Scammers are using a network of fake apps to steal funds from crypto newbies

(Image credit: Shutterstock / rudall30)

Security researchers have identified a “stash” of more than 150 fake trading, banking and cryptocurrency apps designed to steal victims’ funds.

According to Sophos, the fraudulent iOS and Android apps all utilize a common server, suggesting a single cybercriminal group is responsible. This assumption is supported by commonalities in the design of the applications, as well as communications with the fake customer support team.

The attackers are said to have utilized various social engineering techniques to encourage people to install the malicious apps, even going as far as to build relationships with potential victims over dating services.

Here's our list of the best antivirus services right now
We've built a list of the best iOS antivirus services around
Check out our list of the best Android antivirus services out there

In one instance, the scam operators created a fake version of the App Store download page, in a bid to trick people into thinking the application originated from a trusted source.

Fake crypto apps

When the app download is triggered, the victim is served with what looks like a standard mobile application, often mimicking the branding of a popular financial service.

However, the icon is merely a shortcut that links to a fake landing page, where users are encouraged to enter financial credentials or trigger a cryptocurrency transaction, under the guise of topping up their account balance.

According to Sophos, if the victim later attempts to withdraw funds or close out their account, the operators simply block access.

To shield against attacks of this kind, Sophos says there are a few simple steps that all mobile users should take.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer,” said Jagadeesh Chandraiah, Senior Threat Researcher at Sophos.

“Last, but not least, if something seems risky or too good to be true – such as high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is.”

Here's our list of the best endpoint protection services

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.