Fake mobile trading apps first appearing in both Google and Apple app stores and later on phishing sites are being used in a large-scale fraud campaign aimed at stealing money from victims.
The apps – referred to collectively by cybersecurity firm Group-IB as UniShadowTrade – lured targets using iOS and Android devices into funding bogus trading accounts and once enough money was placed in them, the scammers stole the money.
The scheme is typical of “pig butchering” scams but showed how bad actors are evolving their techniques, Andrey Polovinkin, team lead for Group-IB’s reverse research unit, wrote in a report this week. Typical mobile trojans contain the malware used to run the scam, the researcher wrote. However, these fraudulent apps didn’t contain malware – a move designed to help them bypass security protections. Instead, the bad actors created a legitimate trading platform to defraud victims.
“Cybercriminals continue to use trusted platforms such as the Apple Store or Google Play to distribute malware disguised as legitimate applications, exploiting users’ trust in secure ecosystems,” Polovinkin wrote. “The use of web-based applications further conceals the malicious activity and makes detection more difficult.”
Pig butchering scams involve bad actors spending weeks or months gaining the victim’s trust via online contact that starts on social media, dating apps, or similar avenues. They often portray themselves as investment or trading advisers, eventually convincing the target to invest funds in some sort of scheme. The scam usually ends with the victim losing their investment and, sometimes, being pressured to pay additional fees or taxes.
The name refers to the practice of fattening up a pig before butchering it.
In this case, the apps were built on the UniApp framework, which enables developers to create applications that run on Android, iOS, or web browsers from a single code base. Polovinkin said there were few differences between the iOS and Android versions of the trading apps because their core functionality is web-based and delivered through a browser. The apps were available in Apple’s App Store and the Google Play store.
“The application does not include functionality of classic mobile Trojan; its primary function is to open a Web View activity,” he wrote.
The fraudulent apps, first detected in May, initially were available via the app stores. Once they were removed, the scammers moved to distributing the app through phishing sites that offered downloads for both Android and iOS. The iOS version was named SBI-INT, while those for Android devices were named Finans Insights and Finans Trader6.
Those developed for Android were downloaded thousands of times.
“The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL,” Polovinkin wrote. “In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets.”
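The downloader-versus-bundled distinction above is something an analyst can check statically on an unpacked app. The following triage heuristic is an added example, not Group-IB's tooling or the report's method; it assumes an unpacked Android-style layout with an `assets` directory, and the `__UNI__` directory marker for uni-app bundles is an assumption, as is the constructed sample layout.

```python
import os
import re
import tempfile

# Constructed heuristics: the report only states that one app fetched a web-app URL
# and the other shipped the web-app in its assets. Nothing here is from the report.
WEB_EXT = {".html", ".htm", ".js", ".css"}
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
UNI_MARKER = "__UNI__"  # assumption: uni-app stores pages under assets/apps/__UNI__<id>/www


def triage_webview_wrapper(app_dir):
    """Classify an unpacked app as 'bundled-webapp', 'remote-loader' or 'native'."""
    web_assets, urls, uni_app = [], set(), False
    for root, _dirs, files in os.walk(app_dir):
        if UNI_MARKER in root:
            uni_app = True
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_dir)
            in_assets = rel.split(os.sep)[0] == "assets"
            if in_assets and os.path.splitext(name)[1].lower() in WEB_EXT:
                web_assets.append(rel.replace(os.sep, "/"))
            with open(path, "rb") as fh:  # harvest hardcoded URLs from any file
                urls.update(u.decode("ascii", "replace") for u in URL_RE.findall(fh.read()))
    if web_assets:
        kind = "bundled-webapp"   # web-app shipped inside the package
    elif urls:
        kind = "remote-loader"    # no local pages, only URL(s) to open in a WebView
    else:
        kind = "native"
    return {"kind": kind, "uni_app": uni_app, "web_assets": sorted(web_assets), "urls": sorted(urls)}


def build_sample(bundled):
    """Constructed sample layout so the example runs offline; not a real app."""
    d = tempfile.mkdtemp()
    if bundled:
        www = os.path.join(d, "assets", "apps", "__UNI__ABC123", "www")
        os.makedirs(www)
        with open(os.path.join(www, "index.html"), "w") as fh:
            fh.write("<html><script src='app.js'></script></html>")
    else:
        os.makedirs(os.path.join(d, "assets"))
        with open(os.path.join(d, "assets", "config.json"), "w") as fh:
            fh.write('{"startUrl": "https://trading-portal.example/"}')
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_webview_wrapper(build_sample(flag)))
```

A hit on either class is a prompt to open the harvested URLs or bundled pages in a sandbox and compare the content against the app's store listing.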
The social engineering scam involves a range of steps victims must take. iOS users who hit the download button are met with a prompt asking for permission to install the app, but once the download is complete, the victims are asked to manually trust the developer profile. The app becomes operational after that is done.
The app is described as being designed for algebraic mathematical formulas and 3D graphics volume area calculations. Instead, after it’s launched, victims are asked to enter an invitation code to register within the application, which, he wrote, indicates that the scammers are targeting specific people rather than running a mass campaign.
After registering, the victims have to complete several steps, including uploading an ID card or passport, providing personal information and job-related details, and agreeing to terms and conditions. Then they’re instructed to fund their account.
“Once the deposit has been made, the cybercriminals take over and send further instructions, ultimately resulting in the theft of the victim’s funds,” Polovinkin wrote. “After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so.”
The web application is built using JavaScript and includes all the functionality of a legitimate trading account. There are account settings, forms for uploading bank cards and ID documents, transaction history, profit and loss, an IPO section, and a list of available stocks. It even offers hints not only in English but also Portuguese, Chinese, and Hindi, and can mimic various crypto and trading platforms.
He wrote that the scam “highlights the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps, and reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims.”