Fraudsters beat App Store vetting by swapping out app data

Posted:
in iOS
Con artists involved in a so-called "pig butchering" scam sneaked apps into Apple's App Store and Google Play Store by temporarily presenting innocuous functionality.




The App Store includes an option for users to report fraud with apps, and in 2022, Apple said it had blocked 1.6 million "problematic apps" away from users. But a new report from security firm Sophos says that at least two apps involved in fraud got by the App Store's review team.

One was called Ace Pro, and was purportedly for scanning QR codes, while the other was presented as a real-time data tracker for cryptocurrencies, called MBM_BitScan. "One victim lost around $4000 to this fake application," says Sophos.

Apps commonly access data from websites to present to users, and in the case of these two it's believed they temporarily accessed legitimate-looking, functioning sites. As the apps went through review, they each appeared to be doing exactly what they claimed to be.

Once the apps were approved and on the App Store, though, the destination websites were seemingly changed.

"In the case of the Ace Pro app, the malicious developers inserted code related to QR checking and other iOS app library code in the app to make it appear legitimate to reviewers," says Sophos. "But when the app is launched, it sends a request to an Asian-registered domain (rest[.]apizza[.]net), which responds with content from another host (acedealex[.]xyz/wap)."

"It is this response that delivers the fake CryptoRom trading interface," continues Sophos. "It is likely that the criminals used a legitimate-looking site for responses at the time of the app review, switching to the CryptoRom URL later."

What both apps then presented to users was a crypto trading service which had "a working-but-fake trading interface with the purported ability to deposit and withdraw currency." Any monies deposited through the app goes to the con team, not "rather than an actual trading account."

The "pig butchering" scam

"Pig butchering," also known as CryptoRom, is a long con fraud that involves ensnaring victims via social engineering and online dating applications. Victims are approached via online dating, then encouraged to move the conversation over to WhatsApp.

Ultimately, the date uses "highly developed profiles and backstories" to "lure the victims into trusting the guidance provided by the criminals." The fraudsters then lead the victims to the apps, saying they have already invested themselves.

In this case, the very presence of the apps on the App Store and Google Play Store helps make them seem legitimate. Apple has removed both apps after being notified by Sophos, and Google Play has removed the one app found on its store.

This is not the first time that apps have been used to scam users, but previously most have been what's called "fleeceware." They are apps that have free trials, but then automatically charge high recurring subscriptions until actively stopped.

Read on AppleInsider

Comments

  • Reply 1 of 17
    mike1mike1 Posts: 3,275member
    Can you imagine how bad it would get with third-party app stores and side loading?!
    racerhomie3lolliverfred1watto_cobrajony0Alex1N
  • Reply 2 of 17
    neoncatneoncat Posts: 145member
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    Gosh, it's all just so dangerous, maybe we shouldn't have app stores at all? 

    I never knew there were so many people absolutely unable to cope with even the slightest amount of risk until Apple's App Store conceit drove them all out of their safe spaces. At this point, I don't even care about alternate app stores. I rarely buy apps anyway. But the schadenfreude (childish as it may be, I admit) is almost too much to resist. 
    edited February 2023 muthuk_vanalingambeowulfschmidtdarkvaderFileMakerFellerwatto_cobraAlex1N
  • Reply 3 of 17
    "In this case, the very presence of the apps on the App Store and Google Play Store helps make them seem legitimate."
    ... to people who are new to the App Store and Google Play Store.

    edited February 2023 watto_cobraAlex1N
  • Reply 4 of 17
    avon b7avon b7 Posts: 7,624member
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    I use a few and have never had a problem. I can imagine stores that are even more 'secure' than Apple’s.  Of course that assumes no store can be fully future-proofed to thwart every single eventuality. 

    Are AppStore apps not subjected to continous appraisal once they get through the door? 

    If the app store itself is approved with the relevant security certifications in hand, I wouldn't even call it sideloading. 
    gatorguyAlex1N
  • Reply 5 of 17
    neoncat said: I never knew there were so many people absolutely unable to cope with even the slightest amount of risk until Apple's App Store conceit drove them all out of their safe spaces. At this point, I don't even care about alternate app stores. I rarely buy apps anyway. But the schadenfreude (childish as it may be, I admit) is almost too much to resist. 
    If third party stores on mobile were a consumer paradise then Apple would have made the move to them in iOS without being forced because Android would have been the big winner for app sales and profits. Buuuuuuuuuuut....it didn't work out that way did it? That's why forcing third party stores is a foolish proposition. Android didn't win by being "open" while iOS was "closed" despite that being their primary marketing approach back in the day. If anything, Android moved towards being more "closed" because that's what consumers seemed to want the most when it came to buying apps.
    edited February 2023 lolliverFileMakerFellerwatto_cobrajony0freeassociate2Alex1N
  • Reply 6 of 17
    danoxdanox Posts: 2,804member
    JP234 said:
    Sensational as these stories are, they're nothing new.
    For instance, there have always been investing scams. There have always been gambling scams. There have always been grifters preying on lonelyhearts. There have always been pyramid and Ponzi schemes (well, since Ponzi's). There are food scams, like supermarkets and restaurants mislabeling cheap fish as more expensive species. Tax prep scams. Real estate scams. Health scams (big one).

