Criminals are finding sophisticated ways to embed malicious code in seemingly legitimate mobile applications, prompting a warning from the FBI for users to pay extra attention to the apps they download.
In a public service announcement on Monday, the FBI drew attention to the dangers posed by beta-testing apps. Prior to official release, beta versions of new apps are circulated for user feedback before undergoing the security review required to be listed in Google's or Apple's app stores.
Beta-testing apps can contain malicious code designed to steal personal information, gain access to a user’s financial accounts or enable device takeover, the FBI warned.
“Cyber criminals often use phishing or romance scams to establish communications with the victim, then direct the victim to download a mobile beta-testing app housed within a mobile beta-testing app environment, promising incentives such as large financial payouts,” the bureau said.
“The apps may appear legitimate by using names, images, or descriptions similar to popular apps.”
A common scenario for this type of “pig butchering” scam involves cyber criminals making initial contact with victims through dating or networking apps. They build rapport with their victims, and then entice them to download a beta-testing app, typically one masquerading as a cryptocurrency trading platform.
The victims are lured into transacting through the malicious app, but instead of acquiring cryptocurrency, they have their funds and personal information stolen.
Sophos has been following similar scams – utilizing what it calls “CryptoRom” trading apps – since 2021. In the security firm’s latest report on CryptoRom techniques, Sophos researchers Jagadeesh Chandraiah and Sean Gallagher said criminal groups had begun incorporating the use of generative AI tools into their communications with victims.
“Use of a generative AI tool could not only make the conversations more convincing but also reduce the workload on scammers interacting with multiple victims,” the researchers wrote.
Malicious apps pass security reviews
They said they had observed criminal groups having more success registering malicious apps with Apple’s App Store and the Google Play store, reducing their reliance on beta-testing apps.
“Earlier versions of these scams required convincing the target to install fake applications from fake app stores—and in the case of iOS users, going through additional steps to bypass Apple’s app restrictions. This included abusing Apple’s enterprise and developer ad-hoc app distribution schemes or Apple’s Test Flight ‘beta test’ distribution system.”
Many of the malicious apps in the stores had legitimate purposes, according to their listings. “But when they are opened, they contact a remote URL that loads a CryptoRom fake crypto-trading interface prompting users to invest,” Chandraiah and Gallagher said.
The apps were able to pass Apple's and Google's security reviews, and get published on the stores, because the behaviour that matters lives on a remote server rather than in the reviewed binary: the app itself only fetches and displays whatever the server points it to.
“By simply changing a pointer in remote code, the app can be switched from a benign interface to a fraudulent one without further review by Apple or Google, unless a complaint is filed,” the researchers said.
“Because these apps are in the official stores, there is no social engineering required by the scammers beyond getting targets to click on a web link to the app store.”
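To make the mechanism concrete, here is a small Python model of the "remote pointer" switch the researchers describe, alongside the kind of post-publication re-check that would catch it. This is an added example, not code from the page, from Sophos, or from any app store's review pipeline; the hostnames, the config format, the allow-list and the server states are all constructed.

```python
"""Model of a remote-pointer app switch and a post-review re-check.

Added illustration, not code from the page, Sophos, or any app store.
All hostnames, the config format and the allow-list are constructed.
"""
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-ins for what the attacker's server returns. The app
# binary submitted for review never changes; only this server-side value does.
SERVER_AT_REVIEW = {"entry": "https://recipes.example.com/index.html"}
SERVER_AFTER_REVIEW = {"entry": "https://trade-invest.example.net/login.html"}


def fetch_remote_config(server_state: dict) -> dict:
    """Stand-in for the HTTP fetch the app performs on launch."""
    return dict(server_state)


def app_start(server_state: dict) -> str:
    """The app's whole 'logic': load whatever URL the remote config names.

    Nothing here looks suspicious on static inspection; the benign recipe
    site and the fake trading site are selected by the same code path.
    """
    cfg = fetch_remote_config(server_state)
    return cfg["entry"]


def config_fingerprint(cfg: dict) -> str:
    """Stable hash of a config snapshot, recorded at review time."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()


def recheck(baseline_fp: str, allowed_hosts: set, server_state: dict) -> list:
    """Re-fetch the config and report what changed since the reviewed snapshot.

    Returns an empty list while the app still loads what was reviewed.
    """
    current = fetch_remote_config(server_state)
    findings = []
    if config_fingerprint(current) != baseline_fp:
        findings.append("remote config differs from the reviewed snapshot")
    host = urlparse(current["entry"]).hostname
    if host not in allowed_hosts:
        findings.append(f"entry URL host {host!r} is not on the vetted list")
    return findings


if __name__ == "__main__":
    reviewed = config_fingerprint(fetch_remote_config(SERVER_AT_REVIEW))
    vetted = {"recipes.example.com"}
    print("at review    ->", app_start(SERVER_AT_REVIEW),
          recheck(reviewed, vetted, SERVER_AT_REVIEW))
    print("after review ->", app_start(SERVER_AFTER_REVIEW),
          recheck(reviewed, vetted, SERVER_AFTER_REVIEW))
```

The point of the model is that a review which inspects only the submitted binary sees identical code in both states; the switch is visible only by fetching what the app fetches and comparing it with a snapshot taken at review time, which is why the researchers note that nothing further is re-reviewed unless a complaint is filed.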
In its PSA, the FBI listed several signs that an app may be malicious: slowing down the device or draining the battery when used, requesting access permissions to functions unrelated to its advertised purpose, and displaying pop-ups that look like ads, system warnings or reminders.
Users should check customer reviews of apps and their developers before downloading, and not use unverified apps as investment tools, the bureau said.