This past spring, researchers from SophosLabs published a report about scammers who used dating sites and apps to trick victims into installing fake cryptocurrency apps on iPhone and Android. According to fresh research, the bad guys have upped their game.
SophosLabs researchers Jagadeesh Chandraiah and Xinran Wu wrote about the latest cases in the SophosLabs Uncut blog, saying that since their first report they have seen increasing evidence that these fake apps are part of a larger, wide-ranging global scam.
“We have learned of victims in Europe, most of them iPhone users, who have lost thousands of dollars to crooks through these scams. We have also identified more applications tied to the fraud campaign—which, due to its combination of romance scams and cryptocurrency trading fraud, we’ve dubbed CryptoRom.”
The bad actors behind these applications target iOS users via Apple’s ad hoc distribution method, through distribution operations known as “Super Signature services.” As the researchers expanded their search based on user-provided data and additional threat hunting, they also watched malicious iOS apps leverage configuration profiles to abuse Apple’s Enterprise Signature distribution scheme and target victims.
“From news reports, we learned one victim lost £63,000 (~$87,000). There are additional news reports in the UK of these scams, with one victim losing £35,000 (~$45,000) to a scammer who contacted them through Facebook, and another who lost £20,000 ($25,000) after being scammed by someone who contacted them through Grindr. In the latter case, the victim made an initial deposit, transferred money to a Binance application from their bank and then to the crooks; they were then asked to deposit more funds in order to withdraw their money. None of these victims have gotten their money back. Though some victims have been Android users, SophosLabs believes most are iPhone users. Web pages created to distribute these apps have also mainly mimicked the App Store, suggesting these scammers are targeting iPhone users on the assumption that they are likely to be wealthy. The following image is from one of the recent fraud web pages, and the destination for the app download resembles the Apple App Store page.”
The researchers urged Apple to warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple.
SophosLabs has shared details of the malicious apps and infrastructure with Apple and is still awaiting a response.
For those looking to mitigate these attacks, SophosLabs has made a full list of IOCs from the first part of this attack campaign available on its GitHub.