CINXE.COM

<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"> <link rel="pingback" href="https://news.sophos.com/xmlrpc.php"> <link rel="alternate" hreflang="es-419" href="https://news.sophos.com/es-419/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="nl-nl" href="https://news.sophos.com/nl-nl/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="pt-br" href="https://news.sophos.com/pt-br/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="de-de" href="https://news.sophos.com/de-de/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="en-us" href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="fr-fr" href="https://news.sophos.com/fr-fr/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="es-es" href="https://news.sophos.com/es-es/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="it-it" href="https://news.sophos.com/it-it/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="ja-jp" href="https://news.sophos.com/ja-jp/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" /> <link rel="alternate" hreflang="zh-tw" href="https://news.sophos.com/zh-tw/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores" />  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TW8W88B');</script>  <script type="text/javascript"> /* <![CDATA[ */ (()=>{var e={};e.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),function({ampUrl:n,isCustomizePreview:t,isAmpDevMode:r,noampQueryVarName:o,noampQueryVarValue:s,disabledStorageKey:i,mobileUserAgents:a,regexRegex:c}){if("undefined"==typeof sessionStorage)return;const d=new RegExp(c);if(!a.some((e=>{const n=e.match(d);return!(!n||!new RegExp(n[1],n[2]).test(navigator.userAgent))||navigator.userAgent.includes(e)})))return;e.g.addEventListener("DOMContentLoaded",(()=>{const e=document.getElementById("amp-mobile-version-switcher");if(!e)return;e.hidden=!1;const n=e.querySelector("a[href]");n&&n.addEventListener("click",(()=>{sessionStorage.removeItem(i)}))}));const g=r&&["paired-browsing-non-amp","paired-browsing-amp"].includes(window.name);if(sessionStorage.getItem(i)||t||g)return;const u=new URL(location.href),m=new URL(n);m.hash=u.hash,u.searchParams.has(o)&&s===u.searchParams.get(o)?sessionStorage.setItem(i,"1"):m.href!==u.href&&(window.stop(),location.replace(m.href))}({"ampUrl":"https:\/\/news.sophos.com\/en-us\/2023\/02\/01\/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores\/?amp=1","noampQueryVarName":"noamp","noampQueryVarValue":"mobile","disabledStorageKey":"amp_mobile_redirect_disabled","mobileUserAgents":["Mobile","Android","Silk\/","Kindle","BlackBerry","Opera Mini","Opera Mobi"],"regexRegex":"^\\\/((?:.|\\n)+)\\\/([i]*)$","isCustomizePreview":false,"isAmpDevMode":false})})(); /* ]]> */ </script> <title>Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores – Sophos News</title> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>  <meta name="google-site-verification" content="8r1qg681OjOolfxmHEY1IYupmTBdyKXc-OPfpgeQHFk" /> <link rel='dns-prefetch' href='//unpkg.com' /> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='dns-prefetch' href='//v0.wordpress.com' /> <link rel="alternate" type="application/rss+xml" title="Sophos News » Feed" href="https://news.sophos.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Sophos News » Comments Feed" href="https://news.sophos.com/comments/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/news.sophos.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='all-css-2' href='https://news.sophos.com/wp-includes/css/dist/block-library/style.min.css?m=1732206022g' type='text/css' media='all' /> <style id='safe-svg-svg-icon-style-inline-css'> .safe-svg-cover{text-align:center}.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <link rel='stylesheet' id='all-css-6' href='https://news.sophos.com/_static/??-eJzTLy/QzcxLzilNSS3WzyrWz01NyUxMzUnNTc0rQeEU5CRWphbp5qSmJyZX6uVm5uklFxfr6OPTDpRD5sM02efaGpobGxkZmBkYGQMARIMu1Q==' type='text/css' media='all' /> <style id='jetpack-sharing-buttons-style-inline-css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='elasticpress-facet-style-inline-css'> .widget_ep-facet input[type=search],.wp-block-elasticpress-facet input[type=search]{margin-bottom:1rem}.widget_ep-facet .searchable .inner,.wp-block-elasticpress-facet .searchable .inner{max-height:20em;overflow:scroll}.widget_ep-facet .term.hide,.wp-block-elasticpress-facet .term.hide{display:none}.widget_ep-facet .empty-term,.wp-block-elasticpress-facet .empty-term{opacity:.5;position:relative}.widget_ep-facet .empty-term:after,.wp-block-elasticpress-facet .empty-term:after{bottom:0;content:" ";display:block;left:0;position:absolute;right:0;top:0;width:100%;z-index:2}.widget_ep-facet .level-1,.wp-block-elasticpress-facet .level-1{padding-left:20px}.widget_ep-facet .level-2,.wp-block-elasticpress-facet .level-2{padding-left:40px}.widget_ep-facet .level-3,.wp-block-elasticpress-facet .level-3{padding-left:60px}.widget_ep-facet .level-4,.wp-block-elasticpress-facet .level-4{padding-left:5pc}.widget_ep-facet .level-5,.wp-block-elasticpress-facet .level-5{padding-left:75pt}.widget_ep-facet input[disabled],.wp-block-elasticpress-facet input[disabled]{cursor:pointer;opacity:1}.widget_ep-facet .term a,.wp-block-elasticpress-facet .term a{-webkit-box-align:center;-ms-flex-align:center;align-items:center;display:-webkit-box;display:-ms-flexbox;display:flex;position:relative}.widget_ep-facet .term a:hover .ep-checkbox,.wp-block-elasticpress-facet .term a:hover .ep-checkbox{background-color:#ccc}.ep-checkbox{-webkit-box-align:center;-ms-flex-align:center;-ms-flex-negative:0;-webkit-box-pack:center;-ms-flex-pack:center;align-items:center;background-color:#eee;display:-webkit-box;display:-ms-flexbox;display:flex;flex-shrink:0;height:1em;justify-content:center;margin-right:.25em;width:1em}.ep-checkbox:after{border:solid #fff;border-width:0 .125em .125em 0;content:"";display:none;height:.5em;-webkit-transform:rotate(45deg);transform:rotate(45deg);width:.25em}.ep-checkbox.checked{background-color:#5e5e5e}.ep-checkbox.checked:after{display:block} </style> <link rel='stylesheet' id='all-css-18' href='https://news.sophos.com/wp-content/mu-plugins/search/elasticpress/dist/css/related-posts-block-styles.min.css?m=1730999764g' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='all-css-22' href='https://news.sophos.com/wp-content/themes/sophosnews-2017/style-2021.css?m=1722941894g' type='text/css' media='all' /> <script type="text/javascript" src="https://news.sophos.com/_static/??-eJzTLy/QzcxLzilNSS3WzwKiwtLUokoopZebmaeXVayjj0+Rbm5melFiSSpUsX2uraG5sZGRgZmBkXEWAK8tIhI=" ></script><link rel="https://api.w.org/" href="https://news.sophos.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://news.sophos.com/wp-json/wp/v2/posts/87362" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://news.sophos.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel="canonical" href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/" /> <link rel='shortlink' href='https://news.sophos.com/?p=87362' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://news.sophos.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fnews.sophos.com%2Fen-us%2F2023%2F02%2F01%2Ffraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://news.sophos.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fnews.sophos.com%2Fen-us%2F2023%2F02%2F01%2Ffraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores%2F&format=xml" /> <link rel="me" href="https://infosec.exchange/@SophosXOps"/> <link rel="alternate" type="text/html" media="only screen and (max-width: 640px)" href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/?amp=1"> <style>img#wpstats{display:none}</style> <link rel="amphtml" href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/?amp=1"><style>#amp-mobile-version-switcher{left:0;position:absolute;width:100%;z-index:100}#amp-mobile-version-switcher>a{background-color:#444;border:0;color:#eaeaea;display:block;font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen-Sans,Ubuntu,Cantarell,Helvetica Neue,sans-serif;font-size:16px;font-weight:600;padding:15px 0;text-align:center;-webkit-text-decoration:none;text-decoration:none}#amp-mobile-version-switcher>a:active,#amp-mobile-version-switcher>a:focus,#amp-mobile-version-switcher>a:hover{-webkit-text-decoration:underline;text-decoration:underline}</style>  <meta property="og:type" content="article" /> <meta property="og:title" content="Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores" /> <meta property="og:url" content="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/" /> <meta property="og:description" content="Using changing remote content, apps slide by official review process to deliver fraud through the Apple App Store and Google Play Store." /> <meta property="article:published_time" content="2023-02-01T11:00:48+00:00" /> <meta property="article:modified_time" content="2024-11-21T20:29:46+00:00" /> <meta property="og:site_name" content="Sophos News" /> <meta property="og:image" content="https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?w=640" /> <meta property="og:image:secure_url" content="https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?w=640" /> <meta property="og:image:width" content="640" /> <meta property="og:image:height" content="427" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" /> <meta property="fb:admins" content="28552295016" /> <meta name="twitter:text:title" content="Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores" /> <meta name="twitter:image" content="https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?w=640" /> <meta name="twitter:card" content="summary_large_image" />  <link rel="icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=32" sizes="32x32" /> <link rel="icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=192" sizes="192x192" /> <link rel="apple-touch-icon" href="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=180" /> <meta name="msapplication-TileImage" content="https://news.sophos.com/wp-content/uploads/2020/01/cropped-sophos.png?w=270" /> <style type="text/css" id="wp-custom-css"> .entry-content .embed-vimeo iframe, .entry-content .embed-youtube iframe { aspect-ratio: 16/9; width: 100%; height: auto; } </style> </head> <body class="post-template-default single single-post postid-87362 single-format-standard group-blog">  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TW8W88B" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>  <div id="page" class="hfeed site"> <a class="sr-only" href="#content">Skip to content</a> <header class="bg-blue-600" x-data="{ mobileMenu: false, searchField: false }"> <div class="container"> <div class="flex items-center justify-between h-16">  <div class="flex-shrink-0"> <a class="site-logo" href="https://news.sophos.com/en-us/" rel="home"> <svg width="172" height="17" xmlns="http://www.w3.org/2000/svg"> <g fill="#FFF" fill-rule="evenodd"> <path d="M113.024 5.298V16.74h-2.595V.259h2.265l7.997 11.49V.26h2.619v16.482h-2.289l-7.997-11.443M126.064.259h10.78v2.307H128.8v4.521h7.549v2.214h-7.55v5.133h8.376v2.307h-11.111V.259M138.478.259h2.855l2.694 12.29L147.29.26h2.783l3.61 12.314L156.005.26h2.783l-3.62 16.482h-2.76l-3.751-12.126-3.426 12.126h-2.784L138.478.259M168.933 4.968v-.283c0-1.318-.778-2.425-3.492-2.425-2.43 0-3.279 1.013-3.279 2.284 0 1.201.708 1.743 2.218 2.073l3.491.776c2.123.448 4.129 1.602 4.129 4.333 0 3.014-1.675 5.274-6.204 5.274-5.214 0-6.559-2.26-6.559-4.52v-.307h2.737v.26c0 1.2.755 2.284 3.774 2.284 2.5 0 3.421-1.084 3.421-2.638 0-1.224-.731-1.907-2.289-2.237l-3.49-.777c-2.407-.517-3.917-1.742-3.917-4.309 0-2.566 1.77-4.756 6.016-4.756 4.553 0 6.18 2.26 6.18 4.639v.33h-2.736M85.303 16.718h8.88c2.492 0 3.549-.15 4.379-.677 1.308-.803 2.139-2.378 2.139-4.162 0-1.457-.504-2.868-1.258-3.622-.981-1.006-2.316-1.382-4.783-1.382h-2.693c-1.208 0-2.097-.05-2.6-.276-.605-.277-.956-.81-.956-1.562 0-.88.427-1.455 1.132-1.632.529-.124 1.14-.124 2.726-.15h7.949V.265h-8.754c-1.963 0-2.843.075-3.598.353-1.737.602-2.921 2.383-2.921 4.518 0 1.458.58 2.745 1.587 3.624.881.753 2.189 1.105 4.202 1.105h3.584c.805 0 1.46.1 1.813.3.678.327 1.08.934 1.08 1.714 0 .652-.301 1.122-.83 1.447-.426.278-1.158.403-2.49.403h-8.588v2.99zm-84.945 0h8.88c2.492 0 3.549-.15 4.38-.677 1.307-.803 2.138-2.378 2.138-4.162 0-1.457-.504-2.868-1.258-3.622-.982-1.006-2.316-1.382-4.783-1.382H7.023c-1.209 0-2.098-.05-2.6-.276-.605-.277-.957-.81-.957-1.562 0-.88.427-1.455 1.132-1.632.53-.124 1.141-.124 2.726-.15h7.95V.265H6.52c-1.964 0-2.844.075-3.6.353C1.185 1.22 0 3 0 5.136 0 6.594.582 7.881 1.587 8.76c.881.753 2.19 1.105 4.203 1.105h3.582c.807 0 1.46.1 1.814.3.678.327 1.08.934 1.08 1.714 0 .652-.3 1.122-.83 1.447-.426.278-1.157.403-2.49.403H.358v2.99zM71.99 4.596c-.52.813-.765 2.118-.765 3.87 0 3.845 1.331 5.595 4.294 5.595 2.915 0 4.248-1.75 4.248-5.546 0-3.847-1.308-5.571-4.248-5.571-1.604 0-2.864.592-3.53 1.652zm10.05-1.897c1.013 1.33 1.58 3.498 1.58 6.039 0 2.882-.914 5.249-2.544 6.555-1.233.986-3.11 1.528-5.335 1.528-3.16 0-5.654-1.037-6.937-2.884-.964-1.355-1.435-3.155-1.435-5.35 0-3.152.866-5.544 2.495-6.826C71.149.726 73.175.158 75.497.158c2.938 0 5.284.913 6.543 2.54zM65.36.279h-3.507v6.73h-6.345V.278h-3.507v16.439h3.507V9.94h6.345v6.778h3.506V.278zM43.533 8.042c.938 0 1.48-.123 1.852-.469.442-.37.715-1.158.715-2.07 0-1.084-.443-1.872-1.208-2.144-.272-.1-.717-.149-1.286-.149h-4.839v4.832h4.766zm-4.766 8.674h-3.507V.278h8.223c2.889 0 3.902.295 4.988 1.504.964 1.036 1.481 2.39 1.481 3.845 0 1.725-.69 3.327-1.826 4.289-.962.813-1.854 1.058-3.728 1.058h-5.63v5.743zM21.665 4.596c-.519.813-.764 2.118-.764 3.87 0 3.845 1.333 5.595 4.297 5.595 2.913 0 4.247-1.75 4.247-5.546 0-3.847-1.308-5.571-4.247-5.571-1.606 0-2.866.592-3.533 1.652zm10.052-1.897c1.014 1.33 1.581 3.498 1.581 6.039 0 2.882-.914 5.249-2.545 6.555-1.233.986-3.11 1.528-5.333 1.528-3.162 0-5.656-1.037-6.94-2.884-.964-1.355-1.432-3.155-1.432-5.35 0-3.152.865-5.544 2.496-6.826C20.825.726 22.85.158 25.173.158c2.938 0 5.286.913 6.544 2.54z"/> </g> </svg> </a> </div>  <div class="lg:flex justify-end flex-grow hidden" x-show="searchField" x-cloak> <div class="relative w-1/2 rounded-md shadow-sm"> <form role="search" method="get" action="https://news.sophos.com/en-us/"> <input type="text" class="block w-full text-lg text-white placeholder-gray-100 bg-blue-800 border-0 rounded-md font-sansMedium font-medium" placeholder="Type to Search News" x-ref="searchInput" name="s" /> <div class="absolute inset-y-0 right-0 flex items-center px-3"> <button class="hover:opacity-100 opacity-60 p-1 text-xs text-white uppercase rounded-full cursor-pointer" type="submit" > Search </button> </div> </form> </div> </div>  <div class="lg:flex items-center flex-grow hidden" x-show="!searchField" x-cloak> <div class="flex ml-auto"> <ul id="menu-en-us-primary" class="primary-menu"><li id="menu-item-77773" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-77773"><a href="https://news.sophos.com/en-us/category/products-services/">Products & Services<div class="menu-item-description"></div></a></li> <li id="menu-item-77772" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-77772"><a href="https://news.sophos.com/en-us/category/security-operations/">Security Operations<div class="menu-item-description"></div></a></li> <li id="menu-item-77774" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor current-menu-parent current-post-parent menu-item-77774"><a href="https://news.sophos.com/en-us/category/threat-research/">Threat Research<div class="menu-item-description"></div></a></li> <li id="menu-item-85326" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-85326"><a href="https://news.sophos.com/en-us/category/ai-research/">AI Research<div class="menu-item-description"></div></a></li> <li id="menu-item-951374" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-951374"><a href="https://news.sophos.com/en-us/category/serious-security/">Naked Security<div class="menu-item-description"></div></a></li> <li id="menu-item-83702" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-83702"><a href="https://news.sophos.com/en-us/category/sophos-life/">Sophos Life<div class="menu-item-description"></div></a></li> </ul> </div> </div>  <div class="lg:block hidden ml-4"> <div class="flex items-center"> <button class="border-2 border-transparent hover:border-white inline-flex items-center justify-center p-2 text-white rounded-md focus:outline-none transition-colors" @click.prevent="searchField = !searchField; $nextTick(() => { setTimeout(() => { $refs.searchInput.focus(); }, 150);});" > <span class="sr-only">Search</span>  <svg class="w-5 h-5" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" :class="{ 'block': !searchField, 'hidden': searchField }" > <path stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" /> </svg> <svg class="hidden w-5 h-5" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true" :class="{ 'block': searchField, 'hidden': !searchField }" > <path stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M6 18L18 6M6 6l12 12" /> </svg> </button> </div> </div>  <div class="lg:hidden flex -mr-2"> <button type="button" class="hover:text-white hover:bg-blue-800 focus:outline-none hover:ring-2 focus:ring-offset-2 focus:ring-offset-gray-300 focus:ring-white inline-flex items-center justify-center p-2 text-white rounded-md" aria-controls="mobile-menu" aria-expanded="false" @click="mobileMenu = !mobileMenu" > <span class="sr-only">Open main menu</span>  <svg class="block w-6 h-6" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" :class="{ 'block': !mobileMenu, 'hidden': mobileMenu }" > <path stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M4 6h16M4 12h16m-7 6h7" /> </svg>  <svg class="hidden w-6 h-6" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true" :class="{ 'block': mobileMenu, 'hidden': !mobileMenu }" > <path stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M6 18L18 6M6 6l12 12" /> </svg> </button> </div> </div> </div>  <div class="lg:hidden container" x-show="mobileMenu" x-cloak x-transition:enter="transition-all ease-out duration-100" x-transition:enter-start="transform opacity-0 scale-95" x-transition:enter-end="transform opacity-100 scale-100" x-transition:leave="transition