A large-scale fraud campaign used fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to trick victims, according to findings from Group-IB.
The campaign is part of a consumer investment fraud scheme, also commonly known as pig butchering, in which potential victims are lured into investing in cryptocurrency or other financial instruments after the operators gain their trust under the guise of a romantic relationship or an investment advisor.
Such manipulative social engineering operations usually end with victims losing their funds, and in some cases the operators extort even more money from them by demanding various fees and other payments.
The Singapore-headquartered company said the campaign has a global reach, with victims reported in the Asia-Pacific region, Europe, the Middle East and Africa. The fake apps, built with the UniApp Framework, have been tracked under the name UniShadowTrade.
The cluster of activity is said to have been active since at least mid-2023, luring victims with the promise of quick financial gain. A notable aspect of the threat is that one of the apps managed to pass the Apple App Store review process, lending it an illusion of legitimacy and trust.
The app in question, SBI-INT, is no longer available for download from the app marketplace, but it claimed to be software for “commonly used algebraic math formulas and 3D graphics volume area calculation”.
The cybercriminals are believed to have achieved this with a check in the app's source code that tested whether the current date and time were earlier than July 22, 2024, 00:00:00, and if so, launched a decoy screen with formulas and graphs, so that the app behaved like the calculator it claimed to be for as long as it was likely to be under review.
After the app was taken down a few weeks after publication, the threat actors behind the operation are said to have moved on to distributing the app for both Android and iOS via phishing sites.
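The date gate described above, modelled as an added example (this is not code from Group-IB or from the SBI-INT app; the cutoff date is the one reported, its time zone is assumed to be UTC, and the screen names and probe schedule are constructed). The second function is the review-side counterpart: instead of trusting a single run against the real clock, it drives the app's screen selection under an injected clock at several points in time and reports whether the behaviour changes.

```javascript
// Added example: a minimal model of a date-gated decoy screen and a review-time
// probe that exposes it by varying the clock. Not the campaign's own code.
const CUTOFF_MS = Date.UTC(2024, 6, 22, 0, 0, 0); // 2024-07-22T00:00:00Z (months are 0-based); UTC is an assumption

// What the gated app does: before the cutoff it shows the benign calculator screen
// that reviewers see; from the cutoff onwards it switches to the trading front end.
function selectScreen(nowMs, cutoffMs = CUTOFF_MS) {
  return nowMs < cutoffMs ? 'calculator' : 'trading';
}

// Review-side check: evaluate the selector under an injected clock at several dates.
// Returns whether the app is gated, the distinct screens seen, and the first probe
// date at which the screen changed.
function probeTimeGate(selector, probeDates) {
  const sorted = [...probeDates].sort((a, b) => a - b);
  const observations = sorted.map((ms) => ({
    at: new Date(ms).toISOString(),
    screen: selector(ms),
  }));
  const screens = new Set(observations.map((o) => o.screen));
  let switchesAt = null;
  for (let i = 1; i < observations.length; i++) {
    if (observations[i].screen !== observations[i - 1].screen) {
      switchesAt = observations[i].at;
      break;
    }
  }
  return { gated: screens.size > 1, screens: [...screens], switchesAt, observations };
}

// Constructed probe schedule: inside the review window, one second before the
// cutoff, the cutoff itself, and a year later.
const PROBE_DATES = [
  Date.UTC(2024, 5, 1),
  Date.UTC(2024, 6, 21, 23, 59, 59),
  Date.UTC(2024, 6, 22),
  Date.UTC(2025, 6, 22),
];

console.log(JSON.stringify(probeTimeGate(selectScreen, PROBE_DATES), null, 2));
```

The probe only sees what the selector exposes; a real review harness would inject the clock into the app (for example by faking the device time) and run the same schedule, and it should include dates well beyond the review period, since the gate here is a fixed date rather than a delay counted from installation.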
“For iOS users, pressing the download button triggers the download of a .plist file, causing iOS to request permission to install the app,” Group-IB researcher Andrei Palavinkin said.
“However, once the download is complete, the application cannot be launched immediately. The cybercriminals then instruct the victim to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent app starts working.”
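The .plist that the download button serves is an over-the-air install manifest, the file an itms-services:// link points iOS at. The following is an added example, not Group-IB's or the campaign's code, of how an analyst can triage such a manifest offline: it pulls out the bundle identifier, title and package URLs and flags where the .ipa is actually hosted. The manifest and hostnames are constructed for the example.

```javascript
// Added example: triage of an over-the-air (itms-services) install manifest.
// The manifest below is constructed; hostnames and identifiers are placeholders.
const SAMPLE_MANIFEST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://cdn.example-phish.test/app/trade.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.trade</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Trade</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>`;

// Collect every <key>…</key><string>…</string> pair in a fragment, in document order.
function keyStringPairs(xml) {
  const pairs = [];
  const re = /<key>([^<]+)<\/key>\s*<string>([^<]*)<\/string>/g;
  let m;
  while ((m = re.exec(xml)) !== null) pairs.push([m[1].trim(), m[2].trim()]);
  return pairs;
}

// Split the manifest at each <dict> and turn the string-valued entries of each
// dict into an object. The manifest format is flat enough that this is sufficient;
// a full plist parser is not needed for triage.
function dictsOf(xml) {
  return xml.split('<dict>').slice(1).map((seg) => Object.fromEntries(keyStringPairs(seg)));
}

// Summarize what the device would be asked to install and flag what matters to an
// analyst: which hosts serve the package, whether transport is https (iOS requires
// https for OTA installs), and whether the package lives somewhere other than the
// site that served the manifest (pass manifestUrl when known).
function triageManifest(xml, manifestUrl = null) {
  const dicts = dictsOf(xml);
  const packageUrls = dicts.filter((d) => d.kind === 'software-package' && d.url).map((d) => d.url);
  const metadata = dicts.find((d) => d.kind === 'software') || {};
  const manifestHost = manifestUrl ? new URL(manifestUrl).hostname : null;
  const findings = [];
  for (const u of packageUrls) {
    let parsed;
    try {
      parsed = new URL(u);
    } catch {
      findings.push(`unparseable package url: ${u}`);
      continue;
    }
    if (parsed.protocol !== 'https:') findings.push(`package not served over https: ${u}`);
    if (manifestHost && parsed.hostname !== manifestHost) {
      findings.push(`package host ${parsed.hostname} differs from manifest host ${manifestHost}`);
    }
    findings.push(`package host: ${parsed.hostname}`);
  }
  return {
    bundleId: metadata['bundle-identifier'] || null,
    title: metadata.title || null,
    packageUrls,
    findings,
  };
}

console.log(triageManifest(SAMPLE_MANIFEST, 'https://www.example-phish.test/download/app.plist'));
```

The manifest says nothing about who signed the package; the enterprise developer profile the victim is told to trust is carried in the .ipa itself, so the next step after this triage is to fetch the package and inspect its provisioning profile.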
Users who install the app and open it are greeted with a login page that asks for a phone number and password. Sign-up requires entering an invitation code, suggesting that the attackers target specific individuals to carry out the scam.
Successful registration initiates a six-step process in which victims are asked to provide proof of identity, personal information and current employment details, and are then asked to agree to the terms of service before making an investment.
After the deposit, the cybercriminals send further instructions on which financial instrument to invest in, often guaranteeing high returns, thereby coaxing users into investing more and more money. To maintain the ruse, the app is rigged to display the investment as profit.
The trouble starts when the victim tries to withdraw, at which point they are asked to pay additional fees to get back their original investment and supposed profits. In reality, the funds are stolen and redirected to accounts controlled by the attackers.
Another novel tactic adopted by the app's authors is the use of an embedded configuration, which contains details such as the URL where the login page resides and other aspects of the trading application running within the app.
This configuration is hosted at a URL associated with the legitimate service TermsFeed, which offers compliance software for creating privacy policies, terms of service and cookie consent banners.
“The first discovered app distributed through the Apple App Store functions as a bootloader by simply finding and displaying the URL of a web application,” Palavinkin said. “In contrast, the second app downloaded from the phishing websites already contains the web app in its assets.”
According to Group-IB, this is a deliberate choice by the threat actors to minimize the chances of detection and avoid raising alarms when the app is distributed through the App Store.
In addition, the cybersecurity company said it detected one of the fake stock investing apps on the Google Play Store, called FINANS INSIGHTS (com.finans.insights). Another app from the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader).
Although both Android apps have since been removed from the Play Store, Sensor Tower statistics show that they were downloaded fewer than 5,000 times. Japan, South Korea and Cambodia were the three main countries for FINANS INSIGHTS, while Thailand, Japan and Cyprus were the main regions where FINANS TRADER6 was available.
“Cybercriminals continue to use trusted platforms such as the Apple Store or Google Play to distribute malware disguised as legitimate software, exploiting users’ trust in secure ecosystems,” Palavinkin said.
“Victims are lured in by the promise of easy financial gain, only to find they cannot withdraw funds after making a significant investment. The use of web applications further hides malicious activity and makes detection more difficult.”