The CryptoRom scam ring has broken through the app stores’ security review processes, and more bypasses can be expected in future

Cybercriminals have got two malicious apps used in the CryptoRom scam past the safeguards of the official app stores.

The first malicious app, Ace Pro, targets iOS users through Apple’s App Store and tricks them into making fake cryptocurrency investments. It is described in the store as a QR code scanner, but it is actually a fraudulent crypto trading platform. Once the app is opened, users see a trading interface where they can supposedly deposit and withdraw currency; in reality, any money deposited goes directly to the scammers.

To get the app past App Store review, the scammers had it connect to a remote website with benign functionality at the time it was submitted. That domain served QR-scanning code, so the app looked legitimate to reviewers. Once the app was approved, the scammers pointed it at an Asian-registered domain instead; a request to that domain is answered with content pulled from yet another host, which ultimately delivers the fake trading interface. Because the switch happens server-side, nothing in the submitted binary had to change.
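The bait-and-switch above works because a one-time review only sees the endpoint as it behaves on that day. The natural counter-check is to baseline what the app's remote endpoint delivers at review time and re-check it later, flagging any new host in the delivery chain or any change in the delivered content. The following is an added example written for this article, not code from Sophos or from either store's review tooling; the HTTP layer is injected so it runs offline against constructed responses, and every hostname, path and page body below is made up. It models the hop to the second host as an HTTP redirect; if a relay instead fetches the content server-side, the client never sees the second host, which is why the content fingerprint is compared as well as the host list.

```python
"""Baseline-and-recheck for remote content loaded by a store-submitted app.

Added example (not from the article, Sophos, or any app store): record the
redirect chain and content fingerprint an app's remote endpoint returns at
review time, then flag changes on a later re-check. The fetcher is injected
so the example runs offline; all hosts and pages below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


Fetcher = Callable[[str], Response]


@dataclass(frozen=True)
class Snapshot:
    hosts: Tuple[str, ...]   # every host touched, in order of the chain
    final_url: str           # URL that returned the final (non-redirect) body
    body_sha256: str         # fingerprint of the content actually delivered


def take_snapshot(start_url: str, fetch: Fetcher, max_hops: int = 10) -> Snapshot:
    """Follow redirects from start_url and record the hosts and final content."""
    url = start_url
    hosts: List[str] = []
    for _ in range(max_hops):
        hosts.append(urlparse(url).hostname or "")
        resp = fetch(url)
        location = resp.headers.get("Location") or resp.headers.get("location")
        if 300 <= resp.status < 400 and location:
            url = urljoin(url, location)   # relative Location headers are legal
            continue
        return Snapshot(tuple(hosts), url, hashlib.sha256(resp.body).hexdigest())
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def compare(baseline: Snapshot, current: Snapshot) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    findings: List[str] = []
    new_hosts = set(current.hosts) - set(baseline.hosts)
    if new_hosts:
        findings.append(f"new hosts in delivery chain: {sorted(new_hosts)}")
    if current.final_url != baseline.final_url:
        findings.append(f"final URL changed: {baseline.final_url} -> {current.final_url}")
    if current.body_sha256 != baseline.body_sha256:
        findings.append("delivered content changed (sha256 mismatch)")
    return findings


# --- constructed sample data (hypothetical hosts under the reserved .test TLD) ---
START_URL = "https://qr.example-app.test/app"

REVIEW_TIME = {
    START_URL: Response(200, {}, b"<html><title>QR Scanner</title></html>"),
}

POST_APPROVAL = {
    START_URL: Response(302, {"Location": "https://relay.example-asia.test/go"}, b""),
    "https://relay.example-asia.test/go":
        Response(302, {"Location": "/ui"}, b""),  # relative redirect on the same relay
    "https://relay.example-asia.test/ui":
        Response(302, {"Location": "https://trade.example-host.test/ui"}, b""),
    "https://trade.example-host.test/ui":
        Response(200, {}, b"<html><title>Deposit crypto</title></html>"),
}


def make_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Build an offline fetcher that answers only the constructed URLs above."""
    def fetch(url: str) -> Response:
        return table.get(url, Response(404, {}, b""))
    return fetch


def audit() -> List[str]:
    """Baseline at review time, re-check after approval, return the findings."""
    baseline = take_snapshot(START_URL, make_fetcher(REVIEW_TIME))
    current = take_snapshot(START_URL, make_fetcher(POST_APPROVAL))
    return compare(baseline, current)


if __name__ == "__main__":
    for finding in audit():
        print("FLAG:", finding)
```

In practice the baseline would be stored when the app is approved and the re-check scheduled periodically; a clean app produces an empty findings list on every run, while the pattern described above produces findings on the first re-check after the switch.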

The second malicious app, MBM_BitScan, appears on the Google Play Store under the name BitScan.

The two apps communicate with the same command-and-control (C2) infrastructure, which in turn communicates with a server made to resemble a legitimate Japanese crypto firm. Everything else that is malicious is handled in a web interface rather than in the app itself, which left little in the submitted app for Google Play’s reviewers to flag as fraudulent.

According to Sophos, which discovered the malicious apps on the two official app stores, these are the first CryptoRom apps known to have passed Apple’s App Store review.

More on the CryptoRom scam
CryptoRom is a subset of a family of scams known in Chinese as “sha zhu pan”, literally “pig butchering plate”, in which victims who have been tricked into investing substantial funds are “slaughtered”. The plot involves creating and actively maintaining fake Facebook profiles and personas of women supposedly living a lavish lifestyle in London to hook men on social media. After using the fake persona to build rapport with victims, the scammers convince them to download the fraudulent Ace Pro app and fall for the cryptocurrency fraud.

Neither malicious app is affected by iOS’s new Lockdown Mode, which stops scammers from loading the configuration profiles they have relied on to get apps onto victims’ devices during social-engineering campaigns. An app installed from the official App Store needs no such profile, so Lockdown Mode offers no protection against it. The CryptoRom scammers may in fact be shifting their tactics, focusing on bypassing the App Store review process, precisely because of the protections Lockdown Mode introduced.