ease-in duration-75" x-transition:leave-start="transform opacity-100 scale-100" x-transition:leave-end="transform opacity-0 scale-95" > <div class="pt-2 pb-8 space-y-2"> <div class="relative rounded-md shadow-sm"> <form role="search" method="get" action="https://news.sophos.com/en-us/"> <input type="text" class="focus:ring-blue-600 focus:border-blue-600 sm:text-sm block w-full placeholder-gray-600 border-gray-300 rounded-md" placeholder="Search News" name="s" /> <div class="absolute inset-y-0 right-0 flex items-center px-3 pointer-events-none" > <button class="p-1 text-gray-500 rounded-full" type="submit"> <span class="sr-only">Search</span>  <svg class="w-4 h-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" > <path stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" /> </svg> </button> </div> </form> </div> <ul id="menu-en-us-primary-1" class="mobile-menu"><li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-77773"><a href="https://news.sophos.com/en-us/category/products-services/">Products & Services<div class="menu-item-description"></div></a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-77772"><a href="https://news.sophos.com/en-us/category/security-operations/">Security Operations<div class="menu-item-description"></div></a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor current-menu-parent current-post-parent menu-item-77774"><a href="https://news.sophos.com/en-us/category/threat-research/">Threat Research<div class="menu-item-description"></div></a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-85326"><a href="https://news.sophos.com/en-us/category/ai-research/">AI Research<div class="menu-item-description"></div></a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-951374"><a href="https://news.sophos.com/en-us/category/serious-security/">Naked Security<div class="menu-item-description"></div></a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-83702"><a href="https://news.sophos.com/en-us/category/sophos-life/">Sophos Life<div class="menu-item-description"></div></a></li> </ul> </div> </div> </header> <div id="content"> <div id="primary" class="content-area"> <main id="main" class="site-main" role="main"> <article id="post-87362" class="post-87362 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-research tag-cryptocurrency-fraud tag-cryptorom tag-fake-apps tag-featured tag-ios-fake-app tag-pig-butchering tag-pigbutchering tag-shazhupan tag-sophos-x-ops region-en-us"> <div class="md:mt-16 container mt-8"> <div class="relative max-w-5xl mx-auto"> <div class="aspect-w-16 aspect-h-9 flex bg-gray-400 bg-right bg-no-repeat bg-cover" > <img width="1198" height="800" src="https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?w=1198" class="object-cover wp-post-image" alt="" decoding="async" fetchpriority="high" srcset="https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg 6016w, https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?resize=300,200 300w, https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?resize=768,513 768w, https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?resize=1024,684 1024w, https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?resize=1536,1025 1536w, https://news.sophos.com/wp-content/uploads/2023/02/shutterstock_1547820455.jpg?resize=2048,1367 2048w" sizes="(max-width: 1198px) 100vw, 1198px" /> </div> <div class="left-4 w-24 h-24 lg:left-12 xl:left-16 lg:w-40 lg:h-40 place-items-center absolute top-0 grid " > <img src="https://news.sophos.com/wp-content/uploads/2022/07/Category-Icon-X-Ops-v2.png" alt="Threat Research" /> </div> </div> </div> <header> <div class="container mt-8 md:mt-16 md:-mb-4"> <div class="max-w-4xl mx-auto"> <h1 class="text-style-h1 mb-8">Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores</h1> <div class="text-xl md:text-2xl -mt-2 mb-6"> Using changing remote content, apps slide by official review process to deliver fraud through the Apple App Store and Google Play Store. </div> <div class="text-xl md:text-xl -mt-2"> <span class="byline"> Written by <span class="author vcard"> <a href="https://news.sophos.com/en-us/author/jagadeesh-chandraiah/" title="Posts by Jagadeesh Chandraiah" class="author url fn" rel="author">Jagadeesh Chandraiah</a> </span> </span> </div> <div class="text-sophos-gray-600 mt-4 text-xs font-sansSemiBold font-semibold leading-tight uppercase"> <span class="posted-on"><a href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/" rel="bookmark">February 01, 2023</a></span> </div> <div class="mt-6 space-y-2 space-x-1"> <a href="https://news.sophos.com/en-us/category/threat-research/" class="category-tag-pill">Threat Research</a> <a href="https://news.sophos.com/en-us/tag/cryptocurrency-fraud/" class="category-tag-pill">cryptocurrency fraud</a> <a href="https://news.sophos.com/en-us/tag/cryptorom/" class="category-tag-pill">Cryptorom</a> <a href="https://news.sophos.com/en-us/tag/fake-apps/" class="category-tag-pill">Fake apps</a> <a href="https://news.sophos.com/en-us/tag/featured/" class="category-tag-pill">featured</a> <a href="https://news.sophos.com/en-us/tag/ios-fake-app/" class="category-tag-pill">ios fake app</a> <a href="https://news.sophos.com/en-us/tag/pig-butchering/" class="category-tag-pill">pig butchering</a> <a href="https://news.sophos.com/en-us/tag/pigbutchering/" class="category-tag-pill">PigButchering</a> <a href="https://news.sophos.com/en-us/tag/shazhupan/" class="category-tag-pill">ShaZhuPan</a> <a href="https://news.sophos.com/en-us/tag/sophos-x-ops/" class="category-tag-pill">Sophos X-Ops</a> </div> </div> </div> </header> <div class="container md:my-16 xl:my-24 my-8"> <div class="entry-content lg:prose-lg mx-auto prose max-w-4xl"> <p> </p> <p>CryptoRom is a romance-centered approach to financial fraud and a form of what is also known as “pig butchering” or “sha zhu pan” (杀猪盘, literally “pig butchering plate”). This type of fraud uses social engineering in combination with counterfeit financial applications and websites to ensnare victims and steal their money. For the past two years, we’ve <a href="https://news.sophos.com/en-us/2021/05/12/fake-android-and-ios-apps-disguise-as-trading-and-cryptocurrency-apps/">researched</a> such scams, and have examined ways that their operators have evaded Apple’s security checks by avoiding the app store and using ad-hoc methods to drop malicious applications onto victims’ phones. Recently, we discovered CryptoRom apps that defeated Apple’s and Google’s app-store security review processes, making their way into the official stores. Victims of the scam alerted us to the applications and shared details of the criminal operations behind them. In the process of researching the applications, we found other apps and uncovered information about the organizations behind these scam operations.</p> <p>In both cases, victims were approached through dating applications (Facebook and Tinder). They were then asked to move their conversation to WhatsApp, where they were eventually lured into downloading the apps discussed in this report. While the highly developed profiles and backstories used to lure the victims into trusting the guidance provided by the criminals set the table for these scams, the ability to publish the apps used in these schemes in the official stores significantly contributed to their perceived credibility in the eyes of victims.</p> <p>Both Apple and Google have been notified about these apps. Apple’s security team promptly removed them from that app store. Google recently removed the app we reported from the Play store as well.</p> <p><strong>Luring victims through dating apps</strong></p> <p>In the first case we investigated, the victim was based in Switzerland. The target met his “potential partner,” a person or persons who used a profile of a woman purportedly based in London, through Facebook Dating. As seen in the other cases, the scammer’s Facebook profile was replete with photos seeming to show a lavish lifestyle, including photos of high-end restaurants, expensive shops and destinations, and near-perfect and professional-looking selfies. It is very likely that the profile contents were purchased from a third-party vendor or were stolen from the internet.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png"><img decoding="async" class="alignnone size-full wp-image-89470" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png" alt="A dozen small screen captures of photos sent by the persona showing "her" lifestyle (nice meals and wines, a day at the beach) and the persona "herself" -- a young-looking woman." width="640" height="208" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png 1255w, https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png?resize=300,98 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png?resize=768,250 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-01.png?resize=1024,333 1024w" sizes="(max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 1: The daily “life” of a nonexistent woman; some images were probably created by the scammers or by a paid provider, while others were likely stolen from elsewhere on the internet</em></p> <p>To maintain the appearance of being from London, the criminals behind the profile posted events from BBC News, such as Queen Elizabeth II’s funeral, on the persona’s Facebook timeline. The persona also “liked” and followed organizations that indicated interest in the BBC and well-known Western companies.