The researchers from Sophos declared that they received a tip-off relating to a fake mobile trading app, this tip leading to the discovery of a server containing “hundreds” of malicious trading, banking, foreign exchange, and cryptocurrency apps designed for the Android and iOS platforms.

In the current context, mobility has made stock trading and investment opportunities widely available and extremely accessible, therefore users are now choosing to handle by themselves any investments.

With social media channels becoming the place for stock chat, trading tips, and cryptocurrency, more and more people are falling into the malicious trap set by the attackers.

The ease of downloading a mobile application with the help of which you’ll be able to explore investment opportunities has created a perfect scenario that malicious cybercriminals can easily exploit.

The apps found by the researchers included counterfeit software created to impersonate trusted brands like Barclays, Gemini, Kraken, TDBank, and Binance, for each of the operators having created dedicated websites linked to each individual app that was tailored to appear just as the impersonated organization.

Attackers are changing the way in which they operate, therefore rather than relying on mass spam emails or phishing, they are now taking a more personal approach and are also trying to create a relationship with their victim with the sole purpose of offering a form of time-sensitive financial opportunity to them.

Once the potential victim does what the attackers want and downloads a malicious app or visits a fake website and provides their details, the victim will be lured into opening an account or cryptocurrency wallet and transferring funds.

The apps discovered on the server were pushed through the same infrastructure and through a “Super Signature process” which was abused in order to bypass security protections and mechanisms used by official app repositories.

Heimdal™ Threat Prevention Home makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Heimdal™ Threat Prevention Home anti malware and ransomware protection
Heimdal™ Threat Prevention Home provides: Automatic and silent software updates Smart protection against malware Compatibility with any traditional antivirus.


Try it FREE

30-day Free Trial

For iOS, the process that is designed for small app developers to conduct legitimate test deployments before the submission is requiring a target device to download and install a manifest file in order to accept the package. After this step is completed the device’s ID is sent to a registered developer account and an .IPA package that contains the app is pushed to the user for download.

While many of these Super Signature developer services may be targeted at helping legitimate small app developers, we found in our investigation that the malware used many such third-party commercial app distribution services.

These services offered options for ‘One-click upload of App Installation’ where you just need to provide the IPA file. They advertise themselves as an alternative to the iOS App Store, handling app distribution and registration of devices.


When discussing Android apps, users are asked to install and launch an app, create an account, and then start trading.

We believe the ID details could have been used to legitimize financial transactions and receipts by the crooks as a confirmation about the deposits from the victims.

We also found several profile pictures of attractive people likely used for creating fake dating profiles, which suggests that dating could have been used as a bait to lure victims.


The apps appear as being real, but the wallets are either controlled by cybercriminals, or the funds required to start trading are requested to be sent to bank accounts from Hong Kong, as Asia is primarily being targeted by the network.

How to Spot and Prevent Apple ID Phishing Scams

Android Malware: Your Mobile Device Isn’t Safe from Hackers

Leave a Reply

Your email address will not be published. Required fields are marked *