Reported by Nate Nelson
Cybercriminals are laundering stolen funds through ordinary people, thanks to a small ecosystem of user-friendly apps that can turn any mobile user into an unwitting money mule.
A new report from CloudSEK details one such app: “XHelper,” an Android platform that connects scammers with citizens of India, whose job is to quickly receive and pass on stolen funds to shadowy third parties. It sports a clean, user-friendly interface that makes the entire process rather simple, and serves to obscure both the nature of the payments and who’s on the other end of each transaction.
The app enables pig-butchering, task, loan, and ecommerce scams, as well as illegal gambling operations, at a massive scale. It currently has around 37,000 active users with around 16,000 verified bank accounts, and moves 160 million rupees per day (just under US $2 million).
And besides XHelper, CloudSEK researcher Sparsh Kulshrestha notes, “Our research has identified similar schemes in other countries, highlighting the need for a united front against money laundering using unsuspecting individuals.”
How XHelper Works
Last summer, Chinese cybercriminals caught around 40,000 individuals on five continents in a loan scam. To obscure so many ill-gotten earnings, they called upon a network of hundreds of thousands of online payment accounts.
This was how researchers first caught wind that, besides the scam itself, something underneath it was deeply wrong, too. It led them to XHelper, an app designed to hide not just the sources of the money, but also its own purpose from its users.
XHelper is distributed online by fake “money transfer” businesses. New members are recruited by “agents” — individuals on Telegram posing as representatives of successful businesses that need help managing their high volumes of daily transactions. Agents earn bonuses for each new recruit, so the laundering network grows larger and larger and, therefore, more robust.
As with any other gig economy app, recruits register their (payment) information and then begin taking on jobs: in this case, receiving money from one party and, within minutes, passing it on to another.
Users earn a cut of the spoils (between 0.2% and 0.3%), which scales as they complete more jobs, earn good ratings for them, and add more bank accounts. Beginner users might only move 10,000 or 20,000 rupees a day via one or two bank accounts, and earn a few hundred rupees (less than five dollars) for their troubles. The highest-level users move tens of millions in an average day, and earn back thousands. The app’s top three users — “shahbaz,” “Register26,” and “Ranjan1982” — have earned themselves more than 12 million rupees (~$145,000) and counting.
Read full report: https://www.darkreading.com/threat-intelligence/xhelper-all-in-one-android-app-global-money-laundering