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png"><img decoding="async" class="alignnone size-full wp-image-89471" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png" alt="A screen showing the persona's check-ins (Switzerland) and likes (BBC News, BMW, Cisco, Denner). These are used to give the persona credibility and enhance the larger social-engineering effort." width="640" height="334" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png 1600w, https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png?resize=300,157 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png?resize=768,401 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png?resize=1024,535 1024w, https://news.sophos.com/wp-content/uploads/2023/01/figure-02.png?resize=1536,803 1536w" sizes="(max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 2: Check-ins and likes in the persona’s profile helped the scammers build credibility for their creation</em></p> <p>After establishing a rapport, the criminals behind the profile told the victim that “her” uncle worked for a financial analysis firm, and invited the victim to do cryptocurrency trading together. At this point the scammers sent the victim a link to the fake application in the Apple app store. They instructed the victim in how to start “investing” with the application, telling them to transfer money to the Binance crypto exchange and then from Binance to the fake application.</p> <p>Initially, the victim was able to withdraw small amounts of cryptocurrency. But later, when the victim wanted to withdraw larger amounts, the account got locked and was told through a “customer support” chat in the application to pay a 20% fee (as shown in Figure 3) to access the cryptocurrency.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-03.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89472" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-03.png" alt="A screen capture, lightly redacted by Sophos, showing what the victim sees at the blow-off for the CyptoRom scam. It reads: "Hello, dear user, your ID card information has been verified. You also need your own account wallet to deposit USDT with 20% of the account balance (deposit USDT). The system will be suitable for all your account information. After the completion, the manual customer service will handle the temporary account lock release for you."" width="414" height="288" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-03.png 414w, https://news.sophos.com/wp-content/uploads/2023/01/figure-03.png?resize=300,209 300w" sizes="auto, (max-width: 414px) 100vw, 414px" /></a></p> <p><em>Figure 3: Once trust in the fake application has been established, the victim’s ability to withdraw money is suddenly “locked”</em></p> <p>The second victim followed a similar path, with the difference that initial contact was through Tinder. The scammer asked to move the conversation to WhatsApp, and then prompted the victim to download a different fake app from the iOS App Store. The victim caught onto the scam, but only after losing $4,000 USD.</p> <p><strong>Fake Apps in Apple App Store</strong></p> <p>Previously, iOS apps we’ve seen associated with CryptoRom / pig butchering scams were deployed from outside the official Apple App Store via ad hoc distribution services. In order to get victims to install them, the criminals behind the scams had to use social engineering— they had to convince the victims to install a configuration profile to enable app installation, a process that could potentially spook many targets. But in cases we’ve investigated recently, applications used by the scammers were successfully placed into the Apple App Store, greatly reducing the amount of social engineering required to get the application onto victims’ devices.</p> <p>The first of these applications appeared on first inspection to have no connection to cryptocurrency; called “Ace Pro,” the app was described in its app-store page as a QR code-checking application.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89473" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png" alt="A screen capture from Apple's app store, showing the Ace Pro app on offer (since removed)." width="640" height="477" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png 1502w, https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png?resize=300,224 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png?resize=768,573 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-04.png?resize=1024,764 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 4: The app-store download page for Ace Pro, since removed </em></p> <p>The machine translation of the text (from Slovak):</p> <pre>"Ace Pro" per application, which converts QR code information of fast driving through driving information. It's simple to upload and easy to use. It can transform your train information very well, allowing you to quickly pass through the ride. Save time..."</pre> <p>The privacy policy for the application also describes it as a “QR Check” application.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89474" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png" alt="The "privacy policy" for the app, reading: Cynthia St-Pierre built the QR Check app as a Free app. This SERVICE is provided by Cynthia St-Pierre at no cost and is intended for use as-is. This page is used to inform visitors regarding my policies with the collection, use, and disclosure of Personal Information if anyone decided to use my Service."" width="640" height="96" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png 1584w, https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png?resize=300,45 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png?resize=768,115 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png?resize=1024,154 1024w, https://news.sophos.com/wp-content/uploads/2023/01/figure-05.png?resize=1536,231 1536w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 5: The Ace Pro privacy policy</em></p> <p>The second CryptoRom application we discovered in Apple’s app store was called “MBM_BitScan,” described in the store listing as a real-time data tracker for cryptocurrencies. But it also has a fake cryptotrading interface. One victim lost around $4000 to this fake application.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89475" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png" alt="The MBM_BitScan app as seen on Apple's store before the app was removed. There are multiple iPhone screenshots showing the app's "trading" interface and setting screens." width="640" height="499" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png 1036w, https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png?resize=300,234 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png?resize=768,598 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-06.png?resize=1024,798 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 6: The app-store download page for MBM_BitScan, since removed</em></p> <p>Both of these applications managed to get past the Apple App Store review process. All applications that are installed via the Apple App Store <a href="https://developer.apple.com/support/code-signing/">must be signed by the developer using a certificate provided by Apple</a>, and must go through a stringent review process to verify that they follow the App Store <a href="https://developer.apple.com/app-store/review/guidelines/">guidelines.</a></p> <p>If criminals can get past these checks, they have the potential to reach millions of devices. This is what makes it more dangerous for CryptoRom victims, as most of those targets are more likely to trust the source if it comes from the official Apple App Store.</p> <h3><strong>Evading App Store Review</strong></h3> <p><a href="https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89484" src="https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png" alt="A chart visually recapping the subversion of the app-approval process, which is described below in text." width="640" height="360" srcset="https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png 1280w, https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png?resize=300,169 300w, https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png?resize=768,432 768w, https://news.sophos.com/wp-content/uploads/2022/12/figure-07.png?resize=1024,576 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 7: How fraudulent applications likely evaded the Apple review process.</em></p> <p>Both the apps we found used remote content to provide their malicious functionality—content that was likely concealed until after App Store review was complete.