Fraudsters beat App Store vetting by swapping out app data
Con artists involved in a so-called "pig butchering" scam sneaked apps into Apple's App Store and Google Play Store by temporarily presenting innocuous functionality.


The App Store includes an option for users to report fraud with apps, and in 2022, Apple said it had blocked 1.6 million "problematic apps" away from users. But a new report from security firm Sophos says that at least two apps involved in fraud got by the App Store's review team.
One was called Ace Pro, and was purportedly for scanning QR codes, while the other was presented as a real-time data tracker for cryptocurrencies, called MBM_BitScan. "One victim lost around $4000 to this fake application," says Sophos.
Apps commonly access data from websites to present to users, and in the case of these two it's believed they temporarily accessed legitimate-looking, functioning sites. As the apps went through review, they each appeared to be doing exactly what they claimed to be.
Once the apps were approved and on the App Store, though, the destination websites were seemingly changed.
"In the case of the Ace Pro app, the malicious developers inserted code related to QR checking and other iOS app library code in the app to make it appear legitimate to reviewers," says Sophos. "But when the app is launched, it sends a request to an Asian-registered domain (rest[.]apizza[.]net), which responds with content from another host (acedealex[.]xyz/wap)."
"It is this response that delivers the fake CryptoRom trading interface," continues Sophos. "It is likely that the criminals used a legitimate-looking site for responses at the time of the app review, switching to the CryptoRom URL later."
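The review-time versus post-approval switch Sophos describes is something a store operator or an enterprise app-vetting team can look for by recording an app's network behaviour at review time and re-checking it later. The Python below is an added example, not code from Sophos, Apple or the article; the observations are constructed, and the hostnames are the defanged ones quoted above.

```python
"""Flag post-review drift in an app's remote behaviour (added example, not
code from Sophos or the article). A reviewer snapshots which hosts an app
contacts and what they return at review time, then re-observes it after
approval. Observations are constructed; defanged hosts are from the article."""
import hashlib
import re
from dataclasses import dataclass

HOST_RE = re.compile(r"https?://([A-Za-z0-9.\[\]-]+)")

@dataclass(frozen=True)
class Observation:
    requested_host: str  # host the app sent its request to
    served_by: str       # host whose content actually came back
    body: bytes          # response body the app rendered

def fingerprint(observations):
    """Map requested host -> (serving host, SHA-256 of body, hosts referenced in body)."""
    out = {}
    for o in observations:
        refs = frozenset(HOST_RE.findall(o.body.decode("utf-8", "replace")))
        out[o.requested_host] = (o.served_by, hashlib.sha256(o.body).hexdigest(), refs)
    return out

def drift(review_obs, later_obs):
    """Return findings where later behaviour departs from the review-time baseline."""
    base, now = fingerprint(review_obs), fingerprint(later_obs)
    known = set(base) | {served for served, _, _ in base.values()}
    findings = []
    for host, (served, digest, refs) in now.items():
        if host not in base:
            findings.append(f"new endpoint contacted: {host}")
            continue
        base_served, base_digest, _ = base[host]
        if served != base_served:
            findings.append(f"{host} now served by {served} (was {base_served})")
        elif digest != base_digest:
            findings.append(f"{host}: response content changed since review")
        for ref in sorted(refs - known):
            findings.append(f"{host}: response references unreviewed host {ref}")
    return findings

# Constructed sample modelled on the article: at review time the app's API host
# returns a benign page; later the same request is answered from another host.
REVIEW_TIME = [Observation("rest[.]apizza[.]net", "rest[.]apizza[.]net",
                           b"<html>QR scanner help</html>")]
POST_APPROVAL = [Observation("rest[.]apizza[.]net", "acedealex[.]xyz",
                             b'<a href="https://acedealex[.]xyz/wap">Deposit to trade</a>')]
```

Calling `drift(REVIEW_TIME, POST_APPROVAL)` reports both that the request is now answered by a different host and that the returned content points at a host never seen during review.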
What both apps then presented to users was a crypto trading service which had "a working-but-fake trading interface with the purported ability to deposit and withdraw currency." Any money deposited through the app goes to the con team "rather than an actual trading account."
The "pig butchering" scam
"Pig butchering," also known as CryptoRom, is a long con fraud that involves ensnaring victims via social engineering and online dating applications. Victims are approached via online dating, then encouraged to move the conversation over to WhatsApp.
Ultimately, the "date" uses "highly developed profiles and backstories" to "lure the victims into trusting the guidance provided by the criminals." The fraudsters then lead the victims to the apps, saying they have already invested themselves.
In this case, the very presence of the apps on the App Store and Google Play Store helps make them seem legitimate. Apple has removed both apps after being notified by Sophos, and Google Play has removed the one app found on its store.
This is not the first time that apps have been used to scam users, but previously most have been what's called "fleeceware." They are apps that have free trials, but then automatically charge high recurring subscriptions until actively stopped.
Read on AppleInsider
Comments
I never knew there were so many people absolutely unable to cope with even the slightest amount of risk until Apple's App Store conceit drove them all out of their safe spaces. At this point, I don't even care about alternate app stores. I rarely buy apps anyway. But the schadenfreude (childish as it may be, I admit) is almost too much to resist.
Are AppStore apps not subjected to continuous appraisal once they get through the door?
If the app store itself is approved with the relevant security certifications in hand, I wouldn't even call it sideloading.
Actually Apple’s process stops the vast, overwhelming majority of the bad apps. That a few get through is news BECAUSE it’s comparatively rare. Open them up to anyone who wants to put up an “AppStore” and then that overwhelming majority of malware apps WILL get through.
Individual developers are ID verified.
All apps are run through an interconnected database of virus/Trojan/malware... signatures
Apps are scanned for appropriate use of system APIs
Apps are scanned for abusive permissions requests.
AI is used to analyse the 'behaviour' of the app.
Of course there is a manual 'human verified' stage.
After approval, apps are periodically re-scanned in search of changes that take them away from their original approval metrics.
Although complete protection may be an impossible goal, AI is definitely part of the solution, especially as bad actors are already using it to attack just about anything and anyone.
The trade-off for blocking that particular hole is too high, so more sophisticated detection processes are required at run-time. But that degrades performance of the device, so...