By Joon Hoong Wong, Country Manager, Sophos Malaysia
The Royal Malaysia Police recently reported that there were 98,607 instances of online fraud between 2017 and 2021 totalling RM3.3 billion. According to this report, love scams are one of the leading ways Malaysians are tricked out of handing over their money.
Given this, it is no surprise that Sophos, as a global cybersecurity leader, has uncovered new insight into the art of the romance swindle through an international cryptocurrency trading scam called CryptoRom. The new research by Jagadeesh Chandraiah, senior threat researcher at SophosLabs, is based on first-hand accounts shared with Sophos by victims of the scam, which targets iPhone and Android users through popular dating apps such as Bumble and Tinder.
Criminals adopt a fake online identity to gain a victim's affection and trust. After getting them to fall in love via these dating and social media sites, the criminals persuade them into jointly "investing" in cryptocurrencies on fake versions of popular trading apps. When victims later try to withdraw their investments from these fake trading schemes, their accounts are frozen and they are charged up to hundreds of thousands of dollars in fake "profit tax" to regain access.
Here's the download on some of these fraudulent mobile apps and websites, as well as the social engineering techniques used by malware operators, including a new type of abuse leveraging Apple iOS's software distribution to bypass the App Store's security screening.
Sophos has identified that Apple's TestFlight is being abused by CryptoRom authors. This feature is used for testing the "beta" version of applications before they are submitted to the App Store for distribution. Apple supports TestFlight app distribution in two ways: smaller internal tests, where builds are sent to up to 100 users via email invitation, and larger public beta tests supporting up to 10,000 users. The smaller email-based distribution approach requires no App Store security review, while TestFlight apps shared via public web links require an initial App Store review of the build.
Unfortunately, just as Sophos has seen happen with other alternative app distribution schemes supported by Apple, "TestFlight Signature" is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.
Some of the victims who contacted Sophos reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange. We also found fake sites that posed as the cryptocurrency mining firm BitFury, peddling fake apps through TestFlight. Unsurprisingly, these apps for both Android and iOS were distributed through a fraudulent website.
The majority of the iPhone users also reported that they were lured with another approach to bypassing the App Store: they were sent URLs serving iOS WebClips. WebClips are a mobile device management payload that adds a link to a web page directly to the iOS device's home screen, making it look like a typical application and duping the users.
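To show what a defender can look for in a WebClip profile, here is an added example (not code from Sophos or the original article) that parses a constructed .mobileconfig, pulls out any managed WebClip payloads, and flags traits a lookalike "app" would exhibit: a URL outside an assumed trusted host list, a clip the user cannot remove, and full-screen mode that hides the browser address bar. The trusted host list and the sample profile are assumptions constructed for this example.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample profile (not a real scam artefact), modelled on the
# managed WebClip payload type that iOS MDM profiles use.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.webclip</string>
      <key>Label</key><string>RobinHand</string>
      <key>URL</key><string>https://trading.example.invalid/app</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed allowlist of hosts an organisation legitimately pushes as WebClips.
TRUSTED_HOSTS = {"intranet.example.com"}


def find_webclips(profile_bytes):
    """Return the managed WebClip payloads found in a .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.webClip.managed":
            clips.append({
                "label": payload.get("Label", ""),
                "url": payload.get("URL", ""),
                "removable": payload.get("IsRemovable", True),
                "full_screen": payload.get("FullScreen", False),
            })
    return clips


def assess_webclip(clip, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of human-readable findings for one WebClip payload."""
    findings = []
    host = urlparse(clip["url"]).hostname or ""
    if host not in trusted_hosts:
        findings.append(f"URL host {host!r} is not on the trusted list")
    if not clip["removable"]:
        findings.append("clip cannot be removed by the user")
    if clip["full_screen"]:
        findings.append("full-screen clip hides the browser address bar")
    return findings
```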
While investigating one of the CryptoRom URLs, Jagadeesh and the SophosLabs team found related IPs that were hosting App Store lookalike pages with a similar template, but with varying names and icons. The "apps" included one that mimics the popular Robinhood trading application, called 'RobinHand.'
In addition to the App Store pages, all these fake pages also had linked websites built from similar templates to convince users: different brands and icons, but similar web content and structure. This is probably done so the operators can quickly move on from one cryptocurrency brand to another when they get blocked or found out.
As for the Android versions of these fake apps, the trend of using easy, low-effort app development tools continues. Most of the CryptoRom-connected Android apps we have seen are essentially wrapped web applications with minimal code that connects to suspicious URLs.
These scams use a number of approaches to build a relationship with their targets without ever meeting them face to face, instead using dating sites and apps, as well as other social networking platforms, to find new victims. Sometimes contact was initiated through seemingly random WhatsApp messages offering the users investment and trading tips, including links to CryptoRom site URLs. Often these messages included promises of huge financial returns.
Because the fake apps the targets are directed to mimic popular brands, the targets are often convinced that they are transacting with legitimate companies. But the most important factor in these scams, based on online conversations, appears to be that the criminals allow targets to initially make withdrawals from the fake accounts after taking "profits." Victims are allowed to withdraw their initial investment as a confidence-building measure, but then the fake romantic partner or "friend" urges the victim to reinvest even more for a big event. To sweeten the pot, they even offer to "lend" the target a huge sum to increase the investment; since they control the back end of the app, they can inject fake deposits into accounts and create imaginary profits at will.
The scam doesn't end with just fooling victims into investing. When victims try to withdraw funds from their big "profit," the scammers use the app to inform them that they need to pay a "tax" of 20% of their profits before funds can be withdrawn, and threaten that all their investments will be confiscated by tax authorities if they do not pay.
These scams are well-organised and skilled in identifying and exploiting vulnerable users. As such, here are some of Sophos's top tips to help you stay clear of online scammers: