Researchers on Wednesday reported that they found 167 counterfeit Android and iOS apps that attackers used to steal money from victims who believed they had installed a financial trading, banking or cryptocurrency app from a trusted provider.
In a blog post, Sophos researchers explain how the attackers – whom the researchers believe may all belong to a single group – used social engineering, counterfeit websites (including a fake iOS App Store download page) and an iOS app-testing website to distribute the fake apps to their victims.
According to the researchers, the scammers approached users through a dating app, setting up a profile and exchanging messages with individual targets before luring them into installing one of the fake apps and adding money and cryptocurrency to it. If targets later tried to withdraw funds or close the account, the attackers would block access.
In other cases, victims were caught through websites designed to resemble those of trusted brands. For example, the operators even created a fake “iOS App Store” download page that featured phony customer reviews to convince victims they had installed an app from the real App Store. If people clicked on the links to download the fake apps for either Android or iOS, they received something that looked like a mobile web app but was actually a shortcut icon that linked to a fake website.
The app stores – the trustworthiness of which remains more perception than reality – need to go beyond blocking known-bad content, said Ted Driggs, head of product at ExtraHop. Driggs said both sites and apps should have to build reputation through legitimate usage, and share reputation data (preferably in machine-readable format) with the broader security community.
“Platform providers such as Apple and Google already do this on web browsers with the safe-browsing API, but the industry should extend it to include apps as well,” Driggs said. “And app stores should build reputation and trustworthiness into the rankings of apps, rather than just basing those rankings on popularity. The web should never become a walled garden, but that doesn’t mean users need to be left completely defenseless against these attackers.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said employees continue to fall for these scams because the notices are so authentic-looking that it is difficult to tell them apart from the real app. Carson said companies need better cyber hygiene, achieved by educating employees on ways to detect these scams.
“Make sure passwords are not the company’s only security control,” Carson said. “One way criminals will steal an identity is by taking over accounts. Do not make it easy for them. Use strong access controls to protect the most important accounts using a password manager and multifactor authentication. Also, limit what personal information the company makes available on the public internet; the more details available, the easier it is for criminals to reuse and duplicate identities.