Apple regularly highlights the fact that the locked-down environment of the App Store is one of the best guarantees of iOS security against attacks and other malicious programs. The problem is that hackers have resources and imagination… Security researchers at Sophos have discovered two new methods being used to defraud users.
The first is to use TestFlight, Apple’s program for testing beta versions of an app. Normally the application must be verified by Apple’s App Store services, but it is possible to use external services to obtain a TestFlight signing certificate. These external services are less fussy than Apple (it is enough to provide the compiled app as an IPA file) and can easily be abused by scammers. And if the malicious app is exposed, the scammers simply move on to another service.
In this way, victims were targeted by a malicious version of the Japanese cryptocurrency exchange app BTCBOX. This app was distributed through a fraudulent website in Android and iOS versions. The iOS version used TestFlight for its installation.
The fake BTCBOX app is part of a larger cryptocurrency scam campaign, which Sophos researchers have been tracking since 2021 and dubbed CryptoRom.
The other new method used by cybercriminals is the WebClip feature of iOS. It allows links to websites to be added to the home screen of an iOS device. Scammers disguise the icons of these links so that they look like legitimate iOS apps. Links discovered by Sophos researchers pointed to a site that looked like the Apple App Store.
One of these sites offered the download of a malicious application that was a near-identical copy of the financial app Robinhood, which among other things lets users manage cryptocurrencies. The only difference: the name had been changed to RobinHand.
A multitude of fake sites have been created with the logos of well-known brands in finance, stock exchanges and cryptocurrency management. The goal is to be able to switch easily to another site if the initial one is blocked or discovered.
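WebClips arrive on a device as a payload inside an iOS configuration profile (a .mobileconfig property list), so a defender can inspect such a profile before trusting it. The following Python is an added example, not code from the article or from Sophos. It parses a small profile constructed inline for illustration and flags WebClip payloads whose Label is a near-match for a watched brand, that the user cannot remove, or that open full-screen (which hides the browser chrome and lets a website pass as a native app). The watch list, the sample profile and the edit-distance threshold are assumptions for the example; the payload type and keys are the documented ones for managed WebClips.

```python
import plistlib

# Payload type and keys used by iOS managed WebClip profiles.
WEBCLIP_PAYLOAD_TYPE = "com.apple.webClip.managed"

# Brands the article names as impersonated; a real deployment would keep a longer list.
WATCHED_BRANDS = ("robinhood", "btcbox", "app store")

# Constructed sample profile (not taken from the campaign): one WebClip whose
# label imitates a finance brand, which cannot be removed and opens full-screen.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.webclip</string>
      <key>Label</key><string>RobinHand</string>
      <key>URL</key><string>https://example.invalid/app</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def normalize(name):
    """Lower-case a label and drop everything but letters and digits."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_webclips(profile_bytes):
    """Return the WebClip payload dicts contained in a .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    return [
        payload
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") == WEBCLIP_PAYLOAD_TYPE
    ]


def assess_webclip(payload, brands=WATCHED_BRANDS):
    """Return a list of finding tags for one WebClip payload (empty if nothing stands out)."""
    findings = []
    label = normalize(payload.get("Label", ""))
    for brand in brands:
        wanted = normalize(brand)
        # Threshold of 2 is an assumption: it catches RobinHand vs Robinhood.
        if label and edit_distance(label, wanted) <= 2:
            findings.append(f"label-lookalike:{wanted}")
    if payload.get("IsRemovable") is False:
        findings.append("not-removable")
    if payload.get("FullScreen") is True:
        findings.append("full-screen")
    return findings


def scan_profile(profile_bytes):
    """Assess every WebClip in a profile; returns (payload identifier, findings) pairs."""
    return [
        (payload.get("PayloadIdentifier", "<no id>"), assess_webclip(payload))
        for payload in parse_webclips(profile_bytes)
    ]


if __name__ == "__main__":
    for identifier, findings in scan_profile(SAMPLE_PROFILE):
        print(identifier, findings)
```

Run on the constructed profile, the scan reports the single WebClip as a lookalike of Robinhood that is not removable and opens full-screen; a benign WebClip (a plain label, removable, not full-screen) produces no findings. The same functions accept any profile bytes, so they can be pointed at a downloaded .mobileconfig before it is installed.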
Having started in Asia, the CryptoRom wave has spread considerably around the world and has claimed many victims. Using fake apps, social engineering scenarios (blocked accounts, imaginary taxes and loans) and cryptocurrencies, scammers manage to extort large sums of money from their victims. For its part, Apple offers a support page on its website to help combat scams.
Source: Sophos