</p> <p>In the case of the Ace Pro app, the malicious developers inserted code related to QR checking and other iOS app library code in the app to make it appear legitimate to reviewers. But when the app is launched, it sends a request to an Asian-registered domain (rest[.]apizza[.]net), which responds with content from another host (acedealex[.]xyz/wap). It is this response that delivers the fake CryptoRom trading interface. It is likely that the criminals used a legitimate-looking site for responses at the time of the app review, switching to the CryptoRom URL later.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89476" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png" alt="Split-screen image showing analysis of the specific web request from the Ace Pro app. On the left, the call to rest-dot-apizza-dot-net is visible. On the right, the returned data includes a link to a page on acedealex-dot-sys." width="640" height="190" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png 1372w, https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png?resize=300,89 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png?resize=768,228 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-08.png?resize=1024,305 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 8: </em><em>The captured web request and response from the Ace Pro app</em></p> <p>The MBM_BitScan app uses a similar approach. On execution, it sends a JSON request to a command-and-control (C2) server hosted on Amazon Web Services, and gets a response from a domain called flyerbit8(.)com —a domain crafted to look like that of legitimate Japanese bitcoin vendor <a href="https://bitflyer.com/en-eu/">bitFlyer</a>:</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89477" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png" alt="Split-screen image showing analysis of the specific web request from the MBM_BitScan app. On the left, the call to the "flyerbit" AWS instance is visible; on the right, the returned data includes a link to flyerbit8-dot-com-whack-home." width="640" height="271" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png 1458w, https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png?resize=300,127 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png?resize=768,326 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-09.png?resize=1024,434 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 9: </em><em>The web request made by the MBM_BitScan app, and the response delivering the JSON package containing the URL of the malicious website serving up the fake trading app</em></p> <p>This review evasion technique, which is connected to click-fraud malware, has been seen previously by other researchers in fake iOS applications dating back to 2019 .</p> <h3><strong>Fake Crypto Interfaces</strong></h3> <p>The remote content displayed within these applications is similar to other CryptoRom and pig butchering scam applications we’ve seen. Both have a working-but-fake trading interface with the purported ability to deposit and withdraw currency, as well as a built-in customer service function. But all the deposits go into the crooks’ pockets rather than an actual trading account.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89478" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png" alt="Multiple screen captures showing the Ace Pro interface, including account-management options and market pricing for various cryptocurrencies." width="640" height="367" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png 1600w, https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png?resize=300,172 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png?resize=768,441 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png?resize=1024,588 1024w, https://news.sophos.com/wp-content/uploads/2023/01/figure-10.png?resize=1536,881 1536w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 10: </em><em>The trading interface in the Ace Pro app</em></p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-11.jpeg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89479" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-11.jpeg" alt="A screen capture from a phone showing the "buy crypto" option on MBM_BitScan, including various numbers indicating market movement among BitCoin, Ethereum, and other currencies." width="638" height="1103" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-11.jpeg 638w, https://news.sophos.com/wp-content/uploads/2023/01/figure-11.jpeg?resize=174,300 174w, https://news.sophos.com/wp-content/uploads/2023/01/figure-11.jpeg?resize=592,1024 592w" sizes="auto, (max-width: 638px) 100vw, 638px" /></a></p> <p><em>Figure 11: The MBM_BitScan</em><em> fake-application interface, with an option to buy crypto</em></p> <p>Because these trading interfaces are loaded at runtime, and because the entirety of the malicious content of the applications resides on the web server and not in application code, it is challenging for app stores to review and find these fake applications. They’re difficult to identify as fraudulent by reviewers by just viewing the code. And since they will likely only be used by people targeted by the scams, they will only get reported by targeted users who are familiar with legitimate versions of the applications and have an understanding of cryptocurrency. Because of these factors, these types of fake applications will continue to pose a significant challenge to Apple’s app security reviewers.</p> <p><strong>Google Play Store application </strong></p> <p>The Google Play Store version of MBM_BitScan has a different vendor name and different title than that of the Apple version. However, it communicates with the same C2 as the iOS version of the app, and likewise accesses the domain that hosts the fake trading interface via JSON. It receives flyerbit8<dot>com, which as noted above resembles the legitimate Japanese crypto firm bitFlyer. Everything else is handled in the web interface.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-12.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89480" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-12.png" alt="Screen captures from an Android phone showing the "BitScan" interface and the installation page on Google's app store." width="640" height="603" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-12.png 741w, https://news.sophos.com/wp-content/uploads/2023/01/figure-12.png?resize=300,283 300w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 12: The MBM_BitScan app as seen on Google Play Store</em></p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89483" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png" alt="A code snippet showing the JSON data retrieved via an AWS-based URL." width="640" height="88" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png 1203w, https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png?resize=300,41 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png?resize=768,105 768w, https://news.sophos.com/wp-content/uploads/2023/01/figure-12a.png?resize=1024,140 1024w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 13: The Android version of the MBM_BitScan app’s getUrl method, with an AWS-based URL that fetches the JSON data containing the CryptoRom interface</em></p> <p><strong>The actors behind CryptoRom rings</strong></p> <p>CryptoRom and other forms of “pig butchering” <a href="https://m-fx361-com.translate.goog/news/2020/1210/7315273.html?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc">initially targeted</a> people in China and Taiwan. Early scams focused on online gambling with insider information, using similar tactics to CryptoRom. Over the course of the COVID-19 pandemic, the scams expanded globally and evolved into fraudulent foreign exchange and cryptocurrency trading. We are tracking this threat actor as the “ShaZhuPan” group.</p> <p>When Chinese authorities started cracking down on these scams and prosecuted some perpetrators, some of the gangs behind them fled to smaller southeast Asian countries, including <a href="https://www.latimes.com/world-nation/story/2022-11-01/i-was-a-slave-up-to-100-000-held-captive-by-chinese-cyber-criminals-in-cambodia">Cambodia</a>, where they now <a href="https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking">operate</a> in special economic zones (<a href="https://m-fx361-com.translate.goog/news/2020/1210/7315273.html?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc">SEZ</a>).</p> <p>According to <a href="http://www.xinhuanet.com/legal/2020-08/03/c_1126316375.htm">reports</a> by Chinese law enforcement organizations who <a href="https://doi.org/10.1080/15564886.2022.2051109">targeted</a> these operations in China, CryptoRom groups follow a business structure that mimics a corporate organizational model. At the top is a head office, which does supervision and money laundering. The head office sub-contracts scam operations to affiliate organizations. These franchise operations, also called agents, have their own division of labor:</p> <ul> <li>The “front desk” team handles logistics, human trafficking (more on this below) of new workers, and site management.