The US Federal Bureau of Investigation (FBI) has just published an official public service announcement headlined with with a very specific warning: Cybercriminals Targeting Victims through Mobile Beta-Testing Applications.
The Feds didn’t go as far as naming any specific vendors or services here, but one of the main reasons that crooks go down the “beta-testing” route is to lure users of Apple iPhones into installing software that didn’t come from the App Store.
(We’re guessing that explicitly naming Apple would not only be a bit unfair, but might also give a false sense of security to anyone who doesn’t have an Apple-branded phone, because the general lessons to be learned here apply to all types of mobile phone, and even, by extension, to all sorts of software on all sorts of device.)
Using rarity and privilege as a lure
Some iPhone users feel secure against malware, spyware, rogueware and scamware simply because Apple insists that iPhone (and iPad apps, for that matter) must be acquired from the App Store.
Android users start out in a similar world, with installs allowed by default only from Google Play, but they have the option to go “off-market” if they want, and fetch apps from unofficial sources.
In contrast, even iPhone apps that are 100% free must be submitted by the vendor to the App Store to become available for download, and downloaded by the user from the App Store for installation.
But there are at least two ways to get what amount to unofficial apps, or at least “unendorsed by Apple apps”, onto an iPhone.
One is to use Apple’s Mobile Device Management (MDM) system, which is officially intended for companies that want to deploy proprietary, non-public, corporate apps onto company-supplied or company-managed devices.
Another is to sign up for Apple’s TestFlight service, which lets you offer pre-release software for trial by a maximum of 10,000 users as part of your beta-testing program.
Alpha software, after the first Greek letter, is an old-school jargon name for code that is still in its first stages of development: typically very rough and ready, more of a proof-of-concept than a real app.
Beta software, after the second Greek letter, usually refers to a software product that’s past that first stage, but is not yet fully debugged, isn’t yet recommended for everyday use, and is therefore available only in a limited release.
Convincing victims to “join the club”
As it happens, both MDM enrollment and beta-test signup require active agreement from the owner of the device.
That’s because enrolling your device into MDM gives lots of control to your corporate IT team, such as giving them the right to wipe your phone if they want.
(Phones under MDM can be wiped remotely without your consent on the grounds that if your phone were stolen, a consent request from IT would play into the hands of the thief, who would simply say, “No” to the request, and would also be alerted that the theft had been reported.)
Similarly, beta-level software exposes you to greater risk, not only because it’s expected still to contain plenty of bugs, but also because beta software is generally expected to collect much more information than a finished app, as part of tracking down any faulty behaviour.
That, of course, raises the questions, “Why would anyone willingly agree to submit to MDM by someone who wasn’t their employer and had no reason to be able to manage their device remotely, or to install beta-quality software if they weren’t knowingly part of the development process?”
The answer, in the case of the cybercrime that the FBI are warning about here, is that these MDM/Beta scammers aren’t aiming to sign up everyone, or even just anyone.
Most of them have take a leaf out of the romance scammers’ playbooks, where their goal is not to lure in 1,000,000 potential victims, sign up 1% of them, and hit each of them up abrpuptly for $10 or $100 each.
These scammers aim to identify 100s or 1000s of potential victims, actively befriend 10s or 100s of them, and then lure them, under the guise of being trusted friends, into parting with $10,000 or more each, often engaging with them regularly and personally over an extended period of time
Indeed, a lot ot these MDM/Beta scammers start in just the same way as romance scammers: by “meeting” victims on online dating sites using fake profiles, and by building up a friendship and an apparent sense of mutual trust.
Then, instead of drawing their victims into a relationship based on love and emotional affection, they initiate a relationship based more directly on money, usually based on the lure of a cryptocurrency “investment” that isn’t open to just anyone.
At this point, the crooks have already created a believable reason why the app you need to download and install isn’t in the App Store, where everyone would be able to see it.
Its suspicious deployment method, via MDM or TestFlight, is re-explained by the criminals as a sign that it’s something special; an opportunity that’s a privilege to participate in.
