Cybercriminals are laundering stolen funds through ordinary people, thanks to a small ecosystem of user-friendly apps that can turn any mobile user into an unwitting money mule.

A new report from Cloud SEK details one such app: “XHelper,” an Android platform that connects scammers with citizens of India, whose job is to quickly receive and pass on stolen funds to shadowy third-parties. It sports a clean, user-friendly interface that makes the entire process rather simple, and serves to obscure both the nature of the payments, and who’s on the other end of each transaction.

The app is enabling pig butchering, task, loan, and ecommerce scams, and illegal gambling operations, at a massive scale. It currently sports around 37,000 active users with around 16,000 verified bank accounts, and moves a massive 160 million rupees per day (just under US $2 million).

And besides XHelper, CloudSEK researcher Sparsh Kulshehtra notes, “Our research has identified similar schemes in other countries, highlighting the need for a united front against money laundering using unsuspecting individuals.”

How XHelper Works

Last summer, Chinese cybercriminals caught around 40,000 individuals in five continents in a loan scam. To obscure so many ill-gotten earnings, they called upon a network of hundreds of thousands of online payment accounts.

This was how researchers first caught whiff that, besides the scam itself, something underneath it was deeply wrong, too. It led them to XHelper, an app designed not just to hide the sources of money, but also its own purpose from its users.

XHelper is distributed online by fake “money transfer” businesses. New members are recruited by “agents” — individuals on Telegram posing as representatives of successful businesses, which need help managing their high…

