Global Victims Targeted by Fake Trading Apps on Apple App Store and Google Play

A large-scale fraud campaign used fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, according to Group-IB’s findings.

This campaign is part of a broader consumer investment fraud scheme, commonly referred to as “pig butchering.” In this scheme, victims are enticed to invest in cryptocurrency or other financial instruments, often after trust has been built under the guise of a romantic relationship or by someone posing as an investment expert offering advice.

These manipulative social engineering tactics typically result in victims losing their funds and, in some cases, being coerced into making additional payments under the pretext of various fees.

Group-IB, based in Singapore, stated that the campaign has a global reach, with victims reported in Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent apps, developed using the UniApp Framework, are tracked under the name UniShadowTrade.

This group has been active since mid-2023, luring victims with malicious apps that promise quick financial returns. A significant aspect of this threat is that one of the apps managed to bypass Apple’s App Store review process, granting it a false sense of legitimacy.

The app, named SBI-INT, is no longer available for download, but it initially posed as software for calculating algebraic formulas and 3D graphics volume areas. It is believed the app included a time-based check that displayed a decoy screen of mathematical formulas if opened before July 22, 2024, 00:00:00, which would explain how it passed review.

After its removal, the threat actors shifted to distributing the app for both Android and iOS via phishing sites.

“For iOS users, pressing the download button triggers the download of a .plist file, prompting iOS to ask for permission to install the application,” explained Group-IB researcher Andrey Polovinkin.

Once the app is downloaded, victims are instructed to manually trust the Enterprise developer profile before the fraudulent app becomes operational.
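The iOS install path described above hinges on a manifest .plist served by the phishing site. As an added triage example (not Group-IB's tooling or anything from the page), the following script parses such a manifest, assuming it is an Enterprise over-the-air manifest with the usual `items`/`assets`/`metadata` keys, extracts the bundle identifier and IPA download URL, and flags the patterns an analyst would want to see first: a non-HTTPS package URL and a package host that differs from the page that served the manifest. The sample manifest and all hosts are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an over-the-air install manifest, the kind of .plist
# a phishing page hands to iOS. Hosts and names are placeholders, not IoCs.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>items</key><array><dict>
  <key>assets</key><array><dict>
   <key>kind</key><string>software-package</string>
   <key>url</key><string>http://cdn.example.invalid/app.ipa</string>
  </dict></array>
  <key>metadata</key><dict>
   <key>bundle-identifier</key><string>com.example.trading</string>
   <key>bundle-version</key><string>1.0.3</string>
   <key>kind</key><string>software</string>
   <key>title</key><string>Trading Pro</string>
  </dict>
 </dict></array>
</dict></plist>"""


def triage_manifest(manifest: bytes, page_host: str) -> dict:
    """Extract install targets from an iOS OTA manifest and flag red flags.

    page_host is the hostname of the page that served the manifest."""
    data = plistlib.loads(manifest)
    findings = {"packages": [], "flags": []}
    for item in data.get("items", []):
        meta = item.get("metadata", {})
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue  # icon assets are not the installable binary
            url = asset.get("url", "")
            parsed = urlparse(url)
            findings["packages"].append({
                "bundle_id": meta.get("bundle-identifier"),
                "title": meta.get("title"),
                "version": meta.get("bundle-version"),
                "ipa_url": url,
            })
            if parsed.scheme != "https":
                findings["flags"].append(f"insecure scheme for {url}")
            if parsed.hostname != page_host:
                findings["flags"].append(
                    f"IPA host {parsed.hostname} differs from page host {page_host}")
    if not findings["packages"]:
        findings["flags"].append("no software-package asset found")
    return findings
```

The extracted bundle identifier and IPA URL are the values to pivot on when checking whether the same package is being pushed from other phishing domains.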

Upon opening the app, victims are greeted with a login page asking for their phone number and password. The registration process requires an invitation code, suggesting the attackers are targeting specific individuals.

After successful registration, victims undergo a six-step process in which they are asked to provide identification, personal details, and employment information before agreeing to the service’s terms to proceed with their investments.

Once victims make deposits, they receive instructions on which financial instrument to invest in, with promises of high returns. The app is designed to display fake investment gains, tricking users into investing more funds.

Trouble arises when victims try to withdraw their funds, at which point they are asked to pay additional fees to recover their initial investments and supposed profits. In reality, the funds are stolen and redirected into accounts controlled by the attackers.

One notable tactic used by the malware authors involves keeping the app's configuration outside the binary. This includes specifics such as the URL hosting the login page and other features of the so-called trading application.

The configuration data is hosted on a URL linked to a legitimate service called TermsFeed, which provides compliance tools for creating privacy policies, terms and conditions, and cookie consent banners.

“The first application, discovered on the Apple App Store, acts as a downloader, only retrieving and showing a web-app URL,” said Polovinkin. “On the other hand, the second application, downloaded from phishing websites, already contains the web-app within its assets.”

According to Group-IB, this strategy helps the threat actors minimize detection risks and avoid suspicion when distributing the app via the App Store.

The cybersecurity company also uncovered another fake stock investment app on the Google Play Store, called FINANS INSIGHTS (com.finans.insights). Another related app by the same developer, Ueaida Wabi, was named FINANS TRADER6 (com.finans.trader6).

Both apps have since been removed from the Play Store; data from Sensor Tower indicates that each was downloaded fewer than 5,000 times. Japan, South Korea, and Cambodia were the top countries where FINANS INSIGHTS was available, while Thailand, Japan, and Cyprus were the primary regions for FINANS TRADER6.

Users are advised to exercise caution when clicking on links, avoid responding to unsolicited messages from unknown contacts on social media and dating platforms, review investment platforms for legitimacy, and carefully inspect apps, their developers, ratings, and user reviews before downloading.

“Cybercriminals continue to exploit trusted platforms like the Apple Store and Google Play to distribute malware disguised as legitimate apps, preying on users’ trust in secure ecosystems,” Polovinkin added.

“Victims are lured by promises of easy financial gains, only to discover that they can’t withdraw funds after investing substantial amounts. The use of web-based apps conceals the malicious activity, making it harder to detect.”

Source: TheHackerNews