Scammers pushing iOS malware are stepping up their game by abusing two legitimate Apple features to bypass App Store vetting requirements and trick people into installing malicious apps.
Apple has long required that apps pass a security review and be admitted to the App Store before they can be installed on iPhones and iPads. The vetting prevents malicious apps from making their way onto the devices, where they can then steal cryptocurrency and passwords or carry out other nefarious activities.
A post published Wednesday by security firm Sophos sheds light on two newer methods being used in an organized crime campaign dubbed CryptoRom, which pushes fake cryptocurrency apps to unsuspecting iOS and Android users. While Android permits “sideloading” apps from third-party markets, Apple requires iOS apps to come from the App Store, after they’ve undergone a thorough security review.
Enter TestFlight, a platform Apple makes available for the beta testing of new apps. By installing Apple’s TestFlight app from the App Store, any iOS user can download and install apps that have not yet passed the vetting process. Once TestFlight is installed, the user can download the unvetted apps using links attackers publish on scam sites or in emails. People can use TestFlight to invite up to 10,000 testers using their email address or by sharing a public link.
“Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange,” Jagadeesh Chandraiah, a malware analyst at security firm Sophos wrote. “We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach.”
Wednesday’s post showed several of the images used in the CryptoRom campaign. iOS users who took the bait received a link that, when clicked, caused the TestFlight app to download and install the fake cryptocurrency app.
Chandraiah said that the TestFlight vector provides attackers with advantages not available with better-known App Store bypass techniques that also abuse legitimate Apple features. One such feature is Apple’s Super Signature platform, which allows people to use their Apple developer account to deliver apps on a limited ad hoc basis. The other feature is the company’s Developer Enterprise Program. It lets big organizations deploy proprietary apps for internal use without employees having to use the App Store. Both methods require scammers to pay money and clear other hurdles.
By contrast, Chandraiah said, TestFlight:
is cheaper to use than other schemes because all you need is an IPA file with a compiled app.The distribution is handled by someone else, and when (or if) the malware gets noticed and flagged, the malware developer can just move on to the next service and start again. [TestFlight] is preferred by malicious app developers in some instances over Super Signature or Enterprise Signature as it is a bit cheaper and looks more legitimate when distributed with the Apple Test Flight App. The review process is also believed to be less stringent than App Store review.
The post said the CryptoRom scammers are using a second Apple feature to disguise their activities. That feature—known as Web Clips—adds a webpage link directly to an iPhone home screen in the form of an icon that can be confused with a benign app. Web Clips appears after a user has saved a Web link.
The Sophos researcher said CryptoRom can use Web Clips to add clout to malicious URLs pushing fake apps. Here’s an icon for an app called RobinHand that’s designed to mimic the legitimate Robinhood trading app.
The CryptoRom scammers rely heavily on social engineering. They use a variety of ruses to build a relationship with targets even though they never meet face to face. Social networks, dating sites, and dating applications are among such ruses. In other cases, the scammers initiate relationships through “seemingly random WhatsApp messages offering the recipients investment and trading tips.”
The abuse of TestFlight and Web Clips is likely to be spotted by savvy Internet users, but less experienced people may get fooled. iOS users should remain cautious of any site, email, or message that instructs them to download apps from a source other than the official App Store. An Apple representative said this support page shows how to avoid and report scams. Apple has additional guidance here and here.