Group-IB reveals a deception scheme that fraudsters have been successfully using since last year.
A global fraud campaign using fake trading apps published on the Apple App Store and Google Play was recently uncovered by researchers from Group-IB. These apps and phishing sites have been used to deceive victims and steal their funds.
The scam is associated with the Pig Butchering scheme, in which attackers slowly gain the trust of victims through online communication - both romantic and under the guise of investment advice. They then convince victims to invest in cryptocurrency or financial instruments. Such frauds often lead to the loss of the investment, and sometimes to additional payments from the victims under various pretexts.
The fraudulent operation identified by Group-IB was called UniShadowTrade, and it has been underway since mid-2023. Using applications built on top of the UniApp Framework, the attackers reached victims around the world, including the Asia-Pacific region, Europe, the Middle East, and Africa. One of the apps even bypassed Apple's verification system, which increased its credibility in the eyes of users.
The SBI-INT app, which has since been removed from the App Store, disguised itself as a program for mathematical calculations and graphs; in fact it used a date and time check to hide its true purpose until a certain point in time. After being removed from the official store, the attackers switched to distributing the program through phishing sites.
To install the fake app on iOS, victims were asked to download a file with the ".plist" extension and manually trust the developer's profile. After these steps, the app became fully functional, asking for a phone number and password to log in. The registration process required an invitation code, which indicates targeted deception.
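The ".plist" the victims were handed is, by the description, an over-the-air (OTA) install manifest: a property list that points iOS at an .ipa package outside the App Store. The following is an added example, not code from Group-IB or from the article, showing how a defender can triage such a manifest before anyone taps "Install". It assumes the standard OTA manifest layout (items / assets / metadata keys); the manifest content, hostnames and bundle identifier below are constructed for illustration and are not indicators from the campaign.

```python
import ipaddress
import plistlib
from urllib.parse import urlparse

# Constructed sample OTA manifest (not a real campaign artifact): the kind of
# ".plist" a phishing page hands to iOS via an itms-services:// link.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>http://cdn.example-phish.invalid/app.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.calcgraph</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Graph Calculator</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def _is_ip_literal(host: str) -> bool:
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_manifest(data: bytes) -> list[dict]:
    """Parse an iOS OTA install manifest and summarise what it would install.

    Returns one record per item with the advertised title, bundle id, the
    hosts the .ipa package would be fetched from, and a list of review flags.
    Any install through such a manifest already bypasses App Store review,
    so the package host is always recorded for follow-up, flags or not.
    """
    plist = plistlib.loads(data)
    findings = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        packages = [
            asset.get("url", "")
            for asset in item.get("assets", [])
            if asset.get("kind") == "software-package"
        ]
        flags = []
        if not meta.get("bundle-identifier"):
            flags.append("missing bundle-identifier")
        if not packages:
            flags.append("no software-package asset")
        for url in packages:
            parsed = urlparse(url)
            if parsed.scheme != "https":
                flags.append(f"package not served over https: {url}")
            if parsed.hostname and _is_ip_literal(parsed.hostname):
                flags.append(f"package host is a bare IP: {parsed.hostname}")
        findings.append({
            "title": meta.get("title", "<untitled>"),
            "bundle_id": meta.get("bundle-identifier", ""),
            "package_hosts": [urlparse(u).hostname or "" for u in packages],
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for record in triage_manifest(SAMPLE_MANIFEST):
        print(f"{record['title']} ({record['bundle_id']})")
        print("  package hosts:", ", ".join(record["package_hosts"]))
        for flag in record["flags"]:
            print("  FLAG:", flag)
```

The useful output for an investigator is the package host and bundle identifier: the advertised title ("Graph Calculator") says nothing about what the .ipa contains, while the host tells you where the payload is staged and the bundle id lets you compare against the App Store listing the phishing page imitates.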
The entire process consists of six steps, including identity verification, provision of personal data, and job details. Victims are then asked to agree to the terms and conditions of the service in order to make the investment. After making a deposit, the attackers "recommend" investing in certain financial instruments, promising high returns, and the application shows an increase in investments to keep victims in the scheme.
However sweet the scammers' offers sound, attempts to withdraw funds from the app are blocked, and victims are told to pay additional fees to "recover" the initial investment. In reality, the funds are stolen and sent to the criminals' accounts.
The crooks also hide their activity through a built-in configuration that identifies the URL where the login page is hosted. This approach makes the fraudulent activity harder to detect and analyze.
During the analysis of the campaign, Group-IB experts also identified the fraudulent applications FINANS INSIGHTS and FINANS TRADER6 on Google Play. These Android apps were available for download in Japan, South Korea, Cambodia, Thailand, and Cyprus, but have since been removed. In total, they were downloaded fewer than 5,000 times.
Experts advise being careful when clicking on unknown links, avoiding communication with strangers on social networks and dating sites, and carefully checking investment platforms and applications before downloading them, including checking user ratings and reviews.
Source