ID details could have been used to legitimize financial transactions and receipts by the crooks as a confirmation about the deposits from the victims,” Sophos says.