By abusing two legitimate iOS features, TestFlight and WebClips, the criminals behind the CryptoRom scam have found a new way to steal from people: getting dating-app users to install phony investment apps that look like the real thing.

Understanding CryptoRom

Over the last year, CryptoRom has been “combining catfishing with crypto-scamming” to swindle lonely hearts out of millions. According to security company Sophos, the attackers create fake profiles on popular dating apps such as Tinder and Bumble, message their matches, and eventually steer the conversation toward the money they claim to be making with a new “investment” app. A Sophos researcher described the playbook:

“Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support… They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait… After this, they will be told to buy various financial products or asked to invest in special ‘profitable’ trading events. The new friend even lends some money into the fake app, to make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.”

Some victims have reported being duped into putting as much as $1 million into one of the fake apps.

How TestFlight and WebClips are enabling the scam

By abusing two legitimate iOS features, TestFlight and WebClips, the CryptoRom attackers can put convincing fakes of real investment apps onto an iPhone without ever getting them through App Store review, which goes a long way toward convincing victims the apps are genuine.

Apple built TestFlight so developers can share nearly finished builds with testers before public release. Builds distributed this way go through a much lighter beta review than the full App Store process, yet once installed they look and behave like any other app, and a single build can be pushed to as many as 10,000 external testers. There are still tells a careful user can spot: a TestFlight build has to be installed through Apple’s TestFlight app rather than the App Store, it carries an orange dot next to its name on the home screen, and it stops working 90 days after it was uploaded. Legitimate brokers do not ask customers to join a beta. On top of TestFlight, WebClips add another layer of realism, as the researchers shared:

“CryptoRom attackers have [also] been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps.”

Using “malicious WebClips,” attackers can “mimic real apps,” such as the Robinhood investment app. A WebClip is nothing more than a home-screen bookmark with a custom icon and name; tapping it loads a web page, so the “app” is really just the scammers’ website wearing a familiar logo.

“In addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users… This shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.”
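One of the ways a WebClip can reach a phone is inside an iOS configuration profile (.mobileconfig), which is handy for a responder who has been handed such a file by a victim. The following is an added example written for this article, not code from Sophos, Apple or the article’s author. It parses a profile with Python’s standard plistlib, pulls out every Web Clip payload, and flags clips whose label names a brand while their URL points somewhere other than that brand’s domain. The sample profile, the .example lookalike domain, the placeholder UUIDs and the one-entry brand map are all constructed for illustration; the payload keys (PayloadType com.apple.webClip.managed, Label, URL, FullScreen, IsRemovable) are Apple’s. One caveat: a clip made with Safari’s “Add to Home Screen” involves no profile at all, so this check only covers profile-delivered clips.

```python
"""Triage an iOS configuration profile for Web Clip payloads that dress a
web link up as a brand-name app.

Added example for this article; not Sophos's, Apple's or the author's code.
Assumes the WebClip arrived as a .mobileconfig profile. Clips created via
Safari's "Add to Home Screen" leave no profile and are not visible here.
"""
import plistlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical brand -> legitimate registrable domain map (assumption: extend it
# to whatever brands matter in your environment).
BRAND_DOMAINS: Dict[str, str] = {
    "robinhood": "robinhood.com",
}

WEBCLIP_PAYLOAD_TYPE = "com.apple.webClip.managed"  # Apple's Web Clip payload type

# Constructed sample profile: two clips both labelled "Robinhood". The first
# points at the real domain, the second at a lookalike on the reserved .example
# TLD with FullScreen on (hides the address bar) and IsRemovable off.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Robinhood</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.clip.benign</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>Robinhood</string>
      <key>URL</key><string>https://robinhood.com/</string>
      <key>FullScreen</key><false/>
      <key>IsRemovable</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.clip.lookalike</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>Robinhood</string>
      <key>URL</key><string>https://robinhood-invest.example/app</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def extract_webclips(profile_bytes: bytes) -> List[dict]:
    """Return every Web Clip payload dict found in the profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WEBCLIP_PAYLOAD_TYPE]


def host_matches(hostname: Optional[str], domain: str) -> bool:
    """True if hostname is the brand domain or one of its subdomains."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def flag_impersonating_clips(clips: List[dict],
                             brand_domains: Dict[str, str] = BRAND_DOMAINS) -> List[dict]:
    """Flag clips whose label names a brand but whose URL is not on that brand's domain."""
    findings = []
    for clip in clips:
        label = str(clip.get("Label", ""))
        url = str(clip.get("URL", ""))
        parsed = urlparse(url)
        reasons = []
        for brand, domain in brand_domains.items():
            if brand in label.lower() and not host_matches(parsed.hostname, domain):
                reasons.append(f"label names {brand!r} but host is {parsed.hostname!r}, not {domain}")
        if parsed.scheme != "https":
            reasons.append(f"non-HTTPS scheme {parsed.scheme!r}")
        if reasons:
            # These two keys make a bookmark pass for a native app: FullScreen
            # hides Safari's address bar, IsRemovable=false blocks deletion.
            if clip.get("FullScreen"):
                reasons.append("FullScreen=true hides the address bar")
            if clip.get("IsRemovable") is False:
                reasons.append("IsRemovable=false blocks user removal")
            findings.append({"label": label, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_impersonating_clips(extract_webclips(SAMPLE_PROFILE)):
        print(f"[!] {finding['label']} -> {finding['url']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against a real profile by replacing SAMPLE_PROFILE with the file’s bytes; the benign clip is left alone and only the lookalike is reported, along with the FullScreen and IsRemovable settings that make it feel like an installed app.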

Just like people, apps can be posers too. So for the dating-app minded among you, if your match starts mentioning investing, run – and don’t look back.