Russian banks circumvent App Store sanctions with “Trojan horses”

2024-02-12 21:18:14

After the start of the war against Ukraine, Russia became the target of sanctions from the United States, the European Union and other countries. Russian companies and banks were also affected by these measures, which prohibit, among other things, doing business with certain companies in the country.

Apple Pay, for example, stopped working there in 2022, as did search ads in the Russian App Store. Thousands of apps had to be removed from the store in the country because they belonged to sanctioned companies.

Just as happened with Apple Pay, however, Russian banks found a way to circumvent the sanctions and keep their apps available, even if hidden. The developer known as “Wukko” detailed how at least two banks in the country published “facade” apps and, inside them, hid their real banking apps as “Trojan horses”.

Do you know how “extremely strict” Apple is with what goes into the App Store and what doesn’t? I don’t think this applies to literal Trojan horse apps that pretend to be one app and switch to a completely different one within it.
Sanctioned Russian banks use this all the time!

Russian banks Sber and Tinkoff Investments are the ones the developer found using this loophole. In Sber's case, the app listed on the App Store apparently has nothing to do with the bank and presents itself as a debt-monitoring utility.

The key to the trick is that, after the app is downloaded, it determines the user’s IP address and location. For users in Western countries, the app keeps showing the facade. If the user is in Russia, however, the bank’s own app is revealed, like a Trojan horse.

The app payload is hosted on a nominally third-party server, at a URL that does not contain the bank’s name but belongs to a cloud service owned by the bank. Depending on the user's location, the downloaded file is swapped for the Sber app. Interestingly, the same link path, when opened in a browser, redirects to a page offering the bank’s app in Android format.


Something that stands out, and that could have been noticed by the App Store during app review, is how much the app grew between versions. The first version was 37.8 MB and contained only libraries; the second was 57.8 MB; and the third was 232.8 MB, with the bank app embedded inside what was being advertised on the store.

Tinkoff uses a similar procedure with an app called InvestCalendar, which shows daily share prices for different companies. It also requests a configuration file, but instead of returning different content depending on the request, the server simply blocks requests from users outside Russia, so the app never changes its facade interface.

When first opened from a Russian IP address, the app crashes while saving the switched state; on the next launch it transitions to the bank app itself, which is likewise hidden. Here too the app grew across versions, from 5.2 MB in the first to 93.5 MB in the fourth and 159.6 MB in the sixth.
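The two patterns described above, a bundle that balloons between versions and a configuration endpoint whose answer depends on the requester's region, can be turned into simple review-side heuristics. The following is an added example written for this page, not code from the article or from Wukko; the version sizes are the ones reported above, while the region-by-region responses are constructed to mimic the Sber (different payload) and Tinkoff (blocked outside Russia) behaviour.

```python
"""Heuristics for spotting geo-gated "facade" apps during app vetting.

Added example (not from the article). Signal 1: bundle size that grows by a
large factor between versions. Signal 2: a remote config URL that returns
different content, or refuses the request, depending on the egress region.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionInfo:
    version: str
    size_mb: float


def size_jumps(versions, ratio=2.0):
    """Return (previous, current) version pairs where size grew >= ratio x."""
    flagged = []
    for prev, cur in zip(versions, versions[1:]):
        if prev.size_mb > 0 and cur.size_mb / prev.size_mb >= ratio:
            flagged.append((prev.version, cur.version))
    return flagged


def geo_divergence(responses):
    """responses maps region -> (http_status, body_hash).

    True when at least one region receives a different body or status than
    the others, i.e. the endpoint discriminates on the requester's location."""
    return len(set(responses.values())) > 1


def assess(versions, responses):
    """Combine both signals; either one alone is a weak indicator."""
    jumps = size_jumps(versions)
    divergent = geo_divergence(responses)
    verdict = "needs manual review" if (jumps and divergent) else "ok"
    return {"size_jumps": jumps, "geo_divergent": divergent, "verdict": verdict}


# Constructed sample data: sizes as reported in the article, responses simulated
# as if the same config URL had been fetched from three egress regions.
SBER_VERSIONS = [VersionInfo("v1", 37.8), VersionInfo("v2", 57.8), VersionInfo("v3", 232.8)]
SBER_RESPONSES = {"RU": (200, "hash-bank-ui"), "US": (200, "hash-facade"), "DE": (200, "hash-facade")}
TINKOFF_VERSIONS = [VersionInfo("v1", 5.2), VersionInfo("v4", 93.5), VersionInfo("v6", 159.6)]
TINKOFF_RESPONSES = {"RU": (200, "hash-config"), "US": (403, ""), "DE": (403, "")}

if __name__ == "__main__":
    print("Sber:", assess(SBER_VERSIONS, SBER_RESPONSES))
    print("Tinkoff:", assess(TINKOFF_VERSIONS, TINKOFF_RESPONSES))
```

In a real review pipeline the response table would come from fetching the app's config URL through proxies in several countries and hashing the bodies.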

The developer concluded that Apple’s app review is selectively rigorous, being strict only when it benefits the company. As he points out, the same procedure could be used to distribute malware rather than “just” bank apps.

As AppleInsider notes, Apple has in the past removed apps from the App Store for this kind of behaviour. The store’s guidelines prohibit apps with fake features and require that finance and investment apps be submitted by the financial institutions themselves. They also prohibit arbitrarily restricting an app's use based on location, carrier and the like.
