Hundreds of Malicious Mobile Apps Promised Financial Peace and Stole Money

Security researchers have uncovered hundreds of malicious Android and iOS apps posing as legitimate cryptocurrency, banking, and financial apps. Using social engineering techniques, scammers tricked victims into installing apps that stole both money and credentials.

To get started, the bad actors would sign up for dating and other meet-up apps and befriend a person. The scammers would then move the conversation to messaging apps to prevent the dating app from catching on and blocking them. And, of course, the COVID-19 pandemic provided the perfect excuse to never meet in person.

After establishing a relationship and trust, the true scam began with promises of financial gain through cryptocurrency or investment apps. True to scam tactics, the thieves promised guaranteed gains or instilled FOMO by claiming the opportunity would disappear quickly.

The victim would create an account and hand over money. It’s only when the victim tried to withdraw or transfer money that they’d find out the truth—as the bad actor would lock them out of the account at that point and run off with the cash. And in some cases, by creating a clone of a legitimate banking app, the scammer tricked the victim into providing actual account details.

To get the app installed, hackers use a variety of tricks. On Android, the scammer would point the victim to a webpage designed to look like a cryptocurrency or banking site. The page hosts a download link that looks like it will open the Google Play Store but instead installs a web app. That bypasses both the Google Play Store’s controls and the need to enable third-party store settings.

Installing Apple apps sometimes followed the same method. But in other cases, the scammers relied on a “Super Signature” process to bypass Apple’s security and app store. You’d typically run into Super Signature apps in a testing scenario or for enterprise deployment. The process essentially makes the victim a developer account, similar to how Facebook once installed survey apps without Apple’s approval.

The scammers even went so far as to provide customer support, both on the sites intended to install the malicious app and in the app itself. The security researchers even took time to chat with the “support team” to learn more details about where the money went (Hong Kong) and how the process worked.

For the most part, the researchers at Sophos say these instances target Asian victims, but that doesn’t mean the idea won’t travel elsewhere. For the best security, always go directly to the Play Store or Apple App Store to download apps. And if someone promises “guaranteed money,” maybe back away. Few things, especially cryptocurrency and finances, are so certain in life.

Source: Sophos via ZDNet

Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.