Author

Topic: A fake app in apple app store stole his life savings in bitcoin (Read 471 times)

hero member
Activity: 1778
Merit: 722
Leading Crypto Sports Betting & Casino Platform
This one is a very common way to earn some bitcoin for scammers. They create an app and upload it on app store or google store and wait for some people to download and use the app. Imagine 100K people downloading and using the app, at lest 500 newbies will actually use and trust the app. Now if you consider only 10 bucks per victim this would be 5000 bucks in total just for creating an stupid app to scam some money from the newbies which is really bug amount of money. The way we can stand against these scammers if to start educating the newbies and teach them how to stay safe from the scammers.
hero member
Activity: 2296
Merit: 506
Cryptocasino.com
For this reason we have to be more careful about downloading any app from google play store or apple store. Besides, google and apple should take necessary steps to remove this kind of fake app. We should remember that our asset is more important than an app.
I think inspecting app like this kinda hard and takes too much time. I wonder what kind of method they use to inspect and filter these app but I assume the go through the code and inspecting it whether automatically or manually but there's always hit and miss since in programming an implementation could have various form. At this point it's just better to download app directly from the official website of these wallets provider.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
*snip*

The ratio of Android and Apple users aside, the fact is, it is indeed harder to get shady apps(or apps in general to be verified) into the Apple ecosystem. I know this from experience and from the few app developers that I know. But of course, no matter how strict a platform is, it doesn't necessarily mean that shady stuff isn't guaranteed to get blocked and isn't going to get in.

tldr; Apple is doing far better than Google in terms of blocking shady apps; but nothing is truly 100% scam-safe.
legendary
Activity: 2674
Merit: 1226
Livecasino, 20% cashback, no fuss payouts.
Nothing new this is why we have Scam Accusations boards and more to keep awareness to the other member also to the people about the fake application this is the reason why other people give a bad image to the bitcoin or in other coins because of that application which is not a legit or reliable only thing they do is to scam mostly the beginners. To make sure it's safe it's better to research the application and double-check if this is the legit one else report immediately so google or another app store will remove this app. Also, check the developer if the same as the original. AFAIK Apple has better application security than the other brands because they focus on the security for their users.

No, Scam accusations is for the forum strictly. To warn people of services and people who you can't tell could be scammers.

Fake apps? Fake websites? You just have to do your own protections. Bookmark correct websites. Use a password manager so you never need to enter passwords on fake websites. And apps. The worst of it all. Download only verified apps.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
While fake apps aren't really anything new to us, there's actually something slightly different in this specific case— the fact that this scam app is on the Apple App Store. Most of such cases far mostly(probably even 99%) occur on the Android Play Store.

Of course, Android as an OS is far more exposed to malicious applications because almost 72% of smartphones have it - so it makes sense to constantly hear about fake apps in Google Play Store. But that doesn't mean they're not in the Apple Apps Store and that their verification system is any better and more efficient in that regard.

Even if the human factor is involved in checking all apps (and we know that algorithms do this), the one checking should know what it is about - the app in question does not have any malicious code, but only tries to trick the user into entering their seed - you and I would never fall for such a trick, right?

As for the Apple App Store, I believe everyone should read the following article which shows what one of the iOS developers thinks about this topic.

Apple’s App Store is hosting multimillion-dollar scams, says this iOS developer
sr. member
Activity: 1554
Merit: 334
Sad but true, I guess this was inevitable and we cannot get rid of these kinds of applications unless there will be someone who will report the fake application. It may be fault of downloading the platform because they cannot able to scrutinize each and every application registered on their platform but I can't blame them as well due to the fact it would hard to manage their numerous application. However, I also believe that it was the user's fault as well because they must have checked the app first before downloading it. My advice is that when are looking for a mobile version application, it is better to check out their official website because usually, they have a link that will direct you to their official mobile application like Binance for example.
hero member
Activity: 2366
Merit: 504
and its actually takes shit ton of effort to get normal app that's not phishing or scam into the app store, apple must be joking. if any, he deserves to sue apple because if not for their app filtering method that's kinda broken he won't lose all the money.

