2024-10-03

A concerning large-scale fraud campaign has emerged that uses fake trading apps on the Apple App Store and Google Play Store, as well as phishing websites, to defraud unsuspecting victims. The scheme, investigated by Group-IB, is part of a broader category of consumer investment fraud commonly known as “pig butchering.” In this type of scam, potential victims are lured into investing in cryptocurrency or other financial instruments, often under the guise of a romantic relationship or advice from an investment consultant.

The manipulative tactics employed in these schemes typically lead to significant financial losses for victims. Not only do the fraudsters convince victims to invest their funds, but they may also demand additional payments for various fees under false pretences. Group-IB, a cybersecurity firm based in Singapore, reported that this campaign has a global reach, with victims identified across the Asia-Pacific, Europe, the Middle East, and Africa.

The fraudulent apps, known as UniShadowTrade, were created using the UniApp Framework and have been active since at least mid-2023. They promise quick financial gains to entice potential investors. Alarmingly, one of the apps managed to pass through Apple’s App Store review process, granting it an air of legitimacy that further misled users.

Rising Threat: Fake Trading Apps Target Victims Worldwide

One notable app, SBI-INT, which is no longer available for download, falsely claimed to be a tool for “commonly used algebraic mathematical formulas and 3D graphics volume area calculation.” Investigators believe that the fraudsters employed a specific check in the app’s source code to evade detection by Apple’s review system. The check assessed whether the current date and time were earlier than July 22, 2024. If so, it displayed a fake screen filled with mathematical formulas and graphics.

After the app was removed from the App Store, the perpetrators shifted to distributing the application through phishing websites for both Android and iOS platforms. For iOS users, clicking the download button would trigger the download of a .plist file, prompting a request for permission to install the application. However, the app could not be launched immediately. Victims were instructed to manually trust the Enterprise developer profile, enabling the fraudulent application.

Once installed, the app greeted users with a login page requiring personal information, including their phone number and password. Registration necessitated an invitation code, suggesting that the attackers were targeting specific individuals. Following successful registration, victims underwent a six-step attack process. They were compelled to submit identification documents, personal details, and current employment information before agreeing to the terms and conditions necessary for making investments.

Once victims deposited funds, the cybercriminals provided further instructions on which financial instruments to invest in, often guaranteeing substantial returns. To maintain the illusion of profitability, the app displayed inflated investment gains. However, trouble arose when victims sought to withdraw their funds. They were met with demands for additional fees to recover their supposed principal investments and profits. In reality, the funds were diverted to accounts controlled by the attackers.

One novel tactic was to host the configuration data for the fake trading application, including the URL of the login page and other components, on TermsFeed, a legitimate service that offers compliance software for generating privacy policies and terms of service.

Group-IB noted that the first discovered application served merely as a downloader, fetching and displaying a web app URL. In contrast, the second app, found on phishing sites, contained the web app within its assets. This approach aims to minimize detection risks and avoid raising suspicion during app distribution.

The cybersecurity firm also identified a fake stock investment app on the Google Play Store named FINANS INSIGHTS (com.finans.insights). Another app linked to the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader). Both apps are currently inactive in the Play Store. Data from Sensor Tower indicated that they had been downloaded fewer than 5,000 times. Japan, South Korea, and Cambodia were the top three countries targeted by FINANS INSIGHTS, while FINANS TRADER6 primarily affected users in Thailand, Japan, and Cyprus.

To protect themselves from such scams, users are advised to exercise caution when clicking on links, to refrain from responding to unsolicited messages on social media or dating apps, and to verify the legitimacy of investment platforms by carefully reviewing apps and their publishers, ratings, and user reviews before downloading.

As these fraudulent campaigns continue to evolve, it is crucial for users to stay vigilant and informed about potential threats in the digital landscape.