What you need to know
- A new report says scammers used Apple's Developer Enterprise Program to steal $1.4 million.
- A scheme involved gaining the trust of victims through dating apps, then getting them to install fraudulent crypto apps.
- Sophos says the scam has been used globally, in Asia, the EU, and the U.S.
A new report says that scammers were able to dupe unsuspecting victims out of a total of $1.4 million by luring them into downloading fake cryptocurrency apps and investing money, using Apple's Developer Enterprise program for distribution.
A Sophos report published Wednesday follows up on a previous scam highlighted in May on both iOS and Android, at the time confined to victims in Asia. Now, Sophos says that the scam, which it has dubbed CryptoRom, has actually been used around the world, causing some iPhone users to lose thousands of dollars to crooks.
In our initial research, we discovered that the crooks behind these applications were targeting iOS users using Apple's ad hoc distribution method, through distribution operations known as "Super Signature services." As we expanded our search based on user-provided data and additional threat hunting, we also witnessed malicious apps tied to these scams on iOS leveraging configuration profiles that abuse Apple's Enterprise Signature distribution scheme to target victims.
Many of these scam stories made the news: one UK victim in April reported losing £63,000 ($87,000) after 'falling in love' with a bitcoin scammer. Other stories describe hackers stealing massive amounts of money on multiple occasions.
The scam goes like this. Users are contacted by hustlers through fake profiles on sites including Facebook, but also on dating apps like Tinder, Grindr, Bumble, and more. The conversation is moved to messaging apps, where it becomes more familiar, lulling the victim into a false sense of security. Soon, the topic of cryptocurrency investment comes up in conversation, and the fraudster asks the victim to install a crypto trading app to make an investment. The victim installs the app, invests, makes a profit, and is allowed to withdraw the money. Encouraged, they are then pushed to invest more to take advantage of a high-profit opportunity; however, once the larger sum has been deposited, they are unable to withdraw it. The attacker then tells the victim to invest more or pay a tax, and keeps the money if they refuse.
Key to the scam seems to be the abuse of Apple's Enterprise Program, which lets the attackers bypass Apple's App Store review process to distribute fake apps:
Since then, in addition to the Super Signature scheme, we've seen scammers use the Apple Developer Enterprise program (Apple Enterprise/Corporate Signature) to distribute their fake applications. We have also observed crooks abusing the Apple Enterprise Signature to manage victims' devices remotely. Apple's Enterprise Signature program can be used to distribute apps without Apple App Store reviews, using an Enterprise Signature profile and a certificate. Apps signed with Enterprise certificates should be distributed within the organization for employees or application testers, and should not be used for distributing apps to consumers.
According to the report, the bitcoin address associated with the scam has received more than $1.39 million to date, and there are likely several more addresses associated with the hustle. The report says most of the victims are iPhone users who have been duped into downloading a Mobile Device Management profile from a fake website, effectively turning their iPhone into the kind of "managed" device you might find in a business, one that can be controlled by someone else:
In this instance, the crooks wanted victims to visit the website with their device's browser again. When the site is visited after trusting the profile, the server prompts the user to install an app from a page that looks like Apple's App Store, complete with fake reviews. The installed app is a fake version of the Bitfinex cryptocurrency trading application.
The report says that CryptoRom bypasses all of the App Store's safety screening and that it remains active with new victims every day. It also says that Apple "should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple."