‘CryptoRom’ Crypto-Scam is Back via Side-Loaded Apps

Scammers are bypassing Apple’s App Store security, stealing thousands of dollars’ worth of cryptocurrency from the unwitting, using the TestFlight and WebClips programs.

For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming.

According to research from Sophos, CryptoRom’s perpetrators have now improved their techniques. They’re leveraging new iOS features – TestFlight and WebClips – to get fake apps onto victims’ phones without being subject to the rigorous app store approval process.

Successful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.

What is CryptoRom?

We do silly things when we’re in love. In fact, scientifically speaking, our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.

Perhaps that’s why hackers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission reported that “romance scams” cost U.S. citizens over 300 million dollars in 2020, up 50 percent from 2019.

Infosec Insiders Newsletter

Capitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos report last fall, the attackers’ M.O. is to begin there, then move the conversation to messaging apps.

“Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,” researchers explained.

The trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are irreversible.

“They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,” according to Sophos. “After this, they will be told to buy various financial products or asked to invest in special ‘profitable’ trading events. The new friend even lends some money into the fake app, to make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.”

The ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000, while another complained of investing $100,000 into the fake app, while bringing a brother and friends into the scheme unwittingly.

In the worst case thus far, one user wrote that “I have invested all my retirement money and loan money, about $1,004,000. I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.”

Karl Steinkamp, director at Coalfire, told Threatpost that the scam is a perfect storm of social engineering.

“An overarching theme here is twofold: One, we are seeing the world’s population rapidly wanting to adopt some format of crypto assets, whether this is Bitcoin, Ethereum or any one of the other 17K+ altcoins,” he said. “And two, there is an increasing need for end user (and company) security awareness training when utilizing, storing and transferring any crypto asset. Crypto and digital-asset protection includes different technologies and skills needed to adequately secure the resources.”

He added, “The mixing of dating, money / lending, and social-engineering efforts is and will continue to be a potent combination for bad actors to continue to steal money from victims. Bad actors only need to find one crack in the armor, while individuals and companies need to protect against every avenue of threats.”

What’s New This Time?

A crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance – perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.

Apple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has covered before, hackers have clever tricks to get around conventional security testing. In the past, for example, CryptoRom’s preferred method was to use the Apple Developer Program and Enterprise Signatures.

Now, CryptoRom is taking advantage of two new iOS features.

The first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.

“Unfortunately,” wrote the researchers, “just as we’ve seen happen with other alternative app distribution schemes supported by Apple, ‘TestFlight Signature’ is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.”

CryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, “it is a bit cheaper” – requiring only an .IPA file with a compiled iOS app. Apps also look “more legitimate when distributed with the Apple Test Flight App,” researchers added. “The review process is also believed to be less stringent than App Store review.”

“Hackers leveraging Apple’s TestFlight platform as a distribution mechanism for malicious apps is a clever — and relatively simple — tactic that can certainly lead to problems for victims,” Ray Kelly, fellow at NTT Application Security, told Threatpost. “Users should understand that side-loading applications is always a precarious proposition. Apps that are downloaded and installed outside of the of the App Store or Google Play ecosystem have not been vetted for security and privacy risks, leaving the door wide open for attackers to compromise users’ personal data and sometimes, their financial accounts.”

Even more so than TestFlight, CryptoRom attackers have been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps. Malicious WebClips mimic real apps like RobinHood (in the following case, “RobinHand”).

A malicious WebClip offering in the Apple App Store. Source: Sophos.

“In addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,” the researchers wrote. “This shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.”

Since it’s almost impossible for law enforcement to crack down on any one individual scam, app store providers hav a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost. He added, “Ultimately, however, the problem is a lack of security awareness. It is essential that users look for things that ‘don’t look right’ and have a fundamental view of not trusting electronic communications or taking them on face value.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles