A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB.

The campaign is part of a consumer investment fraud scheme that’s also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial instruments after gaining their trust under the guise of a romantic relationship or an investment advisor.

Such manipulative and social engineering operations often end with the victims losing their funds, and in some cases, extracting even more money from them by requesting various fees and other payments.

The Singapore-headquartered company said the campaign has a global reach, with victims reported across Asia-Pacific, European, Middle East and Africa. The bogus apps, built using the UniApp Framework, have been classified under the moniker UniShadowTrade.

The activity cluster is said to have been active since at least mid-2023, luring victims with malicious apps with the promise of quick financial gain. A noteworthy aspect of the threat is that one of the apps managed to even get past Apple’s App Store review process, thus lending it an illusion of legitimacy and trust.

The app in question, SBI-INT, is no longer available for download from the app marketplace, but it masqueraded as software for “commonly used algebraic mathematical formulas and 3D graphics volume area calculation.”

It’s believed that the cybercriminals accomplished this by means of a check that included the app’s source code that checked if the current date and time is earlier than July 22, 2024, 00:00:00, and if so, launched a fake screen with formulae and graphics.

But once it was taken down weeks after it was published, the threat actors behind the operation are said to have pivoted to distributing the app, for both Android and iOS, via phishing websites.

“For iOS users, pressing the download button triggers the download of a .plist file, prompting iOS to ask for permission to install the application,” Group-IB researcher Andrey Polovinkin said.

“However, after the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational.”

Users who end up installing the app and opening it are greeted with a login page, requiring users to provide their phone number and password. The registration process involves entering an invitation code in the app, suggesting that the attackers are targeting specific individuals to pull off the scam.

A successful registration triggers a six-step attack process wherein the victims are urged to provide identity documents as proof, personal information, and current job details, after which they are asked to agree to the service’s terms and conditions in order to make the investments.

Once the deposit has been made, the cybercriminals send further instructions on which financial instrument to invest in and often guarantee that they will yield high returns, thereby deceiving users into investing more and more money. To maintain the ruse, the app is rigged to display their investments as making gains.

Trouble starts when the victim attempts to withdraw the funds, at which point they are asked to pay additional fees to recover their principal investments and purported gains. In reality, the funds are stolen and diverted to accounts under the attackers’ control.

Another novel tactic adopted by the malware authors is the use of an embedded configuration that includes specifics about the URL that hosts the login page and other aspects of the purported trading application launched within the app.

This configuration information is hosted in a URL associated with a legitimate service called TermsFeed that offers compliance software for generating privacy policies, terms and conditions, and cookie consent banners.

“The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL,” Polovinkin said. “In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets.”

This, per Group-IB, is a deliberate approach taken by the threat actors to minimize the chances of detection and avoid raising red flags when the app is distributed through the App Store.

Furthermore, the cybersecurity firm said it also discovered one of the fake stock investment scam apps on the Google Play Store that went by the name FINANS INSIGHTS (com.finans.insights). Another app linked to the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader)

While both Android apps are not present in the Play Store, statistics from Sensor Tower show that they were downloaded less than 5,000 times. Japan, South Korea, and Cambodia were the top three countries served by FINANS INSIGHTS, whereas Thailand, Japan, and Cyprus were the primary regions where FINANS TRADER6 was available.

“Cybercriminals continue to use trusted platforms such as the Apple Store or Google Play to distribute malware disguised as legitimate applications, exploiting users’ trust in secure ecosystems,” Polovinkin said.

“Victims are lured in with the promise of easy financial gains, only to find that they are unable to withdraw funds after making significant investments. The use of web-based applications further conceals the malicious activity and makes detection more difficult.”