‘CryptoRom’ Crypto-Scam is Back via Side-Loaded Apps


Scammers are bypassing Apple’s App Store security, stealing thousands of dollars’ worth of cryptocurrency from the unwitting, using the TestFlight and WebClips programs.

For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming.

According to research from Sophos, CryptoRom’s perpetrators have now improved their techniques. They’re leveraging two Apple app-distribution features – TestFlight and WebClips – to get fake apps onto victims’ phones without going through the App Store approval process.

Successful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.

What is CryptoRom?

We do silly things when we’re in love. In fact, scientifically speaking, our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.

Perhaps that’s why scammers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission reported that “romance scams” cost U.S. citizens more than $300 million in 2020, up 50 percent from 2019.


Capitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos report last fall, the attackers’ M.O. is to begin there, then move the conversation to messaging apps.

“Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,” researchers explained.

The trading apps tend to be cryptocurrency-related because cryptocurrency payments, unlike most fiat transfers, are irreversible once sent.

“They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,” according to Sophos. “After this, they will be told to buy various financial products or asked to invest in special ‘profitable’ trading events. The new friend even lends some money into the fake app, to make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.”

The ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000; another reported investing $100,000 in the fake app and unwittingly drawing a brother and friends into the scheme.

In the worst case thus far, one user wrote that “I have invested all my retirement money and loan money, about $1,004,000. I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.”

What’s New This Time?

A crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance – perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.

Apple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has covered before, hackers have clever tricks to get around conventional security testing. In the past, for example, CryptoRom’s preferred method was to use the Apple Developer Program and Enterprise Signatures.

Now, CryptoRom is taking advantage of two other iOS distribution mechanisms.

The first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.

“Unfortunately,” wrote the researchers, “just as we’ve seen happen with other alternative app distribution schemes supported by Apple, ‘TestFlight Signature’ is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.”

CryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, “it is a bit cheaper” – requiring only an .IPA file with a compiled iOS app. Apps also look “more legitimate when distributed with the Apple Test Flight App,” researchers added. “The review process is also believed to be less stringent than App Store review.”

Even more than TestFlight, CryptoRom attackers have been using WebClips, an iOS feature that adds a web link to the home screen with its own icon, so it looks and launches like a regular app. Malicious WebClips mimic real apps like Robinhood (in the following case, “RobinHand”).

A fake App Store page used to deliver a malicious WebClip. Source: Sophos.

“In addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,” the researchers wrote. “This shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.”
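As an added example (not code from Sophos or Threatpost), the following Python script shows what a WebClip actually is under the hood and how to check one before it is installed. A WebClip arrives as an iOS configuration profile (.mobileconfig) carrying a payload of type com.apple.webClip.managed; the script parses a constructed profile, extracts those payloads, and flags the traits that make a WebClip useful to a scam: a label that resembles a known brand while the URL points at some other host, IsRemovable set to false, and FullScreen set to true, which hides Safari's address bar. The sample profile, the robinhand.example domain and the KNOWN_BRANDS allow-list are assumptions of this example, not data from the report.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for Web Clip payloads.

A Web Clip is delivered as a configuration profile whose payload dictionary
has PayloadType "com.apple.webClip.managed". The keys read here (URL, Label,
IsRemovable, FullScreen) are from Apple's Configuration Profile Reference.
SAMPLE_PROFILE is constructed for this example; robinhand.example is a
hypothetical domain, not one reported by Sophos.
"""
import plistlib
from urllib.parse import urlparse

WEBCLIP_TYPE = "com.apple.webClip.managed"

# Brands the campaign impersonated, mapped to their legitimate domains.
# This allow-list is an assumption of the example, not data from the report.
KNOWN_BRANDS = {
    "robinhood": {"robinhood.com"},
    "binance": {"binance.com"},
    "btcbox": {"btcbox.co.jp"},
}

# Constructed sample: a profile that installs a "RobinHand" clip pointing at
# a look-alike host, non-removable and full-screen.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.robinhand.profile</string>
  <key>PayloadUUID</key><string>9A3C2B1E-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>RobinHand</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.robinhand.webclip</string>
      <key>PayloadUUID</key><string>9A3C2B1E-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>RobinHand</string>
      <key>URL</key><string>https://app.robinhand.example/login</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a crude look-alike test for labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def webclips(profile_bytes: bytes) -> list:
    """Return every Web Clip payload dictionary in the profile."""
    plist = plistlib.loads(profile_bytes)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == WEBCLIP_TYPE]


def assess(payload: dict) -> list:
    """Return human-readable findings for one Web Clip payload."""
    findings = []
    label = payload.get("Label", "")
    host = (urlparse(payload.get("URL", "")).hostname or "").lower()
    norm = "".join(c for c in label.lower() if c.isalnum())
    for brand, domains in KNOWN_BRANDS.items():
        on_brand_domain = any(host == d or host.endswith("." + d) for d in domains)
        if edit_distance(norm, brand) <= 2 and not on_brand_domain:
            findings.append(f"label {label!r} resembles {brand} but URL host is {host!r}")
    if payload.get("IsRemovable") is False:
        # The clip itself cannot be deleted from the home screen; on an
        # unsupervised device the user can still remove the whole profile.
        findings.append("IsRemovable=false: clip cannot be deleted from the home screen")
    if payload.get("FullScreen") is True:
        findings.append("FullScreen=true: opens without Safari's address bar, hiding the real URL")
    return findings


def scan(profile_bytes: bytes) -> dict:
    """Map each Web Clip PayloadIdentifier to its list of findings."""
    return {p.get("PayloadIdentifier"): assess(p) for p in webclips(profile_bytes)}


if __name__ == "__main__":
    for ident, findings in scan(SAMPLE_PROFILE).items():
        print(ident)
        for finding in findings:
            print("  -", finding)
```

The home screen shows only the icon and the Label, so the URL host inside the profile is the thing worth checking before the profile is installed; a clip whose label echoes a brokerage brand but whose URL lives on an unrelated domain is the pattern described above.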