Money goes in but “earnings” never come out
You’re probably familiar with how this sort of scam plays out: the app shows data from a legitimate-looking but utterly bogus backend system.
The bogus investments always seem to keep on going up; trading volumes always look healthy; and (in at least some of these scams) you can even make withdrawals, assuming that you want to test that it isn’t just a one-way system.
As you can imagine, any withdrawals you’re allowed as a “test” of an scam site’s legitimacy will be kept well within the amount you’ve already put in (so you’re really only getting a bit of your own money back), or won’t actually be paid out for real (they’ll be converted into “reinvestments” with appealing but fake “rewards” and “bonuses” to keep you on the hook).
The doubly bitter end, for many victims, comes when they decide to cash out forever, and the scammers realise they can’t keep the victim inside the fraud pyramid any longer.
Many of these scammers then turn threatening as well as dishonest, telling you that the government has frozen your account; that you owe some sort of tax on your capital gains; and that because the account is frozen, you can’t just have the tax amount witheld from your withdrawal.
You have to make good the tax payment first, typically at the rate of 20%, to get out of trouble with the law.
Only then will you get your “investment” out, and because the “government” is involved, there’s a time limit that can’t be argued with.
“Borrow from your family and friends,” the scammers may say, becoming ever-more menacing about how badly things will turn out if you don’t pay the “government” its share in the time allowed.
At this point, of course, the 20% “tax” is being calculated not merely on the money you actually put in so far, but on the fake “investment growth”, plus the made-up “rewards” and “bonuses” that you have “accrued” along the way.
Some desperate victims may end up paying in as much again at the end as they did along the way.
Whether victims decide to pay in that final 20% or not, one thing is certain: nothing ever comes back from the crooks.
Everything paid in vanishes forever.
What to do?
As SophosLabs researcher Jagadeesh Chandraiah has warned in a detailed report that he published last year:
[These] scams continue to flourish through the combination of social engineering, cryptocurrency, and fake applications. These scams are well-organised, and skilled in identifying and exploiting vulnerable users based on their situation, interests, and level of technical ability. Those who get pulled into the scam have lost tens of thousands of dollars.
To stay clear of online scammers who lure you into trusting relationships with the express purpose of defrauding you, typically over weeks or months, here are our Top Tips:
- Take your time when online talk in a developing friendship turns to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. That needn’t be down to serendipity or because you have found a genuine chum. The other person could simply have read your own online profiles carefully in advance.
- Never give administrative control over your phone to someone with no genuine reason to have it. Never click
[Trust]
on a dialog that asks you to enrol in remote management unless it’s from your employer, and your employer looks after or owns your device. - Don’t be fooled by circumstances that imply approval from Apple. The fact that an app is registered for beta testing with TestFlight doesn’t mean it’s officially vetted and approved by Apple. In fact, it’s the opposite: TestFlight apps aren’t in the App Store yet, because they’re still being developed and could contain bugs, accidentally or deliberately. If anything, you need to trust the developers of a TestFlight app even more than vendors of regular apps, because you’re letting them run experimental code on your device.
- Don’t be deceived by messaging inside the app itself. Don’t let icons, names and text messages inside an app trick you into assuming it has the credibility it claims. Don’t believe investment results simply because the app shows you what you want to see. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold!)
- Listen openly to your friends and family if they try to warn you. Criminals who use dating apps and friendships as a lure think nothing of deliberately setting you against your family as part of their scams. They may even proactively “warn” you not to let potentially “jealous” friends and family in on your investment “secret”. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.
YOU MIGHT ALSO LIKE:
Original video here: https://www.youtube.com/watch?v=_nO77xWeO4o
Click the cog icon to speed up playback or show live subtitles.
No video? Read the transcript.
Ralph
Great to see material on scammers again! They will always think of something new for more victims to fall for.
Good thing there are scambaiters taking the fight to them (and supplying us with excellent content on YouTube lol)
Paul Ducklin
Glad you found it useful. Time to do some new videos…