Apr 08, 2024NewsroomInvestment Scam / Mobile Security

Google has filed a lawsuit against two app developers for engaging in an “international online consumer investment fraud scheme” that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.

The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.

The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses.

“The gains conveyed by the apps were illusory,” the tech giant said in its complaint. “And the scheme did not end there.”

“Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains.”

While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it “neither adopts nor endorses the use of this term.” It’s derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before “slaughtering” them for their assets.

In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.

The fraudulent scheme entails the scammers using elaborate fictitious personas to target unsuspecting individuals via social media or dating platforms, enticing them with the prospect of a romantic relationship to build trust and convince them to invest in cryptocurrency portfolios that purport to offer high profits within a short span of time with an aim to steal their funds.

To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.

Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for “signing up additional users” and YouTube videos promoting the fake investment platforms.

The company described the malicious activity as persistent and continuing, with the defendants “using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process.”

It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube’s Community Guidelines, as well as the Google Voice Acceptable Use Policy.

“Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps,” Google added. “By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience.”

It’s worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.

The development is the latest in a series of legal actions that Google has taken to avoid the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.

Mar 22, 2024NewsroomPrivacy / Encryption

The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday accused Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among others, security and privacy of users when messaging non-iPhone users.

“Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct,” the landmark antitrust lawsuit said. “Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.”

“Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available.”

The sprawling complaint also alleged that iPhone users who message a non-iPhone user via the Messages app are defaulted to the less secure SMS format (as opposed to iMessage) that lacks support for encryption and offers limited functionality. On the other hand, iMessage is end-to-end encrypted (E2EE) and is even quantum-resistant.

It’s worth noting at this stage that iMessage is only available on the iPhone and other Apple devices. Apple has repeatedly said it has no plans of making iMessage interoperable with Android, even stating that doing so will “will hurt us more than help us.”

Furthermore, the 88-page lawsuit called out the iPhone maker for blocking attempts by third-parties to bring secure cross-platform messaging experience between iOS and Android platform.

In December 2023, Beeper managed to reverse engineer the iMessage protocol and port the service to Android through a dedicated client called Beeper Mini. Apple, however, has shut down those efforts, arguing that Beeper “posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

These limitations have a powerful network effect, driving consumers to continue buying iPhones and less likely to switch to a competing device, the DoJ said, adding, “by rejecting solutions that would allow for cross-platform encryption, Apple continues to make iPhone users’ less secure than they could otherwise be.”

The development comes as Apple is facing more scrutiny than ever to open up its tightly-controlled software ecosystem — the so-called “walled garden” — which regulators say locks in customers and developers. Other major tech giants like Microsoft, Google, Amazon, and Meta have all dealt with similar lawsuits in recent years.

Apple, in a surprise move late last year, announced that it intends to add support for Communication Services (RCS) – an upgraded version of the SMS standard with modern instant messaging features – to its Messages app. It also said it will work with the GSMA members to integrate encryption.

In response to the lawsuit, Cupertino said it will “vigorously defend” itself and that the lawsuit “threatens who we are and the principles that set Apple products apart in fiercely competitive markets.” It also said that DoJ winning the lawsuit would “set a dangerous precedent, empowering the government to take a heavy hand in designing people’s technology.”