
Beware bogus Betas – cryptocoin scammers abuse Apple’s TestFlight system

Last year, we wrote about a research paper from SophosLabs that investigated malware known as CryptoRom, an intriguing, albeit disheartening, nexus in the cybercrime underworld.

This “confluence of criminality” saw cybercrooks adopting the same techniques as romance scammers to peddle fake cryptocurrency apps instead of false love, and fleece victims out of millions.

As you probably know, many romance scammers use online dating sites as a starting point for meeting new “friends”, with the aim of luring trusting victims into bogus relationships – often for months, sometimes for years – in which the victims are manipulated into handing over money on a regular basis.

But dating sites, it turns out, are also a handy way of using fake personas and “chance” meetings to charm people into a very different sort of relationship: one based on cryptocurrency.

https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurrency-twist-new-research-from-sophoslabs/

Trust without romance

Even if there’s no obvious romantic spark with the imposter, and the imposter makes no attempt to construct one…

…victims of this type of scam nevertheless find themselves connected with someone likeable, and are thus willing to listen to what they say, including their chatter and advice about cryptocurrencies.

And before they know it, victims are taking their “friend’s” advice to access and install a brand new app.

Not an app that’s open to everyone, you understand: this is a dedicated app, a special app, an app for insiders only, that isn’t available on Google Play or the App Store.

Going off-market

As you probably know, going off-market on an Android phone is possible, though not by default (you need to enable off-store apps via a special setting), but on an iPhone, it’s effectively impossible.

Short of jailbreaking your phone (which we don’t recommend: it essentially means hacking your own device on purpose to evade Apple’s security sandbox), you’re stuck with the App Store, which is the one-and-only source of iPhone and iPad apps.

As SophosLabs reported last year, however, cybercriminals were nevertheless able to draw iPhone users into their cryptocoin app scams by using Enterprise Provisioning.

That’s a business-centric iPhone feature that allows private, in-house apps developed by a company for its own use to be deployed directly to company devices.

And if that sounds like a dangerous way to access an app suggested by someone you met on a dating site, make no mistake – it is!

As we explained last time:

The technological basis for these scam apps is surprisingly simple: the crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices […]

Typically, [this means] they can remotely wipe them, unilaterally or on request, block access to company data, enforce specific security settings such as lock codes and lock timeouts.

[These scammers] exploit this Enterprise Provisioning feature by tricking you into treating them as if they were your employer, and as if they had a reasonable need or right to exercise almost complete control over your device.

The app you’re told to install in a CryptoRom-style scam is utterly bogus.

You’ll be able to invest; the app will show that you’re getting excellent returns; you may even be able to withdraw some of your “earnings” (which means, in reality, that the crooks are merely letting you take back some of your own money that you already paid in).

This may well boost your confidence, and persuade you to put in more and more money, but when you want to withdraw your “funds”…

…you’ll find you can’t.

The criminals behind the scam will either encourage you not to withdraw, persuading you that the next big thing is coming and you can’t afford to miss out; or they’ll claim they have to withhold a substantial “tax” from your withdrawal, to discourage you from taking money out; or they’ll simply run off with everything you’ve invested anyway.

Well, SophosLabs has now revisited the cryptocurrency app-scamming scene, and the latest incarnations of the CryptoRom scam:

Stay off the chopping block

These scams have spread around the world, but are particularly prevalent in South East Asia, from where they get the name 杀猪盘, an unpleasant metaphor that reflects the attitude of the gangs behind this cybercriminality – the words translate roughly as “chopping block”.

Unfortunately, the scammers have introduced numerous new tricks and techniques for seducing users into installing their “this-software-is-by-invitation-only-and-you-are-lucky-to-get-this-chance” apps, including abusing Apple’s Beta-testing service known as TestFlight:

TestFlight makes it easy to invite users to test your apps and App Clips and collect valuable feedback before releasing your apps on the App Store. You can invite up to 10,000 testers using just their email address or by sharing a public link.

Interestingly, you can only join a TestFlight app’s Beta phase if you first install Apple’s TestFlight app, which is used to collect and collate telemetry from and feedback about the new app. (TestFlight builds only work for 90 days after they’re published, on the grounds that Beta releases are expected to be updated regularly with new versions as bugs are fixed.)
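As an added illustration (not code from the Sophos report or from Apple), this Python snippet shows how a defender triaging an iOS app can tell which distribution channel it arrived through, the Enterprise Provisioning and TestFlight routes described above, by inspecting the plist payload of its provisioning profile. It assumes the CMS signature wrapper of embedded.mobileprovision has already been stripped; the profile contents are constructed samples.

```python
import plistlib
from datetime import datetime

# Constructed sample profiles (invented values, not taken from any real app).
# An enterprise (in-house) profile is marked by ProvisionsAllDevices = true.
ENTERPRISE_PROFILE = plistlib.dumps({
    "Name": "Example In-House Trading App",
    "TeamName": "Example Corp (constructed)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2023, 1, 1),
    "Entitlements": {"application-identifier": "EXAMPLE.com.example.trade"},
})

# An App Store distribution profile (the kind TestFlight builds use) carries the
# beta-reports-active entitlement and no device list.
TESTFLIGHT_PROFILE = plistlib.dumps({
    "Name": "Example Beta App",
    "TeamName": "Example Dev (constructed)",
    "ExpirationDate": datetime(2023, 6, 1),
    "Entitlements": {
        "application-identifier": "EXAMPLE.com.example.beta",
        "beta-reports-active": True,
    },
})


def classify_profile(raw: bytes, as_of: str) -> dict:
    """Report the distribution channel a provisioning profile implies, and whether
    it had expired on the ISO date given in as_of (e.g. "2022-06-01")."""
    p = plistlib.loads(raw)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        channel = "enterprise"            # in-house deployment, no App Store review
    elif "ProvisionedDevices" in p:
        # Device-limited profiles: development if debugging is allowed, else ad hoc.
        channel = "development" if ents.get("get-task-allow") else "ad-hoc"
    elif ents.get("beta-reports-active"):
        channel = "app-store/testflight"
    else:
        channel = "unknown"
    exp = p.get("ExpirationDate")
    now = datetime.fromisoformat(as_of)
    expired = exp is not None and exp.replace(tzinfo=None) < now
    # Off-store channels are the ones these scams lean on, so flag them for review.
    return {"name": p.get("Name"), "team": p.get("TeamName"), "channel": channel,
            "expired": expired, "review": channel in ("enterprise", "ad-hoc")}
```

The 90-day TestFlight window is enforced by Apple per build, not recorded in the profile, so the expiry check here reflects only the profile’s own ExpirationDate.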

Ironically, however, we suspect that some users will end up being more enthusiastic about the scam if they have to jump through various Apple-centric hoops first, and to agree to be monitored while using the app.

After all, to someone who’s already interested in getting into cryptocurrency, but is worried they’ve left it too late to be part of the vanguard, the TestFlight process may well:

Of course, long before the TestFlight 90-day limit is up, the crooks will either have updated the app as a way of “proving” their commitment, or completed what’s known in the jargon as a rug-pull, a metaphor that rather obviously means that the criminals run off with everything.

Flowchart of a typical CryptoRom scam, from the full SophosLabs report.

What to do?

As SophosLabs researcher Jagadeesh Chandraiah warns in the new report:

CryptoRom scams continue to flourish through the combination of social engineering, cryptocurrency, and fake applications. These scams are well-organised, and skilled in identifying and exploiting vulnerable users based on their situation, interests, and level of technical ability. Those who get pulled into the scam have lost tens of thousands of dollars.

To stay clear of online scammers who lure you into trusting relationships with the express purpose of defrauding you, typically over weeks or months, here are our Top Tips:

