According to Sophos, the fraudulent iOS and Android apps all utilize a common server, suggesting a single cybercriminal group is responsible. This assumption is supported by commonalities in the design of the applications, as well as communications with the fake customer support team.
The attackers are said to have utilized various social engineering techniques to encourage people to install the malicious apps, even going as far as to build relationships with potential victims over dating services.
In one instance, the scam operators created a fake version of the App Store download page, in a bid to trick people into thinking the application originated from a trusted source.
Fake crypto apps
When the app download is triggered, the victim is served with what looks like a standard mobile application, often mimicking the branding of a popular financial service.
However, the icon is merely a shortcut that links to a fake landing page, where users are encouraged to enter financial credentials or trigger a cryptocurrency transaction, under the guise of topping up their account balance.
According to Sophos, if the victim later attempts to withdraw funds or close out their account, the operators simply block access.
To shield against attacks of this kind, Sophos says there are a few simple steps that all mobile users should take.
“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer,” said Jagadeesh Chandraiah, Senior Threat Researcher at Sophos.
“Last, but not least, if something seems risky or too good to be true – such as high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is.”