Pig-butchering scam apps sneak into Apple’s App Store and Google Play

In the past year, a new term has arisen to describe an online scam raking in millions, if not billions, of dollars per year. It’s called “pig butchering,” and now even Apple is getting fooled into participating.

Researchers from security firm Sophos said on Wednesday that they uncovered two apps available in the App Store that were part of an elaborate network of tools used to dupe people into putting large sums of money into fake investment scams. At least one of those apps also made it into Google Play, but that market is notorious for the number of malicious apps that bypass Google vetting. Sophos said this was the first time it had seen such apps in the App Store and that a previous app identified in these types of scams was a legitimate one that was later exploited by bad actors.

Pig butchering relies on a rich combination of apps, websites, web hosts, and humans—in some cases human trafficking victims—to build trust with a mark over a period of weeks or months, often under the guise of a romantic interest, financial adviser, or successful investor. Eventually, the online discussion will turn to investments, usually involving cryptocurrency, that the scammer claims to have earned huge sums of money from. The scammer then invites the victim to participate.

Once a mark deposits money, the scammers will initially allow them to make withdrawals. The scammers eventually lock the account and claim they need a deposit of as much as 20 percent of their balance to get it back. Even when the deposit is paid, the money isn’t returned, and the scammers invent new reasons the victim should send more money. The pig-butchering term derives from a farmer fattening up a hog months before it’s butchered.

Abusing trust in the App Store

Sophos said that it recently found two iOS listings in the App Store that were used for CryptoRom, a type of pig butchering that uses romantic overtures to build the confidence of its victims. The first was called Ace Pro and claimed to be an app for scanning QR codes.

The second app was MBM_BitScan, which billed itself as a real-time data tracker for cryptocurrencies. One victim Sophos tracked dumped about $4,000 into the app before realizing it was fake.

Apple is famous for its reputation—warranted or otherwise—for filtering out malicious apps before they end up in the App Store. Combined with detailed fake online profiles and elaborate backstories the scammers use to lure victims, the presence of the apps in the App Store made the ruse all the more convincing.

“If criminals can get past these checks, they have the potential to reach millions of devices,” Sophos researchers wrote. “This is what makes it more dangerous for CryptoRom victims, as most of those targets are more likely to trust the source if it comes from the official Apple App Store.”

Apple representatives didn’t respond to an email requesting an interview for this story. In a statement, which the representative provided on condition it be on background, the company said that one of the apps submitted provided QR scanning and the other cryptocurrency tracking. Once the bait-and-switch came to light, Apple removed them. The representative also cited a recent study that found the App Store stopped nearly $1.5 billion in fraudulent transactions in 2021 and prevented more than 1.6 million risky and untrustworthy apps and app updates from defrauding users that year.

Google PR also declined an interview but said in an email the company removed the app after receiving a heads-up from Sophos.

Ace Pro and MBM_BitScan circumvented Apple’s vetting process by using remote content downloaded from hardcoded web addresses to deliver their malicious functionality. When Apple was reviewing the apps, the sites likely delivered benign content. Eventually, that changed.

Ace Pro, for instance, started sending a request to the domain rest.apizza[.]net, which would then respond with content from acedealex[.]xyz, which would deliver the fake trading interface. MBM_BitScan reached out to a server hosted by Amazon, which in turn beckoned flyerbit8[.]com, a domain designed to look like the legitimate Bitcoin service bitFlyer.

The process looked something like this:

Diagram showing how app submissions bypassed vetting.
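As an added example (not from the article or from Sophos), here is a small Python check a defender might run over a report like this one: it refangs the defanged indicators quoted above and flags any domain whose label is the brand name, or a rotation of it once digits are dropped, which is exactly the flyerbit8[.]com versus bitFlyer pattern. The article excerpt is constructed from the text above; the brand list and the 0.8 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt carrying the defanged indicators exactly as the article prints them.
ARTICLE_TEXT = (
    "Ace Pro started sending a request to the domain rest.apizza[.]net, which "
    "responded with content from acedealex[.]xyz. MBM_BitScan reached out to a "
    "server hosted by Amazon, which beckoned flyerbit8[.]com, a domain designed "
    "to look like the legitimate Bitcoin service bitFlyer."
)

# Brands named on the page; the list itself is an assumption, extend it for your own watchlist.
BRANDS = ["bitFlyer", "Binance"]

# Dotted names where at least one separator may be the report-style "[.]".
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)+\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a resolvable name."""
    return indicator.replace("[.]", ".")


def extract_domains(text: str) -> list[str]:
    """Pull only the deliberately defanged domains out of report prose."""
    return [refang(m) for m in DOMAIN_RE.findall(text) if "[.]" in m]


def lookalike_score(domain: str, brand: str) -> float:
    """1.0 means the label left of the TLD equals the brand or a rotation of it
    (flyerbit8 -> flyerbit -> bitflyer) once digits and hyphens are removed."""
    label = domain.lower().split(".")[-2]          # label directly left of the TLD
    stripped = re.sub(r"[0-9-]", "", label)        # "flyerbit8" -> "flyerbit"
    brand = brand.lower()
    rotations = {brand[i:] + brand[:i] for i in range(len(brand))}
    return max(SequenceMatcher(None, stripped, r).ratio() for r in rotations)


def flag_lookalikes(domains, brands=BRANDS, threshold=0.8):
    """Return (domain, brand) pairs worth a closer look; the threshold is assumed."""
    return [(d, b) for d in domains for b in brands
            if lookalike_score(d, b) >= threshold]


if __name__ == "__main__":
    found = extract_domains(ARTICLE_TEXT)
    print("indicators:", found)
    print("lookalikes:", flag_lookalikes(found))
```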

The fake interface gave the appearance of allowing users to deposit and withdraw money and field customer service requests in real time. To get the victims started, the scammers instructed them to transfer money into the Binance exchange and, from there, from Binance to the fake app.

Fake trading interface provided by Ace Pro.

Fake trading interface provided by MBM_BitScan.

Pre-written scripts, confiscated passports, and violence

The organizational structure of the scammers is also elaborate. The operations emerged in China and Taiwan, and after they proved successful, Chinese authorities eventually cracked down. Some of the gangs fled to Cambodia and other small Southeast Asian countries.

Chinese law enforcement groups who have targeted CryptoRom scammers say the scammers mimic a corporate structure. At the top, there’s a head office that supervises the operation and launders proceeds. In the middle is a franchisee or affiliate that the head office contracts with. The franchisee oversees the next tier down. This tier includes a front desk for handling logistics such as human trafficking and site management, a technology team for running websites and apps, and a finance team for handling local finance operations.

At the bottom are the keyboarders, who handle most of the interactions with victims.

The organizational structure of a pig-butchering enterprise.

Sophos researchers explained:

During COVID-19, many underdeveloped countries did not have jobs or sufficient social benefits to support those affected by economic disruptions. This pushed many young people into taking job offers in other countries’ special economic zones that promised high pay. Many of these were fraudulent job offers tied to pig-butchering rings; when workers arrived, they were transported to CryptoRom centers and had their passports confiscated.

Often, keyboarders are these trafficked victims, brought from countries like China, Malaysia and India with the promise of better-paid jobs. They are trained with pre-written scripts with instructions on how to interact, what to say to their victims, and how to bring them into investing. If they want to leave or do not follow the script, they are reportedly subjected to violence.

It’s easy to read the details of these scams and wonder how anyone could fall for them. Sophos and others say the victims who get taken in are often well-educated, some with PhDs. Some of the techniques responsible for success include the length of engagement the scammers have with the victims and the proof that an initial withdrawal is possible.

Combined with the emotional vulnerability of some victims, the rise of app-based finance, and the unwitting role played by companies like Apple and Google, these and other techniques have proven effective.