Fake Google Play Store Used in “Mammoth” Scam Scheme
Experts from FACCT have discovered a new version of the “Mammoth” scam scheme, which uses a fake Google Play Store. Under the pretense of arranging product delivery, scammers ask victims to download and install a mobile app for a classifieds service from the fake store. In reality, this app is a spyware Android trojan. The malware allows criminals to secretly withdraw money from the victim’s account—the average amount stolen is 67,000 rubles.
How the “Mammoth” Scam Works
In the classic “Mammoth” scheme, scammers steal money and bank card data from victims by pretending to arrange fake purchases and deliveries from popular marketplaces, rental properties, or rideshares. As of late summer 2023, there were 17 active criminal groups in Russia operating under the “Mammoth” scheme.
In September, experts discovered a new “Mammoth” scam community using Android trojans in their attacks. In this updated scheme, scammers no longer ask victims to enter their bank card details on a phishing website. Instead, they offer to install a mobile app for a classifieds service with delivery. The hidden spyware can intercept entered bank card data and incoming SMS codes to steal money from accounts at Russian banks.
Step-by-Step Breakdown of the Scam
- Scam participants (“workers”) create fake product listings in a special Telegram bot and receive a link to download the mobile app—an APK file.
- When a buyer is found and ready to pay, scammers persuade the victim to continue the conversation in a messenger app (so the classifieds platform doesn’t block the link to the malicious app) and to download the app, supposedly to arrange delivery.
- The scammer claims to be a sole proprietor, and says that to purchase goods with delivery (usually popular electronics, clothing, or shoes), clients must use a special program.
- After following the link, the victim sees a fake Google Play page and is prompted to download and install a mobile app that closely mimics the look and functionality of real online platforms. Here, the buyer is invited to arrange delivery.
- At the payment stage, the trojan intercepts and sends the entered bank card data to a member of the criminal group, and then intercepts incoming SMS with confirmation codes to steal money from the victim’s account.
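The fake store page and APK link from the steps above can be screened before a user ever opens them. The sketch below is an added example, not code from FACCT or from the original report: it classifies a link received in a chat as the genuine Google Play web store, a direct APK download, or a store lookalike. The function names, the brand-token heuristic and the sample URLs (reserved `.example` domains) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

PLAY_HOST = "play.google.com"       # the one host accepted as the real web store
BRAND_TOKENS = ("google", "play")   # assumption: words a fake store page borrows

def classify_store_link(url: str) -> str:
    """Return 'genuine-play', 'direct-apk', 'lookalike' or 'other'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed URL, e.g. unbalanced IPv6 brackets
        return "other"
    host = (parts.hostname or "").rstrip(".")
    # Exact host match only: "play.google.com.x.example" and
    # "play.google.com@x.example" both resolve to a different hostname.
    # Plain http is rejected as well, so it falls through to the checks below.
    if parts.scheme == "https" and host == PLAY_HOST and parts.username is None:
        return "genuine-play"
    # A link that hands over an .apk file means sideloading,
    # whatever the surrounding page looks like.
    if parts.path.lower().endswith(".apk"):
        return "direct-apk"
    # Store branding in the visible part of a link that is not the real store.
    visible = (parts.netloc + parts.path).lower()
    if all(token in visible for token in BRAND_TOKENS):
        return "lookalike"
    return "other"

# Constructed sample links (hypothetical, not indicators from the report).
SAMPLES = [
    "https://play.google.com/store/apps/details?id=com.example.app",
    "https://play.google.com.delivery.example/store/apps/details?id=com.example.app",
    "https://play.google.com@delivery.example/store/apps/details",
    "https://delivery.example/files/market.apk",
    "https://shop.example/item/42",
]

def triage(urls):
    """Map each URL to its verdict so a mail or chat filter can act on it."""
    return {u: classify_store_link(u) for u in urls}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLES).items():
        print(f"{verdict:13} {link}")
```

Both `direct-apk` and `lookalike` verdicts are worth blocking or flagging when the link arrives in a conversation about a purchase or delivery.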
Impact and Losses
According to researchers, in September 2023, bank clients in both Russia and Belarus were affected by this scam. In just 10 days in September, scammers managed to steal nearly 3,000,000 rubles using fake apps under the updated “Mammoth” scheme, carrying out 76 withdrawals. On average, each victim lost 67,000 rubles.