UniShadowTrade
A widespread fraud operation has utilized counterfeit trading programs on the Apple App Store and Google Play Store, along with phishing websites, to deceive victims. This scheme is part of a broader consumer investment fraud tactic, where potential targets are drawn into investing in cryptocurrencies or other financial products after establishing trust through pretense—either as a romantic partner or an investment advisor.
These deceptive and manipulative tactics frequently result in victims losing their investments, and in some instances, they may be pressured into paying additional fees or costs. Cybersecurity experts indicate that this fraudulent campaign spans multiple regions, with victims reported in the Asia-Pacific, Europe, the Middle East and Africa. The fraudulent applications, developed using the UniApp Framework, are collectively referred to as UniShadowTrade.
The Operation Has Been Active for Quite a While
The activity cluster is reported to have been operational since at least mid-2023, enticing victims with unsafe applications that promise rapid financial returns. A significant concern is that one of these apps managed to bypass Apple's App Store review process, creating a false sense of legitimacy and trust. The application, named SBI-INT, has since been removed from the marketplace but initially posed as software for 'commonly used algebraic mathematical formulas and 3D graphics volume area calculation.'
It is believed that the cybercriminals achieved this by implementing a check within the application's source code to determine if the current date and time were before July 22, 2024, 00:00:00. If so, the app would display a deceptive screen filled with formulas and graphics. After the app was taken down a few weeks post-launch, the threat actors reportedly shifted their focus to distributing the app through phishing websites for both Android and iOS platforms.
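The date gate described above is easy to miss in a one-shot app review, because the reviewer's clock only ever lands on one side of the cutoff. The following harness is an added example, not code from the report or recovered from the app: it models the described check as a small decision function (constructed, with the reported cutoff of July 22, 2024, 00:00:00) and evaluates it at several clock values, including any date literals pulled out of a binary's strings, flagging the app as time-gated whenever the observed behaviour diverges. The function and sample strings are assumptions for illustration.

```python
"""Added example: probe a date-gated decision under several clock values.

An app that shows a decoy UI before a hard-coded date and the real UI after it
looks benign to a review run once with the current clock. Evaluating the same
decision at dates around any literal found in the binary, plus far past and
far future values, exposes the divergence. decoy_gate() is a constructed model
of the reported check, not code from the app.
"""
from datetime import datetime, timedelta

# Constructed model of the reported check: decoy before the cutoff, real UI after.
CUTOFF = datetime(2024, 7, 22, 0, 0, 0)


def decoy_gate(now: datetime) -> str:
    """Return which screen the (modelled) app would show at clock value `now`."""
    return "decoy_calculator" if now < CUTOFF else "trading_webapp"


def find_date_literals(strings):
    """Pick out 'YYYY-MM-DD HH:MM:SS' literals from text fragments dumped out of a
    binary so they can seed the probe. Anything that does not parse is ignored."""
    found = []
    for s in strings:
        try:
            found.append(datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue
    return found


def probe_clock_values(decision, anchors, margin_days=1):
    """Evaluate `decision` at each anchor +/- `margin_days`, plus far past/future.

    Returns (observed, time_gated): a mapping of ISO clock value -> behaviour,
    and True when more than one distinct behaviour was seen.
    """
    samples = []
    for a in anchors:
        samples += [a - timedelta(days=margin_days), a, a + timedelta(days=margin_days)]
    samples += [datetime(2000, 1, 1), datetime(2100, 1, 1)]
    observed = {ts.isoformat(): decision(ts) for ts in samples}
    return observed, len(set(observed.values())) > 1


if __name__ == "__main__":
    # Constructed sample of strings extracted from an app binary (not real IoCs).
    extracted = ["Formula Calculator", "2024-07-22 00:00:00", "https://example.invalid/app"]
    anchors = find_date_literals(extracted)
    observed, time_gated = probe_clock_values(decoy_gate, anchors)
    for ts, behaviour in sorted(observed.items()):
        print(ts, "->", behaviour)
    print("time-gated behaviour detected:", time_gated)
```

In a real pipeline the decision function would be the app running in an emulator whose clock is set to each sample value; the harness only shows which clock values are worth trying and how to interpret the results.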
How these Harmful Applications Operate
For iOS users, clicking the download button initiates the download of a .plist file, which prompts the system to request permission to install the application. However, after the download is finished, the application cannot be immediately launched. Cybercriminals then instruct the victim to trust the Enterprise developer profile manually. Once this step is completed, the fraudulent application can be activated.
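The .plist delivered by the download button is an over-the-air install manifest of the kind Apple's itms-services scheme uses for enterprise distribution; it names the IPA to fetch and the app's bundle identifier. The following is an added example, not code from the report: it parses such a manifest with the standard library and flags the properties a triage analyst would check before trusting an install prompt. The manifest, hostnames and bundle identifier are constructed placeholders, not indicators from the report, and the title-versus-bundle-id comparison is a heuristic assumption, not an Apple rule.

```python
"""Added example: sanity-check an iOS over-the-air install manifest (.plist).

Apple's itms-services manifest is a plist with an `items` array; each item has
`assets` (a `software-package` entry pointing at the IPA) and `metadata`
(bundle-identifier, bundle-version, kind, title). Parsing it tells a defender
where the package really comes from before anyone taps "Install".
"""
import plistlib
from urllib.parse import urlparse

# Constructed manifest in the itms-services layout; all values are placeholders.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array><dict>
      <key>kind</key><string>software-package</string>
      <key>url</key><string>http://cdn.example.invalid/build/app.ipa</string>
    </dict></array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>com.example.calc</string>
      <key>bundle-version</key><string>1.0</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Quick Trade Pro</string>
    </dict>
  </dict></array>
</dict></plist>"""


def parse_manifest(data: bytes):
    """Return (bundle_id, title, package_url) from an itms-services manifest."""
    plist = plistlib.loads(data)
    item = plist["items"][0]
    package_url = next(a["url"] for a in item["assets"] if a.get("kind") == "software-package")
    meta = item["metadata"]
    return meta["bundle-identifier"], meta["title"], package_url


def assess_manifest(data: bytes, manifest_url: str):
    """Return findings a reviewer would want before trusting the install prompt."""
    bundle_id, title, package_url = parse_manifest(data)
    pkg = urlparse(package_url)
    src = urlparse(manifest_url)
    findings = []
    if pkg.scheme != "https":
        findings.append(f"package not served over HTTPS: {package_url}")
    if pkg.hostname != src.hostname:
        findings.append(f"package host {pkg.hostname} differs from manifest host {src.hostname}")
    # Heuristic (assumption): a bundle id whose last component has nothing in
    # common with the advertised title hints at a repurposed or renamed build.
    if bundle_id.rsplit(".", 1)[-1].lower() not in title.lower().replace(" ", ""):
        findings.append(f"bundle id {bundle_id} does not match title '{title}'")
    return findings


if __name__ == "__main__":
    for f in assess_manifest(SAMPLE_MANIFEST, "https://download.example.invalid/app.plist"):
        print("-", f)
```

None of these findings proves fraud on its own; the point is that the manifest is readable before the enterprise profile is trusted, and that the package origin and identity it declares can be compared with what the download page advertises.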
Users who proceed to install and open the application are greeted by a login page that requests their phone number and password. The registration process includes entering an invitation code, indicating that the attackers are focusing on specific targets to execute their tactic.
Upon successful registration, victims enter a six-step attack sequence. They are pressured to submit identity documents as verification, personal details, and current employment information. They are then asked to agree to the service's terms and conditions to proceed with their investments.
After making a deposit, the cybercriminals provide additional instructions on which financial instruments to invest in, often claiming high potential returns. To perpetuate the deception, the application is manipulated to display the victims' investments as if they are generating profits.
Severe Consequences of Falling for the Tactic
Problems arise when the victim tries to withdraw their funds, at which point they are prompted to pay additional fees to recover their initial investments and supposed profits. In reality, the funds have been collected and redirected to accounts controlled by the attackers.
Another innovative tactic employed by the malware creators involves embedding a configuration that specifies the URL hosting the login page and other details of the fake trading application within the application. This configuration is hosted on a URL linked to a legitimate service called TermsFeed, which provides compliance software for generating privacy policies, terms and conditions and cookie consent banners.
The first application identified, distributed through the Apple App Store, functions as a downloader that merely retrieves and displays a Web-app URL. In contrast, the second application, obtained from phishing websites, already contains the web app within its assets.
Researchers note that this method is a strategic choice by the threat actors, designed to reduce the likelihood of detection and avoid triggering alarms when the app is distributed via the App Store.
Android Users Were Also at Risk
Cybersecurity experts also identified a fraudulent stock investment application on the Google Play Store named FINANS INSIGHTS (com.finans.insights). Another application associated with the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader).
Both Android applications are currently inactive on the Play Store; while they were available, they were downloaded fewer than 5,000 times. FINANS INSIGHTS primarily targeted users in Japan, South Korea, and Cambodia, while FINANS TRADER6 was mainly available in Thailand, Japan and Cyprus.
Be Skeptical of Unexpected Messages
Users are urged to be cautious when clicking on links and to avoid responding to unsolicited messages from unfamiliar individuals on social media and dating platforms. It's essential to verify the legitimacy of investment platforms and to carefully examine apps, including their publishers, ratings, and user reviews, before downloading.
Cybercriminals continue to exploit trusted platforms like the Apple App Store and Google Play to spread malware disguised as legitimate applications, taking advantage of users' confidence in these secure environments. Victims are attracted by promises of quick financial gains, only to discover that they cannot withdraw their funds after making substantial investments. The use of Web-based applications further obscures the unsafe activity, making detection even more challenging.