Fraudsters pushing iOS malware are upping their game by abusing two legitimate Apple features to bypass App Store vetting requirements and trick people into installing malicious apps.
Apple has long required apps to pass a security review and gain access to the App Store before they can be installed on the iPhone and iPad. The vetting prevents malicious apps from gaining access to the devices, where they can then steal cryptocurrency and passwords or perform other malicious activities.
A post published Wednesday by security firm Sophos sheds light on two recent methods used in an organized crime campaign called CryptoRom, which sends fake cryptocurrency apps to unsuspecting iOS and Android users. While Android allows “sideloading” of apps from third-party markets, Apple requires iOS apps to come from the App Store, after undergoing a thorough security review.
Cheaper and easier
Enter TestFlight, a platform Apple makes available for beta testing new apps. By installing Apple’s TestFlight app from the App Store, any iOS user can download and install apps that have not yet passed the review process. Once TestFlight is installed, the user can download these unvetted apps using links that attackers publish on scam sites or in emails. Developers can use TestFlight to invite up to 10,000 testers by email address or by sharing a public link.
“Some of the victims who contacted us reported that they had been asked to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange,” wrote Jagadeesh Chandraiah, a malware analyst at security firm Sophos. “We also found fake websites posing as cryptocurrency mining company BitFury running fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach.”
Wednesday’s post showed several of the images used in the CryptoRom campaign. iOS users who took the bait received a link that, when clicked, caused the TestFlight app to download and install the fake cryptocurrency app.
Chandraiah said the TestFlight vector gives attackers advantages not available with better-known App Store bypass techniques that also abuse legitimate Apple features. One such feature is Apple’s Super Signature platform, which allows people to use their Apple developer account to deliver apps on a limited ad hoc basis. The other feature is the company’s Developer Enterprise Program. It allows large organizations to distribute proprietary apps for internal use without requiring employees to use the App Store. Both methods require fraudsters to pay money and clear other obstacles.
In contrast, TestFlight, Chandraiah said:
is cheaper to use than other schemes because all you need is an IPA file with a compiled app. Distribution is handled by someone else, and when (or if) the malware is noticed and flagged, the malware developer can simply move on to the next service and restart. [TestFlight] is preferred by malicious app developers in some cases over Super Signature or Enterprise Signature, as it is slightly cheaper and looks more legitimate when distributed with the Apple Test Flight App. The review process is also believed to be less stringent than App Store review.
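Because the campaign described above depends on steering victims to TestFlight public invite links rather than the App Store, a mail or messaging gateway can flag that pattern. The following is an added example, not code from the Sophos post or from Apple: it classifies links in a message and raises the score when a TestFlight invite is paired with cryptocurrency lure wording. The invite-link shape (testflight.apple.com/join/<code>) follows Apple's public-link format; the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Public TestFlight invites take the form https://testflight.apple.com/join/<code>.
TESTFLIGHT_JOIN = re.compile(r"^/join/[A-Za-z0-9]+/?$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Lure vocabulary matching the fake exchange / mining apps described in the post.
LURE_TERMS = ("crypto", "bitcoin", "btc", "exchange", "mining", "trading", "wallet")

def classify_url(url: str) -> str:
    """Return 'appstore', 'testflight_invite', or 'other' for a single URL."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in ("apps.apple.com", "itunes.apple.com"):
        return "appstore"
    if host == "testflight.apple.com" and TESTFLIGHT_JOIN.match(parsed.path):
        return "testflight_invite"
    return "other"

def triage(message: str) -> dict:
    """Score a message: a TestFlight invite alone is 'medium'; invite plus lure terms is 'high'."""
    kinds = {u: classify_url(u) for u in URL_RE.findall(message)}
    invites = [u for u, k in kinds.items() if k == "testflight_invite"]
    lure = [t for t in LURE_TERMS if t in message.lower()]
    if invites and lure:
        verdict = "high"
    elif invites:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "invites": invites, "lure_terms": lure, "urls": kinds}

# Constructed sample messages (hypothetical, not real campaign artifacts).
SAMPLES = [
    "Install the BTCBOX exchange app via TestFlight: https://testflight.apple.com/join/AbC123xy",
    "Update our app from the App Store: https://apps.apple.com/us/app/example/id000000000",
    "Join our beta: https://testflight.apple.com/join/Zz9Yy8Xx",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m)["verdict"], "-", m[:60])
```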
That’s not all
The post said the CryptoRom fraudsters use another Apple feature to hide their activities. This feature – known as Web Clips – adds a website link directly to an iPhone home screen in the form of an icon that can be mistaken for a benign app. Web Clips appear after a user saves a web link.
The Sophos researcher said CryptoRom can use Web Clips to add punch to malicious URLs pushing fake apps. The post shows an icon for an app called RobinHand that is designed to mimic the legitimate Robinhood trading app.
The CryptoRom scammers rely on social engineering. They use a variety of tricks to build a relationship with targets, even if they never meet face to face. Social networks, dating sites and dating applications are among the venues they use. In other cases, the fraudsters initiate relationships through “seemingly random WhatsApp messages that provide the recipients with investment and trading tips.”
The misuse of TestFlight and Web Clips is likely to be detected by experienced Internet users, but less experienced people may be fooled. iOS users should be wary of any website, email or message instructing them to download apps from a source other than the official App Store. An Apple representative said this support page shows how to avoid and report fraud. Apple has further guidance here and here.