<— Back

Sha Zhu Pan : The Cryptocurrency cocktail that started in Asia but is conquering the world

We were contacted by a vulnerable user who lost around $85,000 investing in a fake app. When we started digging into this malware, we started to understand that this is a deeper rabbit hole that started in Asia and is spread worldwide. We have been contacted by several victims, including someone who lost up to a million dollar to this organized crime. In Sha Zhu Pan or also known as CryptoRom, the victims are singles who are looking for potential partners on dating sites. Crooks use stolen celebrity profiles and contact the victim out of the blue. They entice their victims by talking nicely and then moving the conversation to messaging apps like WhatsApp. They never disclosed their faces or met in person, citing Covid-19. After getting familiar and spending time with their new partners, they talk victims into trading and big investments, usually calling themselves investors or bankers. Victims are asked to install fake trading or cryptocurrency applications. Initially, crooks invest some money and let the victim make a profit. Once the victim starts believing them, they are asked to invest large amounts. To avoid tracing investment happens through Crypto apps like Binance. After this, they are never allowed to withdraw, repeatedly denied, or asked to invest more, citing fake taxes or fees. On the tech side, the crooks target both Apple iOS (Apps and Web Clips) and Android users. They create fake App store and Play store look-alike pages for downloads. To bypass the iOS app store, they use Apple Ad hoc distribution (Super signature), Enterprise program (Enterprise signature) using stolen certificates or Apple Test Flight feature (Test Flight signature) using third-party commercial services. Victims must click a link, then they walk through the entire process. On the web side, they create well-known trading app look-alike sites with real-time data obtained through real sites to convince users. We obtained a couple of bitcoin wallet addresses shared by victims with one linked to a $1.4 million total payment and another up to $464million. This is a worldwide problem with several victims losing hundreds of thousands including someone who lost up to $1million. We want to share our presentation with a wider audience to create awareness and increase research on this malware.

Jagadeesh Chandraiah

Jagadeesh Chandraiah is a senior malware researcher at SophosLabs, specializing in mobile malware analysis. Jagadeesh has been working at SophosLabs for over 10 years. Jagadeesh started working on Windows malware analysis and is currently focusing on mobile malware analysis. Jagadeesh has a Master’s degree in computer systems security from the University of South Wales.

Jagadeesh likes to track malware, research and find novel ways to detect and remediate them. Jagadeesh is a frequent contributor to the SophosLabs Uncut blog and has written blog posts about several mobile malware topics. Jagadeesh also regularly presents his research at international security conferences and in the past has presented his research at DeepSec, AVAR, CARO, and Virus Bulletin.

Outside of work, Jagadeesh enjoys playing badminton.

Xinran Wu

Xinran Wu graduated from the University of New South Wales in Australia. He has been working as a threat researcher at SophosLabs for over six years, where he has been reversing and analysing malware for various platforms. His current research areas include Mac threats, and also Android threats. Xinran enjoys reading and playing tennis in his free time