The dark world of “pig butchering” investment scams has found a new frontier: the official app stores of Google and Apple. These lucrative scams combine fake websites, advertisements and social engineering to trick victims into installing fraudulent apps and pouring large sums into assets that do not exist.

Cryptocurrency scam

Cybersecurity firm Sophos has uncovered a campaign by the China-based threat group “ShaZhuPan,” which appears to be highly organized, with separate teams handling victim interaction, finance, franchising and money laundering. The group is said to target male users on Facebook and Tinder using fake profiles of women, filled with images of a lavish lifestyle, to win the victims’ trust.

The malicious apps, named “Ace Pro” and “MBM_BitScan” on the Apple App Store and “BitScan” on the Google Play Store, initially let victims withdraw small amounts of cryptocurrency, building confidence in the scheme. Once larger deposits have been made, the accounts are locked and the victims are left with nothing.

The method the ShaZhuPan gang uses to get past app store review is a bait-and-switch. The app is submitted through a legitimate developer account and signed like any other app, which is the basic requirement for store admission, and at review time it exhibits only benign functionality and talks to a harmless server. Once the app is approved, the developer switches the backend domain it contacts to a malicious server, and from then on the victim is presented with a fake cryptocurrency trading interface. The store review is a point-in-time check of the client; the behaviour that matters is delivered from the server afterwards, so the approved binary never needs to change.

MBM Bitscan

The BitScan apps for Android and iOS are published under different vendor names but communicate with the same command-and-control server, which appears to impersonate a legitimate cryptocurrency exchange company in Japan. Because each app is installed only by a small number of targeted victims, it attracts few user reports, which makes it hard for app store security reviewers to identify and remove.
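The two patterns above, an app whose backend host changes after approval and several apps from different vendors sharing one backend, are both visible in network telemetry if a reviewer records which hosts an app contacts at review time and after release. The following is an added example, not Sophos’s code or data: the observation records and the hostnames (`qr-tools.example`, `trade.example.net`, `notes.example.org`) are constructed for illustration and are not the real infrastructure from the campaign.

```python
"""Flag app-store review evasion from per-app network observations.

Added example with constructed data; it is not Sophos telemetry and the
hostnames are made up. Two heuristics are implemented:

  1. apps_that_switched_backend: the hosts an app contacts after release
     include one it never contacted during review (bait-and-switch).
  2. shared_backends: a single host is contacted by apps published under
     more than one vendor name (one operator, many storefront identities).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed observations: (app, platform, vendor, phase, url).
# The app names come from the article; the vendors and URLs are invented.
OBSERVATIONS = [
    ("Ace Pro", "ios", "Vendor A", "review", "https://qr-tools.example/api/v1/scan"),
    ("Ace Pro", "ios", "Vendor A", "post-release", "https://trade.example.net/api/login"),
    ("MBM_BitScan", "ios", "Vendor B", "review", "https://trade.example.net/api/login"),
    ("MBM_BitScan", "ios", "Vendor B", "post-release", "https://trade.example.net/api/login"),
    ("BitScan", "android", "Vendor C", "review", "https://trade.example.net/api/login"),
    ("BitScan", "android", "Vendor C", "post-release", "https://trade.example.net/api/login"),
    ("NotesApp", "android", "Vendor D", "review", "https://notes.example.org/sync"),
    ("NotesApp", "android", "Vendor D", "post-release", "https://notes.example.org/sync"),
]


def host_of(url):
    """Normalise a URL to its lower-cased hostname."""
    return urlparse(url).hostname.lower()


def apps_that_switched_backend(observations):
    """Return {app: (review_hosts, post_release_hosts)} for every app that
    contacts a host after release which it never contacted during review."""
    by_app = defaultdict(lambda: {"review": set(), "post-release": set()})
    for app, _platform, _vendor, phase, url in observations:
        by_app[app][phase].add(host_of(url))
    return {
        app: (sorted(hosts["review"]), sorted(hosts["post-release"]))
        for app, hosts in by_app.items()
        if hosts["post-release"] - hosts["review"]
    }


def shared_backends(observations):
    """Return {host: [(app, platform, vendor), ...]} for hosts that are
    contacted by apps published under more than one vendor name."""
    by_host = defaultdict(set)
    for app, platform, vendor, _phase, url in observations:
        by_host[host_of(url)].add((app, platform, vendor))
    return {
        host: sorted(apps)
        for host, apps in by_host.items()
        if len({vendor for _, _, vendor in apps}) > 1
    }


if __name__ == "__main__":
    for app, (before, after) in apps_that_switched_backend(OBSERVATIONS).items():
        print(f"backend switch: {app}: review={before} post-release={after}")
    for host, apps in shared_backends(OBSERVATIONS).items():
        print(f"shared backend {host}: {apps}")
```

On the constructed data the first heuristic flags only Ace Pro (a QR-scanner host at review, a trading host afterwards), and the second flags `trade.example.net` as common to three apps from three vendors on two platforms. Neither check can be run from the submitted binary alone, which is the point: the signal only exists once the app’s live traffic is observed after approval.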

Sophos notes that the rise of “FinTech” has normalized trust in financial software, and that an app sourced from the official Apple or Google store carries an even stronger sense of legitimacy. That trust is misplaced here: store review approved a benign-looking app whose fraudulent behaviour was only switched on afterwards. The best protection is to research an app before installing it, check reviews from other users, read the privacy policy, and verify the developer/publisher details and company information, and to be especially wary of any investment app recommended by someone you have only met online.