</li> <li>The tech team handles websites and applications.</li> <li>The finance team handles the local finance operations; profits are divided 40:60 between the head office and franchise.</li> <li>Keyboarders are at the bottom of the crime chain and are the ones that do the majority of interaction with the victims.</li> </ul> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-13.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89481" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-13.png" alt="A flow chart showing in a visual format the information given in the bullet list above." width="640" height="427" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-13.png 847w, https://news.sophos.com/wp-content/uploads/2023/01/figure-13.png?resize=300,200 300w, https://news.sophos.com/wp-content/uploads/2023/01/figure-13.png?resize=768,512 768w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 14: The org chart of a typical pig-butchering group</em></p> <p>During Covid-19, many <a href="https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking">underdeveloped</a> countries did not have jobs or sufficient social benefits to support those affected by economic disruptions. This pushed many young people into taking job offers in other countries’ special economic zones that promised high pay. Many of these were fraudulent job offers tied to pig-butchering rings; when workers <a href="https://www.financialexpress.com/india-news/held-captive-forced-to-commit-cyber-fraud-over-100-indians-rescued-from-fake-job-scam-in-myanmar-cambodia/2703912/">arrive</a><u>d</u>, they were transported to CryptoRom centers and had their passports confiscated.</p> <p>Often, keyboarders are these trafficked victims, brought from countries like China, Malaysia and <a href="https://www.financialexpress.com/india-news/held-captive-forced-to-commit-cyber-fraud-over-100-indians-rescued-from-fake-job-scam-in-myanmar-cambodia/2703912/">India</a> with the promise of better-paid jobs. They are trained with pre-written scripts with instructions on how to interact, what to say to their victims, and how to bring them into investing. If they want to leave or do not follow the script, they are reportedly subjected to <a href="https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking">violence</a>.</p> <p><a href="https://news.sophos.com/wp-content/uploads/2023/01/figure-14.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-89482" src="https://news.sophos.com/wp-content/uploads/2023/01/figure-14.png" alt="A page of scripted dialogue from a handbook for keyboarders working a CryptoRom scam. The text in the image is auto-translated and describes the "cut-in method" guiding the conversation to putting money into the scam while giving assurances that the keyboarder is actually the scam "persona" living an exciting and wealthy life." width="640" height="818" srcset="https://news.sophos.com/wp-content/uploads/2023/01/figure-14.png 715w, https://news.sophos.com/wp-content/uploads/2023/01/figure-14.png?resize=235,300 235w" sizes="auto, (max-width: 640px) 100vw, 640px" /></a></p> <p><em>Figure 15: </em><em>Translated training manual posted on Reddit by a former keyboarder</em></p> <p><strong>Why do victims fall for this?</strong></p> <p>One of the questions that comes to everyone’s mind when reading these articles about people losing money to CryptoRom is, “Why do they do this?” Why do victims put so much money into these scams in spite of the many red flags along the way — especially when they have not even met the person face to face?</p> <p>It’s easy to quickly judge them, but it’s wrong to dismiss the victims of these scams without understanding the circumstances that led them to fall for the schemes. After discussions with a number of victims and reviewing public postings by others, we identified some of the potential reasons they overlooked the threats. Many of the victims (both men and women) were well-educated; some even had PhDs. They were swayed by the persuasion techniques used in these scams:</p> <ul> <li>The length of engagement — the scammers can spend several months gaining the trust of the victim, chatting with them, greeting them, and sending images of typical day-to-day life. The victims may be less likely to research elements of the scam because of the persistence of the contact with the scammers.</li> <li>The proof of an initial withdrawal — the victims were convinced by the fact that they were allowed by the scam to withdraw money from initial transactions. This tactic is a well-worn method also used by traditional Ponzi schemes to make the confidence scam seem more authentic.</li> <li>Mirroring of transactions – The scammers use screen shots of the fake app to show that they are doing the same thing that they are asking the victim to do, and show the (fake) profits that they are making. They ask the victim to do the same transactions, while convincing them to increase their deposit into the fake marketplace.</li> <li>Fake lending – When victims have to pay fake tax, as a final blow, they pretend to pay half the tax bill for the victim and ask the victim to bring the other half.</li> </ul> <p>There are other contributing factors making the victims potentially more open to persuasion:</p> <ul> <li>Emotional vulnerability — Most of them were vulnerable to emotional manipulation. In many cases, the victims were men or women who had experienced some sort of major life change. Some had been unsuccessful in the dating pool, were recently widowed, or had experienced a major illness.</li> <li>The rise of app-based finance – The emergence of “FinTech” (finance technology) companies without physical branches over the past few years has made it more difficult to spot the fake ones– especially when they’re presented by someone trusted.</li> <li>Platform trust – Finally, and perhaps most importantly, victims trust Apple and Google, which claim to verify and check all the applications distributed by their app stores.</li> </ul> <p><strong>Removing a CryptoRom App</strong></p> <p>If you installed a CryptoRom app through any app store, please just delete the application. On Apple devices:</p> <ol> <li style="list-style-type: none"> <ol> <li>Touch and hold the app until it jiggles.</li> <li>Then tap the delete button (the X) in the upper-left corner of the app to delete it. If you see a message that says, “Deleting this app will also delete its data,” tap Delete.</li> </ol> </li> </ol> <p>If you installed the profile from outside the app store using a profile, these steps are recommended by Apple’s <a href="https://support.apple.com/en-gb/HT205347">documentation:</a></p> <ol> <li>If the app has a configuration profile, delete it if you installed it <ul> <li>Go to Settings > General > Profiles or Profiles & Device Management,* then tap the app’s configuration profile.</li> <li>Then tap Delete Profile. If asked, enter your device passcode, then tap Delete.</li> </ul> </li> <li>Restart your iPhone.</li> </ol> <p>* If you don’t see this option in Settings, then no device management profiles are installed on your device.</p> <p>For Android users, from your phone you can <a href="https://support.google.com/android/answer/2521768">delete the app</a> from within the Google Play Store, or do the following:</p> <ol> <li>Long-press the app icon until the Select / Add to Home / Uninstall popup appears. Tap “Uninstall” (on the right).</li> <li>When the popup asked “Do you want to uninstall this app?,” choose “OK.”</li> <li>Confirm that the app is gone by going to “Settings” (the gear in the upper right corner of your screen), clicking on “Apps,” and scrolling to confirm that the app has not lingered.</li> </ol> <p><strong>Are you a victim and want us to check your app or URL?</strong></p> <p>If you have experienced this type of fraud or wish to report suspicious applications or URLs connected to CryptoRom or other malware <strong>at no cost</strong>, please reach out directly via Twitter to <a href="https://twitter.com/jag_chandra">@jag_chandra.</a></p> <p>SophosLabs would like to acknowledge <strong>Xinran Wu and Szabolcs Lévai</strong> for their contribution to this article.