A global fraud campaign involving fake trading applications, published in the Apple App Store and Google Play, was recently uncovered by researchers from Group-IB. These applications and phishing sites were used to deceive victims and steal their funds.
The fraud scheme is tied to the Pig Butchering tactic, in which attackers gradually earn the trust of their victims through online interactions, whether romantic or framed as investment advice. They then persuade the victims to invest in cryptocurrency or financial instruments. Such schemes often result in victims losing their investments, and in some cases, they are coerced into making additional payments under various pretexts.
The fraudulent operation, identified by Group-IB as UniShadowTrade, has been active since mid-2023. Utilizing apps built on the UniApp Framework, the perpetrators targeted victims worldwide, including in the Asia-Pacific region, Europe, the Middle East, and Africa. One of the applications even bypassed Apple’s verification system, increasing its credibility among users.
The SBI-INT app, which has since been removed from the App Store, posed as a program for mathematical calculations and graphing, but in reality, it used a time and date check to conceal its true purpose until a specific moment. After being taken down from the official store, the attackers shifted to distributing the app through phishing websites.
To install the fake application on iOS, victims were prompted to download a “.plist” file and manually trust the developer profile. Once these steps were completed, the app became fully operational, requesting the user’s phone number and password to log in. The registration process required an invitation code, indicating a targeted deception strategy.
The entire process involves six steps, including identity verification, providing personal details, and job information. Victims are then asked to agree to the service’s terms to make investments. After depositing funds, the attackers “recommend” investing in specific financial instruments, promising high returns, and the app shows the investments growing to keep victims engaged in the scheme.
However, despite the enticing promises, any attempts to withdraw funds are blocked, and victims are asked to pay additional fees to “recover” their initial investments. In reality, the funds are stolen and transferred to the criminals’ accounts.
The cybercriminals also employ tactics to obscure their activities using built-in configurations that define the URL where the login page is hosted. This approach makes it difficult to detect and analyze the fraudulent activity.
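Two artefacts described above are useful starting points for an analyst triaging a suspected copy of such an app: the “.plist” install manifest a victim is asked to download (the over-the-air install format, whose `items` → `assets` → `url` entry names the package to be fetched), and the embedded configuration that tells the app where its login page lives. The following script is an added example, not Group-IB’s tooling or anything recovered from the campaign; the manifest, the configuration and the allowlist of known-good hosts are constructed placeholders (the `.invalid` domains are reserved and resolve nowhere). It parses both artefacts, collects every URL, and reports the hosts that are not on the allowlist so they can be blocked or submitted for takedown.

```python
import json
import plistlib
from urllib.parse import urlparse

# Constructed sample: an over-the-air (itms-services style) install manifest of the
# kind a victim is prompted to download. Every value is a placeholder.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://update.example-phish.invalid/app.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.calc</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Calculator</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: an app configuration that points the login screen at a remote
# host, as the article describes. Keys and values are placeholders.
SAMPLE_CONFIG = json.dumps({
    "login_url": "https://login.example-phish.invalid/signin",
    "api_base": "https://api.example-phish.invalid/v1",
    "support": "https://example-corp.invalid/help",
})

# Assumed allowlist: hosts the analyst already knows to be legitimate.
KNOWN_GOOD_HOSTS = {"example-corp.invalid"}


def parse_manifest(data):
    """Return a list of (bundle_id, title, [package URLs]) from an install manifest."""
    plist = plistlib.loads(data)
    results = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        urls = [a.get("url") for a in item.get("assets", [])
                if a.get("kind") == "software-package" and a.get("url")]
        results.append((meta.get("bundle-identifier"), meta.get("title"), urls))
    return results


def extract_config_urls(config_text):
    """Return {key: url} for every string value in the config that is an http(s) URL."""
    cfg = json.loads(config_text)
    return {k: v for k, v in cfg.items()
            if isinstance(v, str) and v.startswith(("http://", "https://"))}


def unknown_hosts(urls, allowlist):
    """Hosts from `urls` that are neither an allowlisted host nor a subdomain of one."""
    found = set()
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host and not any(host == a or host.endswith("." + a) for a in allowlist):
            found.add(host)
    return sorted(found)


def triage(manifest_bytes, config_text, allowlist):
    """Combine both artefacts into one report an analyst can act on."""
    manifest = parse_manifest(manifest_bytes)
    config_urls = extract_config_urls(config_text)
    all_urls = [u for _, _, urls in manifest for u in urls] + list(config_urls.values())
    return {
        "bundles": [(bid, title) for bid, title, _ in manifest],
        "package_urls": [u for _, _, urls in manifest for u in urls],
        "config_urls": config_urls,
        "unknown_hosts": unknown_hosts(all_urls, allowlist),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_CONFIG, KNOWN_GOOD_HOSTS), indent=2))
```

The package URL is the more durable indicator: the store listing is gone, but the manifest keeps working as long as the hosting domain does, which is why the article notes the shift to phishing-site distribution. Feeding `unknown_hosts` into a proxy or DNS blocklist stops both the initial install and the later login traffic from the configured host.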
During their analysis of the malicious campaign, Group-IB experts identified fraudulent apps named FINANS INSIGHTS and FINANS TRADER6 on the Google Play platform. These Android applications were available for download in Japan, South Korea, Cambodia, Thailand, and Cyprus, but have now been removed. According to statistics, they were downloaded fewer than 5,000 times.
Experts advise exercising caution when following unknown links, avoiding interactions with strangers on social media and dating sites, and thoroughly vetting investment platforms and applications before downloading them, including checking user ratings and reviews.