Beware bogus Betas – cryptocoin scammers abuse Apple’s TestFlight system

Last year, we wrote about a research paper from SophosLabs that investigated malware known as CryptoRom, an intriguing, albeit disheartening, nexus in the cybercrime underworld.

This “confluence of criminality” saw cybercrooks adopting the same techniques as romance scammers to peddle fake cryptocurrency apps instead of false love, and fleece victims out of millions.

As you probably know, many romance scammers use online dating sites as a starting point for meeting new “friends”, with the aim of luring trusting victims into bogus relationships – often for months, sometimes for years – in which the victims are manipulated into handing over money on a regular basis.

But dating sites, it turns out, are also a handy way of using fake personas and “chance” meetings to charm people into a very different sort of relationship: one based on cryptocurrency.

Trust without romance

Even if there’s no obvious romantic spark with the imposter, and the imposter makes no attempt to construct one…

…victims of this type of scam nevertheless find themselves connected with someone likeable, and are thus willing to listen to what they say, including their chatter and advice about cryptocurrencies.

And before they know it, victims are taking their “friend’s” advice to access and install a brand new app.

Not an app that’s open to everyone, you understand: this is a dedicated app, a special app, an app for insiders only, that isn’t available on Google Play or the App Store.

Going off-market

As you probably know, going off-market on an Android phone is possible, though not by default (you need to enable off-store apps via a special setting), but on an iPhone, it’s effectively impossible.

Short of jailbreaking your phone (which we don’t recommend: it essentially means hacking your own device on purpose to evade Apple’s security sandbox), you’re stuck with the App Store, which is the one-and-only source of iPhone and iPad apps.

As SophosLabs reported last year, however, cybercriminals were nevertheless able to draw iPhone users into their cryptocoin app scams by using Enterprise Provisioning.

That’s a business-centric iPhone feature that allows private, in-house apps developed by a company for its own use to be deployed directly to company devices.

And if that sounds like a dangerous way to access an app suggested by someone you met on a dating site, make no mistake – it is!

As we explained last time:

The technological basis for these scam apps is surprisingly simple: the crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices […]

Typically, [this means] they can remotely wipe them, unilaterally or on request, block access to company data, enforce specific security settings such as lock codes and lock timeouts.

[These scammers] exploit this Enterprise Provisioning feature by tricking you into treating them as if they were your employer, and as if they had a reasonable need or right to exercise almost complete control over your device.

The app you’re told to install in a CryptoRom-style scam is utterly bogus.

You’ll be able to invest; the app will show that you’re getting excellent returns; you may even be able to withdraw some of your “earnings” (which means, in reality, that the crooks are merely letting you take back some of your own money that you already paid in).

This may well boost your confidence, and persuade you to put in more and more money, but when you want withdraw your “funds”…

…you’ll find you can’t.

The criminals behind the scam will either encourage you not to withdraw, persuading you the next big thing is coming and you can’t afford to miss out; or they’ll claim they have to withold a substantial “tax” from your withdrawal, to discourage you from taking money out; or they’ll simply run off with everything you’ve invested anyway.

Well, SophosLabs has now revisited the cryptocurrency app-scamming scene, and the latest incarnations of the CryptoRom scam:

Stay off the chopping block

These scams have spread around the world, but are particularly prevalent in South East Asia, from where they get the name 杀猪盘, an unpleasant metaphor that reflects the attitude of the gangs behind this cybercriminality – the words translate roughly as “chopping block”.

Unfortunately, the scammers have introduced numerous new tricks and techniques for seducing users into installing their “this-software-is-by-invitation-only-and-you-are-lucky-to-get-this-chance” apps, including abusing Apple’s Beta-testing service known as TestFlight:

TestFlight makes it easy to invite users to test your apps and App Clips and collect valuable feedback before releasing your apps on the App Store. You can invite up to 10,000 testers using just their email address or by sharing a public link.

Interestingly, you can only join a TestFlight app’s Beta phase if you first install Apple’s TestFlight app, which is used to collect and collate telemetry from and feedback about the new app. (TestFlight builds only work for 90 days after they’re published, on the grounds that Beta releases are expected to be updated regularly with new versions as bugs are fixed.)

Ironically, however, we suspect that some users will end up being more enthusastic about the scam if they have to jump through various Apple-centric hoops first, and to agree to be monitored while using the app.

After all, to someone who’s already interested in getting into cryptocurrency, but is worried they’ve left it too late to be part of the vanguard, the TestFlight process may well:

  • Reinforce the idea that the app really is “new” and “novel”, so they’re getting in on the ground floor.
  • Mislead victims into thinking they’re getting privileged access, not offered to everyone.
  • Encourage victims to believe that the TestFlight process means added trustworthiness and safety in the app itself.

Of course, long before the TestFlight 90-day limit is up, the crooks will either have updated the app as a way of “proving” their committment, or completed what’s known in the jargon as a rug-pull, a metaphor that rather obviously means that the criminals run off with everything.

Flowchart of a typical CryptoRom scam.
Click on the image for the full SophosLabs report.

What to do?

As SophosLabs researcher Jagadeesh Chandraiah warns in the new report:

CryptoRom scams continue to flourish through the combination of social engineering, cryptocurrency, and fake applications. These scams are well-organised, and skilled in identifying and exploiting vulnerable users based on their situation, interests, and level of technical ability. Those who get pulled into the scam have lost tens of thousands of dollars.

To stay clear of online scammers who lure you into trusting relationships with the express purpose of defrauding you, typically over weeks or months, here are our Top Tips:

  • Take your time when “dating site” talk turns from friendship to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. That needn’t be down to serendipity or because you have a genuine match. The other person could simply have read your various online profiles carefully in advance.
  • Never give administrative control over your phone to someone with no genuine reason to have it. Never click [Trust] on a dialog that asks you to enrol in remote management unless it’s from your employer, and your employer looks after or owns your device.
  • Don’t be fooled by circumstances that imply approval from Apple. The fact that an app is registered with TestFlight doesn’t mean it’s officially vetted and approved by Apple. In fact, it’s the opposite: TestFlight apps aren’t in the App Store yet, because they’re still being developed and could contain bugs, accidentally or deliberately. If anything, you need to trust the developers of a TestFlight app even more than vendors of regular apps, because you’re letting them run experimental code on your device.
  • Don’t be decieved by messaging inside the app itself. Don’t let by icons, names and text messages inside an app trick you into assuming it has the credibility it claims. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold!)
  • Listen openly to your friends and family if they try to warn you. Criminals who use dating apps and friendships as a lure think nothing of deliberately setting you against your family as part of their scams. They may even proactively “warn” you not to let potentially “jealous” friends and family in on your investment “secret”. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.

YOU MIGHT ALSO LIKE:


go top