</p> <p> </p> <p>IOCs</p> <p>App URL – https://apps.apple.com/US/app/id1642848412</p> <p>ID – com.QRCheck.APP</p> <p class="xmsonormal">IPA – c336394b1600fc713ce65017ebf69d59e352c8d9how</p> </div> <div class="mt-12"> <ul id="social-sharing" class="flex justify-center items-center space-x-6" > <li class="facebook"> <a class="js-share-modal" href="http://www.facebook.com/share.php?u=https://news.sophos.com/?p=87362&title=Fraudulent%20“CryptoRom”%20trading%20apps%20sneak%20into%20Apple%20and%20Google%20app%20stores" data-title="Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores" title="Share on Facebook"> <span class="sr-only">Share on Facebook</span> <svg width="8" height="16" xmlns="http://www.w3.org/2000/svg" class="text-sophos-gray-600 hover:text-black" fill="currentColor" > <path d="M7.145 8.006H4.903V16H1.581V8.006H0V5.182h1.581V3.354C1.581 2.045 2.202 0 4.933 0l2.461.01v2.742H5.608c-.291 0-.705.145-.705.77v1.66h2.533l-.291 2.824z" fill-rule="nonzero"/> </svg> </a> </li> <li class="twitter"> <a class="js-share-modal" href="http://twitter.com/intent/tweet?text=Fraudulent%20%E2%80%9CCryptoRom%E2%80%9D%20trading%20apps%20sneak%20into%20Apple%20and%20Google%20app%20stores%20https%3A%2F%2Fnews.sophos.com%2F%3Fp%3D87362" data-title="" title="Share on X"> <span class="sr-only">Share on X</span> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" class="text-sophos-gray-600 hover:text-black" fill="currentColor" > <path d="M12.163 1.5h2.206L9.55 7.006l5.669 7.494H10.78L7.303 9.956 3.328 14.5h-2.21l5.154-5.89L.838 1.5h4.55l3.14 4.153zm-.776 11.681h1.222L4.722 2.75H3.409z"/> </svg> </a> </li> <li class="linkedin"> <a href="http://www.linkedin.com/shareArticle?mini=true&url=https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/" data-title="Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores" title="Share on LinkedIn" onclick="window.open(this.href, '', 'left=20,top=20,width=500,height=500,toolbar=1,resizable=0'); return false;"> <span class="sr-only">Share on LinkedIn</span> <svg width="16" height="16" xmlns="http://www.w3.org/2000/svg" class="text-sophos-gray-600 hover:text-black" fill="currentColor" > <path d="M16 15.293h-3.43v-5.52c0-1.386-.496-2.334-1.738-2.334-.946 0-1.512.64-1.76 1.256-.09.22-.113.526-.113.836v5.762H5.53s.044-9.35 0-10.316h3.43v1.46c.456-.705 1.27-1.703 3.091-1.703 2.256 0 3.95 1.473 3.95 4.643v5.916zM1.917 3.566h-.022C.745 3.566 0 2.773 0 1.783 0 .772.768 0 1.94 0c1.173 0 1.896.772 1.917 1.783 0 .99-.744 1.783-1.94 1.783zM.202 15.293h3.431V4.977H.203v10.316z" fill-rule="nonzero"/> </svg> </a> </li> <li class="comments"> <a href="#comments" title="Leave a Reply" class="flex items-center space-x-1" > <svg width="16" height="16" xmlns="http://www.w3.org/2000/svg" class="text-sophos-gray-600 hover:text-black" fill="currentColor" > <path d="M8.5 0a7.5 7.5 0 11-3.916 13.898C3.317 15.273 1.773 15.36.256 15.135c1.011-1.185 1.678-2.357 2-3.517l-.007.027A7.5 7.5 0 018.5 0z" fill-rule="evenodd"/> </svg> </a> </li> </ul> </div> </div> </article> <div class="container my-8 md:my-16"> <div class="max-w-4xl mx-auto"> <div class="article-author-block article-co-authors-block"> <div class="author-block"> <div class="author-block__profile"> <img alt='' src='https://news.sophos.com/wp-content/themes/sophosnews-2017/img/avatars/avatar-three.png' class='avatar avatar-400 photo' height='400' width='400' /> </div>  <div class="author-block__wrapper"> <div class="author-block__content"> <div class="author-block__about"> About the Author </div> <h3 class="author-block__name"> <a href="https://news.sophos.com/en-us/author/jagadeesh-chandraiah/" title="Posts by Jagadeesh Chandraiah" class="author url fn" rel="author">Jagadeesh Chandraiah</a> </h3> <div class="author-block__bio"> <p>Jagadeesh Chandraiah is a nine-year veteran of SophosLabs, specializing in Windows and mobile malware analysis. Jagadeesh regularly presents his research at international security conferences like DeepSec, AVAR, CARO, and Virus Bulletin. Outside of work, Jagadeesh enjoys playing badminton.</p> </div>  </div> </div> </div>  </div> </div> </div> <div class="pb-24 bg-white"> <div class="container"> <div class="max-w-5xl mx-auto"> <h3 class="text-style-h2 md:my-8 my-4"> Read Similar Articles </h3> <div class="article-grid article-grid--3-column">  <article id="post-82205" class="hover:shadow-lg dark:bg-sophos-gray-900 border-sophos-gray-200 flex flex-col overflow-hidden text-gray-700 transition-all bg-white border rounded-md shadow-md post-82205 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-research tag-cryptocurrency-fraud tag-cryptorom tag-fake-apps tag-fake-crypto tag-featured tag-iphone-malware tag-security-operations tag-shazhupan region-en-us">  <a class="aspect-w-16 aspect-h-9 flex block bg-gray-400 bg-right bg-no-repeat bg-cover" href="https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/" rel="bookmark" style=" background-image: url('https://news.sophos.com/wp-content/uploads/2022/03/heartlocks.jpg?w=640'); " ></a>  <div class="flex flex-col justify-between flex-grow">  <div class="sm:px-8 sm:py-8 p-4 py-6">  <div class="text-sophos-blue-600 font-sansMedium mb-2 text-xs leading-tight uppercase truncate" > March 16, 2022 </div>  <h2 class="text-style-h2 line-clamp-3 sm:mb-4 sm:text-2xl sm:leading-snug text-lg leading-tight text-gray-700"><a href="https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/" rel="bookmark" class="dark:text-white font-sansSemiBold font-semibold text-gray-900 no-underline cursor-pointer">CryptoRom Bitcoin swindlers continue to target vulnerable iPhone and Android users</a></h2>  </div> </div> </article>  <article id="post-77194" class="hover:shadow-lg dark:bg-sophos-gray-900 border-sophos-gray-200 flex flex-col overflow-hidden text-gray-700 transition-all bg-white border rounded-md shadow-md post-77194 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-research tag-apple tag-apple-developer-enterprise-program tag-cryptorom tag-featured tag-ios tag-ios-fake-app tag-iphone-malware tag-shazhupan tag-super-signature region-en-us">  <a class="aspect-w-16 aspect-h-9 flex block bg-gray-400 bg-right bg-no-repeat bg-cover" href="https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/" rel="bookmark" style=" background-image: url('https://news.sophos.com/wp-content/uploads/2019/10/iphone.png?w=640'); " ></a>  <div class="flex flex-col justify-between flex-grow">  <div class="sm:px-8 sm:py-8 p-4 py-6">  <div class="text-sophos-blue-600 font-sansMedium mb-2 text-xs leading-tight uppercase truncate" > October 13, 2021 </div>  <h2 class="text-style-h2 line-clamp-3 sm:mb-4 sm:text-2xl sm:leading-snug text-lg leading-tight text-gray-700"><a href="https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/" rel="bookmark" class="dark:text-white font-sansSemiBold font-semibold text-gray-900 no-underline cursor-pointer">CryptoRom fake iOS cryptocurrency apps hit US, European victims for at least $1.4 million</a></h2>  </div> </div> </article>  <article id="post-73764" class="hover:shadow-lg dark:bg-sophos-gray-900 border-sophos-gray-200 flex flex-col overflow-hidden text-gray-700 transition-all bg-white border rounded-md shadow-md post-73764 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-research tag-android-malware tag-cryptorom tag-fake-apps tag-fake-crypto tag-ios-malware tag-ios-mdm-abuse tag-pigbutchering tag-romancescam tag-shazhupan region-en-us">  <a class="aspect-w-16 aspect-h-9 flex block bg-gray-400 bg-right bg-no-repeat bg-cover" href="https://news.sophos.com/en-us/2021/05/12/fake-android-and-ios-apps-disguise-as-trading-and-cryptocurrency-apps/" rel="bookmark" style=" background-image: url('https://news.sophos.com/wp-content/uploads/2021/05/cadef400-151f-11ea-91a1-7e0f83e7b2cf.jpeg?w=640'); " ></a>  <div class="flex flex-col justify-between flex-grow">  <div class="sm:px-8 sm:py-8 p-4 py-6">  <div class="text-sophos-blue-600 font-sansMedium mb-2 text-xs leading-tight uppercase truncate" > May 12, 2021 </div>  <h2 class="text-style-h2 line-clamp-3 sm:mb-4 sm:text-2xl sm:leading-snug text-lg leading-tight text-gray-700"><a href="https://news.sophos.com/en-us/2021/05/12/fake-android-and-ios-apps-disguise-as-trading-and-cryptocurrency-apps/" rel="bookmark" class="dark:text-white font-sansSemiBold font-semibold text-gray-900 no-underline cursor-pointer">Fake Android and iOS apps disguise as trading and cryptocurrency apps</a></h2>  </div> </div> </article> </div> </div> </div> </div>  </main> </div> </div>  <div class="bg-sophos-gray-50 md:py-16 px-4 pb-4 pt-8"> <div class="container max-w-2xl" x-show="!subscribed"> <div class="text-style-h2-lg"> Subscribe to get the latest updates in your inbox. </div> <div id="mc_embed_shell"> <link href="//cdn-images.mailchimp.com/embedcode/classic-061523.css" rel="stylesheet" type="text/css"> <style type="text/css"> /* Add your own Mailchimp form style overrides in your site stylesheet or in this style block. We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. */ #mc_embed_signup form, #mc_embed_signup #mc-embedded-subscribe-form div.mce_inline_error { margin:0; background: transparent; } #mc_embed_signup input { border-color: rgba(240, 242, 244, var(--tw-border-opacity)); } #mc_embed_signup input#mc-embedded-subscribe { border-radius: 9999px; } #mc-embedded-subscribe { margin-left:0; } #mc_embed_signup .mc-field-group.input-group input { height:1rem; width:1rem; } #mc_embed_signup #mc-embedded-subscribe-form input.mce_inline_error { border-color: rgba( 209, 213, 219, var( --tw-border-opacity ) );} #mc_embed_signup #mce-success-response { display: block; color: #fff; font-weight: normal; padding: .75rem 1rem; margin: 0; } #mc_embed_signup div#mce-responses { padding: 0; width: 100%; margin: .5rem 0; } #mc_embed_signup div.response { width:100%; padding: .75rem 1rem; font-weight: normal; } </style> <div id="mc_embed_signup"> <form