A recent investigation by Group-IB revealed a large-scale fraud operation involving fake trading apps on the Apple App Store and Google Play Store, as well as phishing sites to deceive victims. The scheme is part of a wider investment scam known as "pig butchering," where fraudsters lure victims into investments by posing as romantic partners or financial advisors.
Victims are manipulated into losing funds, with scammers often requesting additional fees before disappearing with the money.
Group-IB, based in Singapore, noted that the campaign targets victims globally, with reports from regions like Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent apps, created using the UniApp Framework, are labeled under "UniShadowTrade" and have been active since mid-2023, offering promises of quick financial gains.
One app, SBI-INT, even bypassed Apple’s App Store review process, giving it an illusion of legitimacy. The app disguised itself as a tool for algebraic formulas and 3D graphics calculations but was eventually removed from the marketplace.
The app used a technique that checked if the date was before July 22, 2024, and, if so, displayed a fake screen with mathematical formulas. After being taken down, scammers began distributing it via phishing websites for Android and iOS users.
For iOS, downloading the app involved installing a .plist file, requiring users to trust an Enterprise developer profile manually. Once done, the fraudulent app became operational, asking users for their phone number, password, and an invitation code.
After registration, victims went through a six-step process involving identity verification, providing personal details, and agreeing to terms for investments. Scammers then instructed them on which financial instruments to invest in, falsely promising high returns.
When victims tried to withdraw their funds, they were asked to pay additional fees to retrieve their investments, but the funds were instead stolen.
The malware also included a configuration with details about the URL hosting the login page, hidden within the app to avoid detection. One of these URLs was hosted by a legitimate service, TermsFeed, used for generating privacy policies and cookie consent banners.
Group-IB discovered another fake app on the Google Play Store called FINANS INSIGHTS, which had fewer than 5,000 downloads. A second app, FINANS TRADER6, was also linked to the same developer. Both apps targeted countries like Japan, South Korea, Cambodia, Thailand, and Cyprus.
Users are advised to be cautious with links, avoid messages from unknown sources, verify investment platforms, and review apps and their ratings before downloading.
