Sophos, a global cyber security corporate leader, has identified a stock pile of 167 fake Android and iOS apps. Attackers use these apps to rob people who think they’ve installed a well-known and trustworthy financial trader, banking, or crypto-currency app. A report on the findings, “Fake Android and iOS apps disguised as trade and crypto-currency apps,” shows that attackers have utilized social technology, counterfeit websites, including the fake iOS App Store download page, and an iOS website for testing fabricated apps to distribute unsuspected applications.
In one of the systems examined, scammers brought users together through a dating app, established a profile and exchanged messages with individual targets before trying to lure them to download and add funds and cryptocurrency to a false app. The attackers simply blocked their access when the targets tried to withdraw funds or close the account.
Deception similar to phishing campaigns
In several other circumstances, the attackers designed the websites to look like a trusted company, like a bank, to trap targets. In order to convince the operators to install a truly authentic app store, they even created a false “iOS App Store” download page featuring fake customer reviews. When users clicked on the links, they were given something that looked like a mobile web app to download the wrong app for Android or iOS, but actually was a shortcut icon connected to a fake website.
The attackers also distributed some fake iOS applications through third-party sites, which help iOS developers test new applications with a small number of Apple devices before submitting apps to the official App Store.
What do experts say?
The operators of the fraudulent activity and cryptocurrency scams take advantage of this ruthlessly,” said Jagadeesh Chandraiah, the Senior Threat Researchers at Sophos, “People trust those brands and people they know or think it knows.” “The fake applications we have uncovered are popular and trustworthy financial applications from around the world, while the database is started by an easy exchange of trust-building messages before you get a fake application to configure. The fraud seems very credible with such tactics.
“Users only need to download apps from trusted sources like Google Play and the Apple app store in order to avoid the falling prey to such malicious apps. Developers of popular apps often have a website that directs users to a real app and users should check, if they know how to do it, that their actual developer has created the app they are about to download. Finally, but not least, if something appears to be risky or too good for it to be true – high returns or someone from a dating website asking you to transfer money or assets onto a big account – it is likely to be even worse.”