Pig-butchering scam apps sneak into Apple’s App Store and Google Play

  News
image_pdfimage_print
artist rendition of a piggbank with an Apple App Store logo on it about to explode
Aurich Lawson | Getty Images

In the past year, a new term has arisen to describe an online scam raking in millions, if not billions, of dollars per year. It’s called “pig butchering,” and now even Apple is getting fooled into participating.

Researchers from security firm Sophos said on Wednesday that they uncovered two apps available in the App Store that were part of an elaborate network of tools used to dupe people into putting large sums of money into fake investment scams. At least one of those apps also made it into Google Play, but that market is notorious for the number of malicious apps that bypass Google vetting. Sophos said this was the first time it had seen such apps in the App Store and that a previous app identified in these types of scams was a legitimate one that was later exploited by bad actors.

Pig butchering relies on a rich combination of apps, websites, web hosts, and humans—in some cases human trafficking victims—to build trust with a mark over a period of weeks or months, often under the guise of a romantic interest, financial adviser, or successful investor. Eventually, the online discussion will turn to investments, usually involving cryptocurrency, that the scammer claims to have earned huge sums of money from. The scammer then invites the victim to participate.

Once a mark deposits money, the scammers will initially allow them to make withdrawals. The scammers eventually lock the account and claim they need a deposit of as much as 20 percent of their balance to get it back. Even when the deposit is paid, the money isn’t returned, and the scammers invent new reasons the victim should send more money. The pig-butchering term derives from a farmer fattening up a hog months before it’s butchered.

Abusing trust in the App Store

Sophos said that it recently found two iOS listings in the App Store that were used for CryptoRom, a type of pig butchering that uses romantic overtures to build the confidence of its victims. The first was called Ace Pro and claimed to be an app for scanning QR codes.

Ace Pro, as it appeared in the App Store before being removed.
Enlarge / Ace Pro, as it appeared in the App Store before being removed.

The second app was MBM_BitScan, which billed itself as a real-time data tracker for cryptocurrencies. One victim Sophos tracked dumped about $4,000 into the app before realizing it was fake.

MBM-BitScan as it appeared in the App Store before being removed.
Enlarge / MBM-BitScan as it appeared in the App Store before being removed.

Apple is famous for its reputation—warranted or otherwise—for filtering out malicious apps before they end up in the App Store. Combined with detailed fake online profiles and elaborate backstories the scammers use to lure victims, the presence of the apps in the App Store made the ruse all the more convincing.

“If criminals can get past these checks, they have the potential to reach millions of devices,” Sophos researchers wrote. “This is what makes it more dangerous for CryptoRom victims, as most of those targets are more likely to trust the source if it comes from the official Apple App Store.”

Apple representatives didn’t respond to an email requesting an interview for this story. In a statement, which the representative provided on condition it be on background, the company said that one of the apps submitted provided QR scanning and the other cryptocurrency tracking. Once the bait-and-switch came to light, Apple removed them. The representative also cited a recent study that found the App Store stopped nearly $1.5 billion in fraudulent transactions in 2021 and prevented more than 1.6 million risky and untrustworthy apps and app updates from defrauding users that year. 

Google PR also declined an interview but said in an email the company removed the app after receiving a heads-up from Sophos.

Ace Pro and MBM_BitScan circumvented Apple’s vetting process by using remote content downloaded from hardcoded web addresses to deliver their malicious functionality. When Apple was reviewing the apps, the sites likely delivered benign content. Eventually, that changed.

Ace Pro, for instance, started sending a request to the domain rest.apizza[.]net, which would then respond with content from acedealex[.]xyz, which would deliver the fake trading interface. MBN_BitScan reached out to a server hosted by Amazon, which in turn beckoned flyerbit8[.]com, a domain designed to look like the legitimate Bitcoin service bitFlyer.

The process looked something like this:

Diagram showing how app submissions bypassed vetting.
Enlarge / Diagram showing how app submissions bypassed vetting.

The fake interface gave the appearance of allowing users to deposit and withdraw money and field customer service requests in real time. To get the victims started, the scammers instructed them to transfer money into the Binance exchange and, from there, from Binance to the fake app.

Fake trading interface provided by Ace Pro.
Enlarge / Fake trading interface provided by Ace Pro.

Fake trading interface provided by MBM_BitScan.
Fake trading interface provided by MBM_BitScan.

https://arstechnica.com/?p=1913889