Scammers operating investing scams infiltrate Apple App Store, Google Play

By adding fraudulent apps to official download platforms, scammers can gain a victim's trust more easily, reports BleepingComputer. According to researchers at cybersecurity company Sophos, scammers are targeting victims on Facebook or Tinder and convincing them to download the fraudulent apps and "invest" large sums of money in assets that appear to be real.

Scammers operating high-yielding investing scams called "pig butchering" have found a way to compromise Google Play and Apple's App Store, the official repositories for Android and iOS apps.

Pig butchering scams are those which involve fake websites, malicious advertising, and social engineering.


The cybersecurity firm observed that the campaign was undertaken by a China-based threat group named "ShaZhuPan," which shows high organisational levels with distinct teams engaged in victim interactions, finance, franchise, and money laundering, according to the report.


The fraudsters appear to target male users over Facebook and Tinder using women's profiles with stolen images from other social media accounts.

Moreover, the report mentioned that the scammers, after gaining the victims' trust, claim to have an uncle who works for a financial analysis firm and invite them to trade cryptocurrency through an app available on the Google Play or Apple App Store.


Sophos discovered malicious apps called "Ace Pro" and "MBM BitScan" on the Apple App Store, and "BitScan" on the Google Play Store, which were used in the campaign.

The apps let the victim withdraw small amounts of cryptocurrency initially but then lock their accounts when larger amounts are involved.


Furthermore, in order to gain access to the App Store, the ShaZhuPan gang submits an app signed with a valid Apple certificate, which is a requirement for any code to be accepted into the iOS repository.


Until the app receives approval, it connects to a harmless server and behaves normally, said the report.

When the app passes the review, the developer changes the domain and connects to a malicious server.


Upon launching the app, the victim sees a cryptocurrency trading interface delivered by the malicious server; however, everything displayed is fake, except for the user's deposit, the report added.