    None of them, or most other scams, originated in the digital era. Your best protection against analog or digital scams is vigilance, education and common sense. If it seems too good to be true, it is.
    Apple doesn’t except porn apps why are they still excepting bitcoin or crypto currency type apps? or anything else close to it. Just say no and let the mark, type it in on a browser.
    watto_cobraAlex1N
  • Reply 7 of 17
    sflocalsflocal Posts: 6,092member
    neoncat said:
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    Gosh, it's all just so dangerous, maybe we shouldn't have app stores at all? 

    I never knew there were so many people absolutely unable to cope with even the slightest amount of risk until Apple's App Store conceit drove them all out of their safe spaces. At this point, I don't even care about alternate app stores. I rarely buy apps anyway. But the schadenfreude (childish as it may be, I admit) is almost too much to resist. 
    Quit the drama.  It's a valid concern.  That you dismiss it just shows your ignorance.
    lolliverwatto_cobrajony0freeassociate2
  • Reply 8 of 17
    DAalsethDAalseth Posts: 2,783member
    danox said:
    JP234 said:
    Sensational as these stories are, they're nothing new.
    For instance, there have always been investing scams. There have always been gambling scams. There have always been grifters preying on lonelyhearts. There have always been pyramid and Ponzi schemes (well, since Ponzi's). There are food scams, like supermarkets and restaurants mislabeling cheap fish as more expensive species. Tax prep scams. Real estate scams. Health scams (big one).

    None of them, or most other scams, originated in the digital era. Your best protection against analog or digital scams is vigilance, education and common sense. If it seems too good to be true, it is.
    Apple doesn’t except porn apps why are they still excepting bitcoin or crypto currency type apps? or anything else close to it. Just say no and let the mark, type it in on a browser.
    That was my immediate thought. If it involves Crypto, assume it’s a scam. They shouldn’t be in the store anyway. 
    FileMakerFellergatorguywatto_cobrajony0Alex1N
  • Reply 9 of 17
    darkvaderdarkvader Posts: 1,146member
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    And there's the stupidity, right in the first comment.  Figures.

    It will be NO WORSE, because Apple's process doesn't stop bad apps.

    In fact, it'll be better, because users won't automatically assume every app is safe because Apple "approved" it.
  • Reply 10 of 17
    DAalsethDAalseth Posts: 2,783member
    Not really sure what Apple could do about this though other than block it after the fact. The site was legit when the app was vetted. The target was changed on their end not on the phone or in the app. 

    darkvader said:
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    And there's the stupidity, right in the first comment.  Figures.

    It will be NO WORSE, because Apple's process doesn't stop bad apps.

    In fact, it'll be better, because users won't automatically assume every app is safe because Apple "approved" it.
    Actually Apple’s process stops the vast, overwhelming majority, of the bad apps. That a few get through is news BECAUSE it’s comparatively rare. Open them up to anyone who wants to put up an “AppStore” and then that overwhelming majority of malware apps WILL get through.
    edited February 2023 lolliverFileMakerFellerjony0Alex1N
  • Reply 11 of 17
    I have been targeted by a pig butchering scam in South Asia. It was done through Messenger. A very attractive lady ,approached me & tried to make me a long term investor in her firm. If I was a little more naive & had less experience with women, I might have done something extremely stupid. It’s not so black & white as blocking an app. I am sure though if the App Store didn’t have such strict standards much more of these scams could have gone through
    watto_cobraAlex1N
  • Reply 12 of 17
    When apps are merely shells wrapped around websites to show content and layout, they are not much different than just going to that website vs using the app.  

    Unless Apple changes the rules and says all layout and functionality must be contained WITHIN the app, this will be impossible to stop, as websites are not under the control of Apple.  Anyone at any time could take a seemingly harmless website and turn it into an evil monster that intends to do you harm.
    DAalsethlolliverwatto_cobraAlex1N
  • Reply 13 of 17
    DAalsethDAalseth Posts: 2,783member
    brianjo said:
    When apps are merely shells wrapped around websites to show content and layout, they are not much different than just going to that website vs using the app.  

    Unless Apple changes the rules and says all layout and functionality must be contained WITHIN the app, this will be impossible to stop, as websites are not under the control of Apple.  Anyone at any time could take a seemingly harmless website and turn it into an evil monster that intends to do you harm.
    Even if the layout and functionality are within the app, the data would come from outside. Any store app would be susceptible to this, Amazon couldn’t put their whole store in the App, the data changes too often. Change the data, and the app would go something different. So I don’t really think even that would help. 
    edited February 2023 muthuk_vanalingamFileMakerFellerwatto_cobraAlex1N
  • Reply 14 of 17
    sflocalsflocal Posts: 6,092member
    As a developer myself, I'm embarrassed to be associated with entitled, whiney adult-children that feel Apple owes them something.  That politicians - most with zero technology experience - are being swayed by these bedwetters is even more disturbing.