People still believe in fishing apps and sites. Some things never changes after all this time...
differentiating nowadays' phishing apps isn't as easy as comparing an apple to orange, sometimes the phising app is very identical to the real app, and in this case the app coming from the app store where it's said to be filtered strictly by apple.
hero member
Activity: 2114
Merit: 740
Leading Crypto Sports Betting & Casino Platform
This is very sad. Truth is, it can happen to anyone. Sometimes we may be confident that we know it, yet, there's still that chance of being scammed directly or indirectly. I just hope less - no one fall for these scammers.
Anyone would not want to fall victim to a fraud like Christodoulou, ironically the fake Trezor application can bypass Apple systems which are known to be very strong for their security. We'll never know the trap they set, they will always be looking for ways to make their victims suffer.
Christodoulou misfortune will be a valuable experience for all of us to be even more careful when accessing wallets in applications that we have never used before.

hero member
Activity: 2562
Merit: 577
Nothing new this is why we have Scam Accusations boards and more to keep awareness to the other member also to the people about the fake application this is the reason why other people give a bad image to the bitcoin or in other coins because of that application which is not a legit or reliable only thing they do is to scam mostly the beginners. To make sure it's safe it's better to research the application and double-check if this is the legit one else report immediately so google or another app store will remove this app. Also, check the developer if the same as the original. AFAIK Apple has better application security than the other brands because they focus on the security for their users.

Yeah but the op or whoever was the victim can't exactly accused anyone since this an app he/she installed on his own accord,
Perhaps he can accuse the dev of the app or Apple for negligence and allowing fake app to be listed on the App store, I doubt if this will generate a positive feedback,
I would believe that downloading an app from any App store should be a lot more secured than downloading from online, this apps should have gone through the necessary security checks before approval to be listed on the App store,  but somehow fake apps still manage to find their way in, very sad.
hero member
Activity: 2604
Merit: 816
🐺Spinarium.com🐺 - iGaming casino
It seems the apple app store can not check details for every app available on their store because there are thousands of more apps that are ready to download by the user. That will be the same as the google playstore, which has thousands of apps on their store. That will be the user responsible for always checking the validity of the apps before they download and install them on their mobile phone. Please make sure that you check on the official's website and ask if you are suspicious about the apps before you download because you do not know if that app is safe for your mobile phone or the app contains a virus or malware or something like that.
legendary
Activity: 1708
Merit: 1280
Top Crypto Casino
Nothing new this is why we have Scam Accusations boards and more to keep awareness to the other member also to the people about the fake application this is the reason why other people give a bad image to the bitcoin or in other coins because of that application which is not a legit or reliable only thing they do is to scam mostly the beginners. To make sure it's safe it's better to research the application and double-check if this is the legit one else report immediately so google or another app store will remove this app. Also, check the developer if the same as the original. AFAIK Apple has better application security than the other brands because they focus on the security for their users.
legendary
Activity: 1904
Merit: 1159
While installing an app from a store is common-place. Don't such applications ask or atleast mention the permissions that the user have to give to the app. I haven't used an Iphone but it apps on android specify the permissions they are asking for.
Even though it is hard to keep track of these, Isn't it obvious that those who allow apps to be whitelisted or hosted on the platform would atleast match the behavior of app in reality in comparison to what it claims to have access for the first time.

Somebody better versed in app development and security should comment on this? If its a cryptocurrency app, the only permission it should probably have is to use the camera for scanning address QR codes.
sr. member
Activity: 2604
Merit: 338
Vave.com - Crypto Casino
Common stuff that you would really experienced if you are a fan of downloading something without taking any precaution or being too careless on installing things came online.

You know that you do have something important on your mobile or pc then you should be at least aware that downloading something neither can be safe or bad thats why further in depth
analysis would really be needed.You should make at least yourself a little bit paranoid when it comes to these kind of probabilities and that will surely save you up.

