Security researchers have uncovered hundreds of malicious Android and iOS apps posing as legitimate cryptocurrency, banking, and financial apps. Using social engineering, scammers tricked victims into installing the apps and then stole both money and credentials.
The bad actors would sign up for dating and other social apps and befriend a target to get started. They would then move the conversation to a messaging app so the dating platform could not catch on and block them. And, of course, the Covid-19 pandemic provided the perfect excuse to never meet in person.
After establishing a relationship and trust, the true scam began with promises of financial gain through cryptocurrency or investment apps. True to form, the thieves promised guaranteed returns or instilled FOMO by claiming the opportunity would disappear quickly.
The victim would create an account and hand over money. Only when the victim tried to withdraw or transfer funds would they learn the truth: at that point the bad actor would lock them out of the account and run off with the cash. In some cases the scammer went further, using a clone of a legitimate banking app to trick the victim into entering their real account details.
To get the app installed, the scammers used a variety of tricks. On Android, they would point the victim to a webpage designed to look like a cryptocurrency or banking site. The page hosts a download link that looks like it will open the Google Play Store but instead installs a web app. That sidesteps both Google Play's review controls and the need to enable installation from unknown sources, the setting that normally has to be switched on before a sideloaded app can be installed.
On iOS, some of the apps were delivered the same way. In other cases, the scammers relied on a "Super Signature" process to bypass the App Store and Apple's review. Super Signature distribution is normally something you would only run into in a testing scenario or an enterprise deployment. The process essentially registers the victim's device as a test device under a developer account so the app can be installed outside the App Store, similar to how Facebook once installed survey apps without Apple's approval.
The scammers even went so far as to provide customer support, both on the sites used to distribute the malicious app and inside the app itself. The researchers took the time to chat with the "support team" to learn more about where the money went (Hong Kong) and how the process worked.
For the most part, the researchers at Sophos say these campaigns target Asian victims, but that doesn't mean the idea won't travel elsewhere. For the best protection, always go directly to the Play Store or Apple App Store to download apps. It is also worth checking what is already on your device: on iOS, apps installed through a developer or enterprise profile show up under Settings > General > VPN & Device Management, and anything you don't recognize there deserves a hard look. And if someone promises "guaranteed money," maybe back away. Few things, especially cryptocurrency and finances, are so certain in life.