• Home
  • /
  • Malware
  • /
  • Fake Android and iOS apps disguised as trading, crypto-currency apps

Fake Android and iOS apps disguised as trading, crypto-currency apps

Johannesburg, 08 Jun 2021
Read time 4min 20sec

Sophos was recently tipped off to a fraudulent mobile trading application that masqueraded as one tied to a well-known Asia-based trading company. As they investigated, they uncovered several other counterfeit versions of popular crypto-currency trading, stock trading and banking apps on iOS and Android, all designed to steal from those fooled into using them.

These fraudulent applications are aimed at exploiting the increased interest in trading apps, driven by the recent significant rise in the value of crypto-currencies and interest in low-cost or free stock trading driven by stories like that of the recent social media driven speculation in GameStop stock.

In some cases, the schemes to distribute these applications leveraged social engineering through dating sites to lure in victims, and Web sites designed to look like those belonging to legitimate companies. These Web sites forwarded victims to third-party sites that delivered iOS mobile applications via configuration management schemes, iOS mobile device management payloads carrying ‘Web Clips’, or Android apps, depending on the device used.

“During investigation of one of the apps, Sophos encountered a server which was hosting hundreds of fake trading, banking, foreign exchange and crypto-currency apps. Among them were counterfeit apps impersonating major financial firms and popular crypto-currency trading platforms, including Barclays, Gemini, Bitwala, Kraken, Binance, BitcoinHK, Bittrex, BitFlyer and TDBank. Each of these fake apps had a dedicated Web site tailored to the impersonated brand to better fool potential victims,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.

Sophos’ research began when the company was asked to investigate an application by a user who fell victim to a scam. According to the victim, the initial contact with the actors behind the app came through a social media and dating site.

The scammers befriended the victim, and shifted communications to a messaging app. They avoid requests for face-to-face meetings, citing the COVID-19 pandemic. After gaining trust, they then convinced the victim to download a crypto-currency trading app, sending the victim a link. The link was to a page impersonating a Hong Kong-based trading and investment company called Goldenway Group. The page had options to download both iOS and Android apps.

The scammers then walked the victim through the installation and encouraged the victim to buy crypto-currency and transfer into their wallet. When the victim asked to withdraw the crypto-currency, the scammers behind the fake persona at first started making excuses, and then finally blocked the victim’s account – with all the purchased crypto-currency in the scammers’ possession.

As Sophos investigated the fraudulent Goldenway app, they discovered the scheme was much more wide-ranging. They found hundreds of fake trading apps being pushed through the same infrastructure, each disguised to look like the official trading apps of different financial organisations.

“Some of the fake trading apps Sophos looked at had an interface with trading updates, wallets, fund and crypto-currency deposit and withdrawal features that appeared to function just like their legitimate counterparts. The main difference, however, was that any transaction went into the pockets of the crooks instead,” says Anderson.

“Innocent people tend to put trust in things that are presented by someone they think they know. And since these fake applications impersonate well-known apps from all over the world, the fraud is that much more believable. If something seems too good to be true – promised high returns on investments, or professional-looking dating profiles asking to transfer money or crypto assets – it’s likely a scam,” he adds.

To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a Web site, which directs the users to the genuine app. Users should verify if the app was developed by its genuine developer. “We also advise users to consider installing an anti-virus app on their mobile device, such as Sophos Intercept X for Mobile, which defends their device and data from such threats,” says Anderson.

The distribution scheme used in these fraud campaigns poses a larger threat. The Super Signature process can be abused by crooks to install additional malware in a targeted way on vulnerable users’ devices. This threat could (and should) be mitigated by Apple, which could stop abuse of third-party app distribution by alerting users when Super Signature distribution is used to install apps, or when such ad-hoc distributed apps are in use on the device.

Sophos detects these apps as Andr/FakeApp-DC, iPh/FakeApp-DD and iPh/FakeApp-DE. A full list of IOCs associated with the apps in this campaign is available on Sophos’ GitHub page.

For more information, contact Duxbury Networking, (+27) 011 351 9800,,

Editorial contacts
Write Here Allyson Koekhoven
Duxbury Networking Alzira Queiroz (+27) 011 351 9800
See also