Cyberthugs from Tinder lure gullible men into a cruel financial trap.
The creators of a highly profitable investment scam known as "pig butchering" have found a way to bypass the protections of the Google Play and Apple App Stores.
The pig butchering scam has been running for years. Attackers use fake websites, malicious ads, and social engineering, and by getting fraudulent applications into the official stores, they make it even easier to gain the victim's trust.
Researchers at cybersecurity firm Sophos say cybercriminals are targeting victims on popular social media. They convince them to download fraudulent apps and "invest" large sums of money in assets that they say are real. Basically, scammers fool men using fake Facebook and Tinder profiles for women.
ShaZhuPan is a China-based criminal group running this scam campaign. It shows a very high level of organization: separate teams handle interaction with victims, finance, franchising, and money laundering.
The scammer-controlled profiles are built around a luxury lifestyle, with photos of expensive restaurants, shops, and exotic destinations. This is apparently how the attackers attract wealthy men.
After gaining the victim's trust, the scammers claim to have a relative who works for a financial analysis firm. They insist that good money can be made this way and invite the victim to trade cryptocurrency through an application from the Play Store or App Store.
The scammers instruct the victim how to create an account on the Binance cryptocurrency exchange platform, fund the balance, and then transfer the invested amount to a fake app.
The malicious apps used in the campaign observed by Sophos are called "Ace Pro" and "MBM_BitScan" in the Apple App Store, and "BitScan" in the Play Store.
At first, these applications allow the victim to withdraw small amounts of cryptocurrency, but then block their accounts when the amounts become larger. The initial withdrawal of funds is usually enough for the victims to trust the scheme and keep investing.
The method used to bypass the security checks of the mobile app stores is quite simple. To get into the App Store, the ShaZhuPan gang submits an app signed with a valid certificate issued by Apple, which is the main requirement for any code to be accepted into the iOS store. Initially the application connects to a harmless server and its behavior raises no suspicion. Once it has passed review, the developer changes the domain, and the application connects to the malicious server instead.
After launching the application, the victim sees a cryptocurrency trading interface delivered from a malicious server. However, all displayed information is fake, except for the user's account.
Sophos researchers found that the Android and iOS BitScan apps have different vendor names but communicate with the same control server, which appears to be impersonating bitFlyer, a legitimate cryptocurrency exchange company in Japan.
Because these apps are only downloaded by a small number of targeted users, they are not reported as mass scams, increasing the time it takes for them to be identified and removed from the store.
The pig butchering scam generates high profits in a short time, so the scammers are motivated to spend a lot of time and effort gaining their victims' trust through long-term communication.
Such lengthy interactions, the initial successful withdrawals, and the convincing interface of the fake apps make it hard for victims to recognise that they are being scammed at all.
Sophos also notes that the emergence and popularization of the fintech industry has further strengthened people's trust in such software tools. And when apps are downloaded from the official Apple and Google stores, victims have little to no doubt about their legitimacy and safety.