Fake trading apps infiltrate major app stores with a pig-butchering scheme


Cybercriminals are targeting Apple iOS and Android users in a large-scale fraud campaign involving fake trading apps, Group-IB’s threat intelligence analysts warn. Fake trading platforms pop up on app stores containing no malware to bypass defenses, yet allow attackers to extract significant funds.

The apps appear on both the official Google Play Store and Apple App Store. They’re built using the UniApp Framework, which allows the same code to be reused on multiple platforms. The fraudsters even thought about localization, as there are versions in English, Portuguese, Chinese, and Hindi.

The apps act as the facade of a legitimate trading platform. The only goal of these fake apps is to lure victims into funding bogus trading accounts, then the money is lost.

ADVERTISEMENT

These types of schemes are widely known as pig butchering, which refers to frauds in which cybercriminals lure victims into fake investment schemes. Fraudsters may spend weeks or even months gaining the victims' trust and significant ‘investments,’ which only appear to grow on the fake platform.

The name of the scam refers to the practice of fattening a pig before slaughter, when crooks pull the rug from under them, leaving victims with nothing.

Group-IB’s report describes two distribution methods: via official app stores and also through phishing websites. The social engineering tactics even include requirements for victims to enter an invitation code before registering.

During registration, the app asks a user to upload an ID card or passport and other documents, provide personal information and job-related details, and agree to multiple terms and conditions and risk warnings. Attackers then send investment recommendations and instructions to make a deposit.

All the app’s logic is processed on a web server, and the core functionality is delivered through a URL. Its only capabilities are to check the device model, date, and time.

“Once the deposit is made, the cybercriminals instruct the victim on which positions to buy. After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so,” the report warns.

fake-app-investing

The applications mimic dozens of crypto and trading platforms. The detected Android packages shared names com.finans.trader or com.finans.insights.

ADVERTISEMENT

The domains used in the scam appear to be a part of a larger fraudulent infrastructure with many domains registered under similar names, impersonating financial institutions.

“The use of web-based applications further conceals the malicious activity and makes detection more difficult. This highlights the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps,” the researchers said.

Users are advised to be careful when opening links sent to mobile devices or unsolicited messages from strangers on any platform, and diligently check the platform they choose for investing and protect their sensitive information from outsiders.

“If you’re asked to install an application from an official store, don’t let your guard down. Always check the publisher, application rating, and user comments to make sure it’s legitimate,” Group-IB said. “Only install applications from official websites.”