
How 'CryptoRom' Scams Utilize Apple's TestFlight To Distribute Malicious iOS Apps


Android allows users to "sideload" apps from third-party markets. But on iPhone, that is effectively impossible.

Apple has long required apps to pass a thorough security review before they can be admitted to the official iOS App Store. The strict vetting is meant to prevent malicious apps from making their way onto users' devices.

However, there is one way apps can be installed on users' phones without having to undergo that strict vetting process.

And that is through Apple's TestFlight program.

Meant for developers, TestFlight allows people to beta test apps.

By first installing the TestFlight app from the App Store, any iOS user can download and install apps that have yet to pass Apple's vetting process.

And this time, scammers are treating that as a weakness in Apple's model.

According to a Sophos report on an organized scam campaign known as 'CryptoRom', the scammers realized that TestFlight users can download unvetted apps, and that a developer can invite up to 10,000 other testers by email address or by sharing a public link.

Moreover, because unvetted apps skip the review process, the scammers also know that Apple is not scrutinizing what happens inside those apps.

"Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange," wrote Jagadeesh Chandraiah, a malware analyst at security firm Sophos. "We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach."

In addition to using TestFlight, the scammers are also using web apps to promote their malicious cryptocurrency apps.

To do this, the scammers plant their malicious apps by getting users to install web apps through Safari's 'Add to home screen' option.

In the report, Sophos detailed how people who received a link from the scammer and clicked on it had the TestFlight app download and install the fake cryptocurrency app.

But what makes this scam unique is that it utilizes everything from romance-centered social engineering to fraudulent financial apps and websites to ensnare victims and steal their savings after gaining their confidence.

[Image] BTCBOX has warned of malicious fake websites using its name. (Credit: Sophos)

According to Sophos, this style of cyber-fraud is known as sha zhu pan (杀猪盘), or "pig butchering plate."

It's a well-organized, syndicated scam operation that can trick victims into doing whatever the malicious actors want, without requiring in-person interaction.

"This threat is still very active, and continues to impact victims around the world, in some cases costing them their life savings," the post explained.

CryptoRom scams can be traced back to 2021.

It's only now that the scammers have started utilizing Apple's Enterprise Developer program as their method of attack.

"Since our initial report, we have been contacted by victims of CryptoRom scams from around the world. Many of them provided details of the scams that allowed us to collect samples and other threat data. Most also reported that they had lost thousands of dollars in personal savings to the crooks behind the scams, though some saw our previous reports and recognized the scam before being drawn into it too deeply. In some cases, victims have lost their entire savings and even taken out loans with the hope that they will get their money back," the report said.

Making matters worse, CryptoRom victims are frequently desperate to find a way to get their money back after they realize they've been scammed.

But because of the nature of cryptocurrency and the fact that cross-border transactions are involved, it is extremely difficult to recover any lost funds by any means.

Because desperate times call for desperate measures, some of those people would do anything to get back even a fraction of what they've lost.

And this is where those people can fall victim to a different sort of scam.

[Image] How recovery scams target CryptoRom victims. (Credit: Sophos)

On the web, there are a number of scams that pose as cryptocurrency recovery services, and many of those services have tailored their scams to specifically target CryptoRom victims.

"We’ve found a number of offerings for these services on the web via responses in discussion groups and social media; many of the messages are typo-laden. The vast majority of these services are fake, and it is highly unlikely that any service would be able to get victims’ money back," said Sophos.

"These scams are well-organized, and skilled in identifying and exploiting vulnerable users based on their situation, interests, and level of technical ability. Those who get pulled into the scam have lost tens of thousands of dollars."

"SophosLabs has reported all of the CryptoRom-related websites and apps to Apple and Google, but the only long-term fix to prevent these scams is a collective response."

The company suggests that social media companies should alert users about these kinds of scams, and should spot patterns and remove the fake profiles committing this fraud.

As for Apple and Google, the two companies should alert users whenever they install apps from unofficial sources.

Published: 18/03/2022