action="https://sophos.us2.list-manage.com/subscribe/post?u=2a2849a8c809119f4bd4929cc&id=8d6471d831&f_id=007062e1f0" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank"> <div id="mc_embed_signup_scroll"> <div class="mc-field-group"> <input type="email" name="EMAIL" class="required email" id="mce-EMAIL" required="" value="" placeholder="name@email.com"> <div id="mce-responses" class="clear flex flex-col my-6"> <div class="response font-sansMedium px-4 py-3 mt-2 text-sm font-medium text-white bg-black border rounded-md" id="mce-error-response" style="display: none;"></div> <div class="response font-sansMedium px-4 py-3 mt-2 text-sm font-medium text-white bg-black border rounded-md" id="mce-success-response" style="display: none;"></div> </div> </div> <div class="mc-field-group input-group mb-4 text-lg"> Which categories are you interested in? <ul> <li><input type="checkbox" name="group[3][1]" id="mce-group[3]-3-0" value=""><label for="mce-group[3]-3-0" class="text-style-form-label ml-2">Products and Services</label></li> <li><input type="checkbox" name="group[3][2]" id="mce-group[3]-3-1" value=""><label for="mce-group[3]-3-1" class="text-style-form-label ml-2">Threat Research</label></li> <li><input type="checkbox" name="group[3][4]" id="mce-group[3]-3-2" value=""><label for="mce-group[3]-3-2" class="text-style-form-label ml-2">Security Operations</label></li> <li><input type="checkbox" name="group[3][8]" id="mce-group[3]-3-3" value=""><label for="mce-group[3]-3-3" class="text-style-form-label ml-2">AI Research</label></li> <li><input type="checkbox" name="group[3][16]" id="mce-group[3]-3-4" value=""><label for="mce-group[3]-3-4" class="text-style-form-label ml-2">#SophosLife</label></li> </ul> </div> <div aria-hidden="true" style="position: absolute; left: -5000px;"> <input type="text" name="b_2a2849a8c809119f4bd4929cc_8d6471d831" tabindex="-1" value=""> </div> <div class="clear"> <input type="submit" name="subscribe" id="mc-embedded-subscribe" class="round-button round-button--primary" value="Subscribe"> </div> </div> </form> </div> </div> </div> </div> <footer class="bg-white border-t border-sophos-gray-200 " x-data="{ languageMenu: false, privacyMenu: false, legalMenu: false }" > <div class="container"> <div class="md:flex-row md:items-center flex flex-col justify-between py-8"> <div class="flex items-baseline flex-grow space-x-6">  <div class="relative mr-auto"> <a href="#" class="whitespace-nowrap font-sansMedium text-sophos-gray-600 inline-block text-xs font-medium leading-tight" @click.prevent="languageMenu = !languageMenu" @click.away="languageMenu = false" > Change Region <svg xmlns="http://www.w3.org/2000/svg" width="8" height="4" class="inline-block transition-transform transform" :class="{'rotate-180': languageMenu }" > <path fill="#7F8C9D" fill-rule="evenodd" d="M4 2.178L5.915.262a.708.708 0 01.996 0 .702.702 0 010 .995L4.75 3.415A.7.7 0 014 3.94a.702.702 0 01-.751-.524l-2.16-2.158a.702.702 0 11.996-.995L4 2.178z" /> </svg> </a>  <div class="focus:outline-none border-sophos-gray-200 absolute bottom-0 left-0 w-48 px-4 py-1 py-4 mb-8 -ml-4 origin-bottom-left bg-white border rounded-md shadow-md" role="menu" aria-orientation="vertical" aria-labelledby="user-menu" x-show="languageMenu" x-cloak x-transition:enter="transition-all ease-out duration-100" x-transition:enter-start="transform opacity-0 scale-95" x-transition:enter-end="transform opacity-100 scale-100" x-transition:leave="transition ease-in duration-75" x-transition:leave-start="transform opacity-100 scale-100" x-transition:leave-end="transform opacity-0 scale-95" > <ul class="font-sansMedium text-sophos-gray-600 space-y-1 text-xs font-medium" > <li> <a href="https://news.sophos.com/es-419"> América Latina </a> </li> <li> <a href="https://news.sophos.com/pt-br"> Brasil </a> </li> <li> <a href="https://news.sophos.com/de-de"> Deutschland </a> </li> <li> <a href="https://news.sophos.com/en-us"> English </a> </li> <li> <a href="https://news.sophos.com/fr-fr"> France </a> </li> <li> <a href="https://news.sophos.com/es-es"> Iberia </a> </li> <li> <a href="https://news.sophos.com/it-it"> Italia </a> </li> <li> <a href="https://news.sophos.com/ja-jp"> Japan </a> </li> </ul> </div> </div>  <a href="https://www.sophos.com/en-us/legal/sophos-website.aspx" class="whitespace-nowrap font-sansMedium text-sophos-gray-600 inline-block ml-auto text-xs font-medium leading-tight" >Terms</a >  <span class="relative"> <a href="#" class="whitespace-nowrap font-sansMedium text-sophos-gray-600 inline-block text-xs font-medium leading-tight" @click.prevent="privacyMenu = !privacyMenu" @click.away="privacyMenu = false" > Privacy <svg xmlns="http://www.w3.org/2000/svg" width="8" height="4" class="inline-block transition-transform transform" :class="{'rotate-180': privacyMenu }" > <path fill="#7F8C9D" fill-rule="evenodd" d="M4 2.178L5.915.262a.708.708 0 01.996 0 .702.702 0 010 .995L4.75 3.415A.7.7 0 014 3.94a.702.702 0 01-.751-.524l-2.16-2.158a.702.702 0 11.996-.995L4 2.178z" /> </svg> </a> <div class="focus:outline-none border-sophos-gray-200 absolute bottom-0 left-0 w-48 px-4 py-1 py-4 mb-8 -ml-4 origin-bottom-left bg-white border rounded-md shadow-md" role="menu" aria-orientation="vertical" aria-labelledby="user-menu" x-show="privacyMenu" x-cloak x-transition:enter="transition-all ease-out duration-100" x-transition:enter-start="transform opacity-0 scale-95" x-transition:enter-end="transform opacity-100 scale-100" x-transition:leave="transition ease-in duration-75" x-transition:leave-start="transform opacity-100 scale-100" x-transition:leave-end="transform opacity-0 scale-95" > <ul class="font-sansMedium text-sophos-gray-600 space-y-1 text-xs font-medium" > <li> <a href="https://www.sophos.com/en-us/legal/sophos-group-privacy-policy.aspx" > Privacy Notice </a> </li> <li> <a href="https://www.sophos.com/en-us/legal/cookie-information.aspx" > Cookies </a> </li> </ul> </div> </span>  <span class="relative"> <a href="#" class="whitespace-nowrap font-sansMedium text-sophos-gray-600 inline-block text-xs font-medium leading-tight" @click.prevent="legalMenu = !legalMenu" @click.away="legalMenu = false" > Legal <svg xmlns="http://www.w3.org/2000/svg" width="8" height="4" class="inline-block transition-transform transform" :class="{'rotate-180': legalMenu }" > <path fill="#7F8C9D" fill-rule="evenodd" d="M4 2.178L5.915.262a.708.708 0 01.996 0 .702.702 0 010 .995L4.75 3.415A.7.7 0 014 3.94a.702.702 0 01-.751-.524l-2.16-2.158a.702.702 0 11.996-.995L4 2.178z" /> </svg> </a> <div class="focus:outline-none border-sophos-gray-200 absolute bottom-0 left-0 w-48 px-4 py-1 py-4 mb-8 -ml-4 origin-bottom-left bg-white border rounded-md shadow-md" role="menu" aria-orientation="vertical" aria-labelledby="user-menu" x-show="legalMenu" x-cloak x-transition:enter="transition-all ease-out duration-100" x-transition:enter-start="transform opacity-0 scale-95" x-transition:enter-end="transform opacity-100 scale-100" x-transition:leave="transition ease-in duration-75" x-transition:leave-start="transform opacity-100 scale-100" x-transition:leave-end="transform opacity-0 scale-95" > <ul class="font-sansMedium text-sophos-gray-600 space-y-1 text-xs font-medium" > <li> <a href="https://www.sophos.com/en-us/legal.aspx" > General </a> </li> <li> <a href="https://www.sophos.com/en-us/legal/modern-slavery-act-transparency-statement.aspx" > Modern Slavery Statement </a> </li> <li> <a href="https://secure.ethicspoint.eu/domain/media/en/gui/104916/index.html" > Speak Out </a> </li> </ul> </div> </span>  <div class="md:ml-6 mt-2 md:mt-0"> <span class="whitespace-nowrap font-sansMedium text-sophos-gray-600 inline-block text-xs font-medium leading-tight" > © 1997 - 2024 Sophos Ltd. All rights reserved </span> </div> </div> </div> </div> </div> </footer> <div id="amp-mobile-version-switcher" hidden> <a rel="" href="https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores/?amp=1"> Go to mobile version </a> </div> <script type="text/javascript" id="sophos-js-core-js-extra"> /* <![CDATA[ */ var PG8Data = {"startPage":"1","maxPages":"1","nextLink":""}; /* ]]> */ </script> <script type="text/javascript" src="https://news.sophos.com/_static/??-eJyVjFEOwiAQBS8ku0Ka1H4Yz0LIpgVlIexqPb6YXqAk72sy83CvJhRWYkXdKJOglLoVYdrFuKudMUlfl8ozkvk4cGA7gANAkgue+gilDdj01eblvH8geGt8jVfB5+rjysNh9U2Z2nC3+uHkz3r0yHc7O7dM9rZM6Qegq6BH" ></script><script type="text/javascript" src="https://unpkg.com/alpinejs@2.8.1/dist/alpine.js?ver=2.0.3" id="alpine-js-js"></script> <script type="text/javascript" src="https://news.sophos.com/wp-content/themes/sophosnews-2017/js/sophos-mc-validate.js?m=1730121999g" ></script><script type="text/javascript" src="https://stats.wp.com/e-202448.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script type="text/javascript" id="jetpack-stats-js-after"> /* <![CDATA[ */ _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"166161023\",\"post\":\"87362\",\"tz\":\"-5\",\"srv\":\"news.sophos.com\",\"hp\":\"vip\",\"j\":\"1:14.0\"}") ]); _stq.push([ "clickTrackerInit", "166161023", "87362" ]); /* ]]> */ </script> </body> </html>