This isnt something new about phishing and malware issues.Once you do get to a point where you are being too careless then that would most likely will happen to you.
sr. member
Activity: 2366
Merit: 305
Duelbits - $100k Bonus/week
For this reason we have to be more careful about downloading any app from google play store or apple store. Besides, google and apple should take necessary steps to remove this kind of fake app. We should remember that our asset is more important than an app.
They will remove but once they receive a huge number of reports but if not, they won't do it.
I heard so many issues like these but both big companies did not take action as long as they receive money from the advertiser they will still publish this even though it is a phishing link or scam website.

Always double-check or even triple-check once had a transaction or if there is a visit that not commonly we visit.
hero member
Activity: 2814
Merit: 911
Have Fun )@@( Stay Safe
This is very unfortunate, with those amount I should be somewhat knowledgeable already by what kind of app/security measures should I use/apply to my device(s) especially if I'm storing those wealth in my phone or even on a computer or hardware wallet.
Even with all the precautions the world if we install a phishing software or an application we mess up everything and this is the sole reason using phone to store any of your valuables is the best option and i would advice anyone from doing these blunders. It is unfortunate that someone would loose everything just because they installed some application in the apple store and they need to take responsibility for including phishing applications in their store while they take actions against some applications immediately for minor infractions.
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
This is very unfortunate, with those amount I should be somewhat knowledgeable already by what kind of app/security measures should I use/apply to my device(s) especially if I'm storing those wealth in my phone or even on a computer or hardware wallet.
hero member
Activity: 1680
Merit: 655
Apple would not name the developer of the fake Trezor app or provide the developer’s contact information. Apple wouldn’t say whether it was turning over the name to law enforcement or whether it investigated the developer further. Apple also wouldn’t say whether that developer had developed any other apps in the past or had connections to other developer accounts under different names.

WTF kind of PR response is this? A total of 1.6$ Million have been stolen through a fake app they have on their own app store and they aren't showing any kind of action for letting a fake Trezor app be available for download? Seriously a lot of people are too comfortable downloading things straight without looking for reviews and the rating as they trust both Google and Apple to have screened everything yet there is still a bunch of scams and fake apps popping around their app stores, the sad thing about here is both companies don't respond to their own users who got victimized by these fake apps. That's why if I am downloading apps I don't search it on the app store but go to the developer's website and click their app's link in their just for the peace of my mind.
sr. member
Activity: 1750
Merit: 267
For this reason we have to be more careful about downloading any app from google play store or apple store. Besides, google and apple should take necessary steps to remove this kind of fake app. We should remember that our asset is more important than an app.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Is this something new that we should be surprised about here on the forum? Well, anyone who thinks with their head knows that every app store (on any platform) is a source of malicious applications that are accepted as legitimate, but later their owners make modifications that make them malicious. Furthermore, we could say that those who look for trouble will find it in one way or another.

While fake apps aren't really anything new to us, there's actually something slightly different in this specific case— the fact that this scam app is on the Apple App Store. Most of such cases far mostly(probably even 99%) occur on the Android Play Store.
jr. member
Activity: 49
Merit: 1
People still believe in fishing apps and sites. Some things never changes after all this time...
sr. member
Activity: 2338
Merit: 365
Catalog Websites
is not the supervision of the application at apple, very strict?
scammers are really unsettling and this time they were able to get into the list of apps in the apple store, what a surprise. Apple seems must be able to provide an answer to their negligence.
full member
Activity: 896
Merit: 104
The Standard Protocol - Solving Inflation
Stories of people losing your coins by downloading fake apps is becoming rampant and this shows that quite a lot of people are being affected by this. This is a proof that these scammers will stop at nothing to show that they can actually rip one off his hard earned money.
I think Google playstore and Apple app store should look into this. How did these fake apps get into the store in the first place? One should have some level of assurance by downloading apps from the store and not just from the web.
I should feel secured downloading from the store and not afraid that I might be scammed by downloading a fake app
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Summary:  fake apps in google & apple app stores are stealing cryptocurrency.

