Orch Lawson | Getty Images
In the past year, a new term has arisen to describe an online scam raking in millions, if not billions, of dollars each year. It’s called “pig butchering” and now even Apple is being fooled into participating.
Researchers at security firm Sophos said on Wednesday they uncovered two apps available in the App Store that were part of a wider network of tools used to trick people into putting large sums of money into fake investment scams. was At least one of these apps even made it into Google Play, but that market is notorious for the number of malicious apps that bypass Google’s vetting. Sophos said it was the first time it had seen such apps in the App Store and that a previous app identified in these types of scams was a legitimate one that was later exploited by bad actors.
Pig Massacre relies on a rich combination of apps, websites, web hosts, and humans—in some cases victims of human trafficking—to build trust over a period of weeks or months, often under the guise of romantic interest, financial aid. Advisor, or successful investor. Eventually, the online discussion will turn to investments, usually involving cryptocurrency, from which the scammer claims to have made large sums of money. The scammer then invites the victim to participate.
Once a sign deposits money, fraudsters will initially allow them to withdraw money. Fraudsters eventually lock the account and claim they need to deposit up to 20 percent of their balance to get it back. Even when the deposit is paid, the money is not returned, and fraudsters invent new reasons why the victim should send more money. The term pig butcher is derived from a farmer who fattens a hog months before it is slaughtered.
Abuse of trust in the App Store
Sophos said it recently found two iOS listings in the App Store that were used for Cryptoroom, a type of pork butchery that uses romance to instill the trust of its victims. The first was called Ace Pro and it claimed to be an app for scanning QR codes.
The second app was MBM_BitScan, which billed itself as a real-time data tracker for cryptocurrencies. One Sophos victim dumped nearly $4,000 into the app before realizing it was fake.
Apple is known for its reputation—necessary or otherwise—for filtering out targeted apps before they end up in the App Store. Coupled with the elaborate fake online profiles and detailed backstories fraudsters use to lure victims, the app’s presence in the App Store made the fallacy even more believable.
“If criminals can get past these checks, they have the potential to access millions of devices,” the Sophos researchers wrote. “This is what makes it more dangerous for victims of cryptorome, as most of these targets are more likely to trust the source if it comes from the official Apple App Store.”
Apple representatives did not respond to an email requesting an interview for this story. Google PR also declined an interview but said in an email that the company removed the app after getting a heads-up from Sophos.
Ace Pro and MBM_BitScan bypass Apple’s testing process by using remote content downloaded from hard-coded web addresses to provide their malicious functionality. When Apple was reviewing apps, the sites provided potentially benign content. Eventually, that changed.
For example, Ace Pro starts sending requests to the rest.apizza domain.[.]net, which will then respond with the contents of acedealex.[.]xyz, which will provide a fake trading interface. MBN_BitScan reached a server hosted by Amazon, which in turn pointed to flyerbit8.[.]com, a domain designed to look like legitimate Bitcoin service bitFlyer.
The process looked something like this:
The fake interface allowed users to make real-time deposits and withdrawals and field customer service requests. To get victims started, fraudsters instruct them to transfer money to the Binance exchange and from there transfer money from Binance to the fake app.
Fake trading interface provided by MBM_BitScan.