CryptoRom is a scam that victimizes dating app users with financial fraud schemes. Cybersecurity solutions provider Sophos has found that the first fake CryptoRom apps were able to elude Apple’s strict App Store security review.
Cybercriminals used workaround techniques to trick users into downloading fake CryptoRom apps, such as Ace Pro and MBM_BitScan, which are not sanctioned by the Apple App Store. The apps are also not affected by iOS’s new Lockdown Mode, which prevents scammers from loading mobile profiles useful for social engineering.
“In general, it’s hard to get malware past the security review process in the Apple App Store,” said Jagadeesh Chandraiah, senior threat researcher at Sophos. “That’s why, when we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app.”
CryptoRom, a subset of a family of scams known as sha zhu pan (pig butchering plate), is a well-organized, syndicated scam operation that uses a combination of romance-centered social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence. By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.
To lure the victim who was conned with Ace Pro, the scammers created and actively maintained a fake Facebook profile and persona of a woman supposedly living a lavish lifestyle in London. After building a rapport with the victim, the scammers suggested the victim download the fraudulent Ace Pro app and the cryptocurrency fraud unfolded from there.
Ace Pro is described in the App Store as a QR code scanner but is in fact a fraudulent crypto trading platform. Once opened, users see a trading interface where they can supposedly deposit and withdraw currency; any money deposited goes directly to the scammers. To get past App Store review, Sophos believes the scammers had the app connect to a remote website with benign functionality when it was originally submitted: the domain hosted QR-scanning code so the app looked legitimate to reviewers. Once the app was approved, the scammers redirected it to an Asian-registered domain, which answers the app’s request with content from yet another host that ultimately delivers the fake trading interface.
MBM_BitScan also exists as an Android app, known as BitScan on Google Play. The two apps communicate with the same command-and-control (C2) infrastructure, which in turn communicates with a server that resembles a legitimate Japanese crypto firm. All remaining malicious functionality is handled in a web interface rather than in the app’s own code, which is why it is hard for Google Play’s code reviewers to detect the app as fraudulent.
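The two patterns described above (a web-view app whose remote endpoint is switched to a different host after review, and sibling apps sharing one C2 host) are the kind of thing a defender can surface from outbound request logs collected by a proxy or MDM gateway. The following is an added example, not Sophos’s tooling or code from the apps themselves; the log format, app identifiers and all hostnames (`*.test` domains) are constructed placeholders. It parses the log, reports hosts an app started contacting only after a given approval date, follows redirect chains that land on a host other than the one the app originally called, and lists hosts contacted by more than one app.

```python
"""Flag review-time bait-and-switch and shared C2 hosts in app request logs.

Added example (not Sophos's or the apps' code). The log below is constructed:
one request per line, pipe-separated as
    date|app id|requested URL|HTTP status|Location header or "-"
"""
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed sample log. "app.acepro" only talks to a benign QR host until
# after approval, when that host redirects it through a second domain to a
# third host. "app.bitscan" and "app.mbmbitscan" share one C2 host throughout.
SAMPLE_LOG = """\
2022-11-01|app.acepro|https://qr-service.example-benign.test/scan|200|-
2022-11-02|app.acepro|https://qr-service.example-benign.test/scan|200|-
2022-11-03|app.bitscan|https://api.example-c2.test/config|200|-
2022-11-03|app.mbmbitscan|https://api.example-c2.test/config|200|-
2022-12-01|app.acepro|https://qr-service.example-benign.test/scan|302|https://trade-gateway.example-asia.test/index
2022-12-01|app.acepro|https://trade-gateway.example-asia.test/index|302|https://panel.example-hidden.test/app
2022-12-01|app.acepro|https://panel.example-hidden.test/app|200|-
2022-12-03|app.bitscan|https://api.example-c2.test/config|200|-
2022-12-03|app.mbmbitscan|https://api.example-c2.test/config|200|-
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Turn the pipe-separated log into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, app, url, status, location = line.split("|")
        entries.append({
            "date": date.fromisoformat(day),
            "app": app,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return entries


def new_hosts_after(entries, approval_iso_date):
    """Hosts an app first contacted only after the approval date.

    Only apps with traffic before the cutoff are reported, so the result is a
    genuine change of behaviour rather than a missing baseline.
    """
    cutoff = date.fromisoformat(approval_iso_date)
    before, after = defaultdict(set), defaultdict(set)
    for e in entries:
        (before if e["date"] <= cutoff else after)[e["app"]].add(e["host"])
    return {app: hosts - before[app]
            for app, hosts in after.items()
            if app in before and hosts - before[app]}


def cross_host_redirects(entries):
    """Follow Location chains recorded in the log per app; return the chains
    (as lists of hosts) that end on a different host than they started on."""
    by_url = {(e["app"], e["url"]): e for e in entries}
    chains, seen = [], set()
    for e in entries:
        key = (e["app"], e["url"])
        if e["status"] not in REDIRECT_STATUSES or not e["location"] or key in seen:
            continue
        hops, cur = [e["host"]], e
        while cur is not None and cur["location"]:
            seen.add((cur["app"], cur["url"]))
            nxt = cur["location"]
            hops.append(urlparse(nxt).hostname)
            cur = by_url.get((cur["app"], nxt))
        if hops[-1] != hops[0]:
            chains.append((e["app"], hops))
    return chains


def shared_hosts(entries):
    """Hosts contacted by more than one app id (candidate shared C2)."""
    apps_by_host = defaultdict(set)
    for e in entries:
        apps_by_host[e["host"]].add(e["app"])
    return {h: apps for h, apps in apps_by_host.items() if len(apps) > 1}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("new hosts after approval:", new_hosts_after(log, "2022-11-15"))
    print("cross-host redirect chains:", cross_host_redirects(log))
    print("hosts shared across apps:", shared_hosts(log))
```

Run on the constructed log, the script attributes two new hosts to `app.acepro` after the assumed approval date of 2022-11-15, reconstructs the redirect chain from the benign QR host through the second domain to the host serving the final content, and pairs the two BitScan apps on their common host. On real data the approval date comes from the app store record and the baseline should cover the review window, since the point of the check is that the behaviour reviewers saw differs from the behaviour users get.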
“Sophos has been tracking and reporting on these scams that reap millions of dollars for two years,” the company said.