Fraudsters beat App Store vetting by swapping out app data

The App Store includes an option for users to report fraud with apps, and in 2022, Apple said it had blocked 1.6 million "problematic apps" away from users. But a new report from security firm Sophos says that at least two apps involved in fraud got by the App Store's review team.

One was called Ace Pro, and was purportedly for scanning QR codes, while the other was presented as a real-time data tracker for cryptocurrencies, called MBM_BitScan. "One victim lost around $4000 to this fake application," says Sophos.

Apps commonly access data from websites to present to users, and in the case of these two it's believed they temporarily accessed legitimate-looking, functioning sites. As the apps went through review, they each appeared to be doing exactly what they claimed to be.

Once the apps were approved and on the App Store, though, the destination websites were seemingly changed.

"In the case of the Ace Pro app, the malicious developers inserted code related to QR checking and other iOS app library code in the app to make it appear legitimate to reviewers," says Sophos. "But when the app is launched, it sends a request to an Asian-registered domain (rest[.]apizza[.]net), which responds with content from another host (acedealex[.]xyz/wap)."

"It is this response that delivers the fake CryptoRom trading interface," continues Sophos. "It is likely that the criminals used a legitimate-looking site for responses at the time of the app review, switching to the CryptoRom URL later."

What both apps then presented to users was a crypto trading service which had "a working-but-fake trading interface with the purported ability to deposit and withdraw currency." Any monies deposited through the app goes to the con team, not "rather than an actual trading account."

The "pig butchering" scam

"Pig butchering," also known as CryptoRom, is a long con fraud that involves ensnaring victims via social engineering and online dating applications. Victims are approached via online dating, then encouraged to move the conversation over to WhatsApp.

Ultimately, the date uses "highly developed profiles and backstories" to "lure the victims into trusting the guidance provided by the criminals." The fraudsters then lead the victims to the apps, saying they have already invested themselves.

In this case, the very presence of the apps on the App Store and Google Play Store helps make them seem legitimate. Apple has removed both apps after being notified by Sophos, and Google Play has removed the one app found on its store.

This is not the first time that apps have been used to scam users, but previously most have been what's called "fleeceware." They are apps that have free trials, but then automatically charge high recurring subscriptions until actively stopped.