    Apple's only loyalty is to its customers.  Apple has provided huge value to us customers and made itself quite successful on the privacy/security front.  Apple pours a crazy amount of money and resources into keeping customers happy, and coming back.  Apple is so successful with the iPhone due to Apple's policy of private and security.

    Developers think Apple should cater to them first.  I disagree.  Apple provides an amazing amount of tools and support to help developers reach success in the App Store, and those resources don't come cheap to Apple.  15-30% fees are NOT outrageous.  Look at other industries to see how they charge.  It's completely in line.  Don't like it, don't develop for it.  

    Forcing Apple to open up its proprietary, closed system to competitors is wrong on every level.
    FileMakerFellerwatto_cobraAlex1N
  • Reply 15 of 17
    avon b7avon b7 Posts: 7,624member
    DAalseth said:
    Not really sure what Apple could do about this though other than block it after the fact. The site was legit when the app was vetted. The target was changed on their end not on the phone or in the app. 

    darkvader said:
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    And there's the stupidity, right in the first comment.  Figures.

    It will be NO WORSE, because Apple's process doesn't stop bad apps.

    In fact, it'll be better, because users won't automatically assume every app is safe because Apple "approved" it.
    Actually Apple’s process stops the vast, overwhelming majority, of the bad apps. That a few get through is news BECAUSE it’s comparatively rare. Open them up to anyone who wants to put up an “AppStore” and then that overwhelming majority of malware apps WILL get through.
    The Huawei AppGallery has some of the highest security certifications available and even more when tied to HarmonyOS but bad stuff still gets through the net. As you say, nothing can be fail-safe if it's connecting to the internet but I thought Apple was using similar processes to AppGallery:

    Individual developers are ID verified.

    All apps are run through an interconnected database of virus/Trojan/malware... signatures

    Apps are scanned for appropriate use of system APIs

    Apps are scanned for abusive permissions requests. 

    AI is used to analyse the 'behaviour' of the app.

    Of course there is a manual 'human verified' stage. 

    After approval, apps are periodically re-scanned in search of changes that take them away from their original approval metrics.

    Although complete protection may be an impossible goal, AI is definitely part of the solution, especially as bad actors are already using it to attack just about anything and anyone. 

    Alex1N
  • Reply 16 of 17
    avon b7 said:
    DAalseth said:
    Not really sure what Apple could do about this though other than block it after the fact. The site was legit when the app was vetted. The target was changed on their end not on the phone or in the app. 

    darkvader said:
    mike1 said:
    Can you imagine how bad it would get with third-party app stores and side loading?!
    And there's the stupidity, right in the first comment.  Figures.

    It will be NO WORSE, because Apple's process doesn't stop bad apps.

    In fact, it'll be better, because users won't automatically assume every app is safe because Apple "approved" it.
    Actually Apple’s process stops the vast, overwhelming majority, of the bad apps. That a few get through is news BECAUSE it’s comparatively rare. Open them up to anyone who wants to put up an “AppStore” and then that overwhelming majority of malware apps WILL get through.
    The Huawei AppGallery has some of the highest security certifications available and even more when tied to HarmonyOS but bad stuff still gets through the net. As you say, nothing can be fail-safe if it's connecting to the internet but I thought Apple was using similar processes to AppGallery:

    Individual developers are ID verified.

    All apps are run through an interconnected database of virus/Trojan/malware... signatures

    Apps are scanned for appropriate use of system APIs

    Apps are scanned for abusive permissions requests. 

    AI is used to analyse the 'behaviour' of the app.

    Of course there is a manual 'human verified' stage. 

    After approval, apps are periodically re-scanned in search of changes that take them away from their original approval metrics.

    Although complete protection may be an impossible goal, AI is definitely part of the solution, especially as bad actors are already using it to attack just about anything and anyone. 

    The process used by these scammers is the same one used by Epic with Fortnite: part of the app content comes from an external server and as long as that content is not executable code it is allowable by the review process. This is by design and is a pretty good compromise for allowing app changes without needing an additional review, but as we see it has its flaws. At an abstract level it's similar to an exploit on the web known as "cross-site scripting" (XSS) which pulls the resources for a web page from multiple sources (a design approach that lets you cache content with a third party such as a content delivery network) but injects malicious javascript code to do anything that the browser sandbox allows.

    The trade-off for blocking that particular hole is too high, so more sophisticated detection processes are required at run-time. But that degrades performance of the device, so...
    watto_cobraAlex1N
Sign In or Register to comment.