This case is interesting in that I have not seen it receive much attention in terms of what approved safe methods of handling crypto are. Common rule of thumb is having sole access to private key. Not using browser wallets. But there is almost nothing said about avoiding 3rd party apps or browser plug ins which are sometimes known to be utilized to steal crypto.

Is this something new that we should be surprised about here on the forum? Well, anyone who thinks with their head knows that every app store (on any platform) is a source of malicious applications that are accepted as legitimate, but later their owners make modifications that make them malicious. Furthermore, we could say that those who look for trouble will find it in one way or another.

Situations like this only prove that the weakest link in the safety chain is a man who, thanks to his ignorance, does things which are completely irrational. Even if someone downloads an app that is fake, how stupid is it to believe that your seed needs to be put into it? It is a basic ignorance that is widespread in the crypto community and for which any malicious person can profit today.



Quote
But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store.

It confirms everything I have already written above, because how to call a man who has 17 BTC and does not know how important it is not to share the seed with anyone. Part of the blame is certainly on Apple and Google in situations like this, but the biggest is on users who haven’t learned even the most basic thing to protect themselves.
member
Activity: 297
Merit: 40
This is sad and this story is happening because there are already a lot of users who already experienced the same things as they have lost their bitcoin from a fake crypto wallet. Not only for downloading and installing fake application a wallet can be hacked and lost your money, but there are also a lot of ways that hackers can do about it, as long as you are connected to the internet, there is still a huge possibility that you may get hacked or even scammed especially those who don't have good enough knowledge about scamming and hacking.

Google and Apple should take an action for this thing, I don't even know how the dake application enters a google play store.
legendary
Activity: 2954
Merit: 1153
However, Apple also needs to in charge of the issue. They always claim that their app store is the most secure web store in the world but apparently, there many people losing their money from those "Verified" apps

Apple should take responsibility for this since they marked the app safe to use.  The user wouldn't use the app if it was never on the app store.  I would love to hear apple side on this but sadly it seems they are not saying anything regarding the issue.  Looks like they are playing safe on this one.
hero member
Activity: 3164
Merit: 937
This is nothing new.Malicious and fake smartphone apps have been a problem for years,and Google and Apple aren't going much in order to stop the scammers.It costs a $25 one-time fee to open a Google Play developer account and submit apps on the Google Play store.I don't know how the newly submitted apps are being reviewed,but there's not enough control for sure.
Newbies should be aware about all the smartphone app scams.They must use only proven and verified apps,that belong to trusted companies inside the crypto industry.
sr. member
Activity: 750
Merit: 258
I heard the story yesterday. What a poor guy. $600,000 is a big amount of money. Furthermore, 17 bitcoin right now worth way more than $60000

Getting rid of centralization is hard because you need to be responsible for your own money and your finance in the world where are too many scammers desperate for money. Raising our awareness and education is the best way to avoid these cases. However, Apple also needs to in charge of the issue. They always claim that their app store is the most secure web store in the world but apparently, there many people losing their money from those "Verified" apps
hero member
Activity: 2114
Merit: 603
Fooling user is getting very easy these days because cloning and app is so easy that one can clone the app with app cloner. I mean come on, if they were able to make app cloner then surely App Store can be infected with full of such forged clones. It’s really bad for the industry.

I assume one should not download the apps from App Store but from the Service Providers official website itself. That’s the best way to be safe.
sr. member
Activity: 1120
Merit: 272
First 100% Liquid Stablecoin Backed by Gold
This is very sad. Truth is, it can happen to anyone. Sometimes we may be confident that we know it, yet, there's still that chance of being scammed directly or indirectly. I just hope less - no one fall for these scammers.

Sometimes it is not the company's fault when people are getting fooled by fake apps because it is the owner's responsibility to keep their device safe.

Scammers are good at making fake apps and fake schemes in order to lure their victim and there's something more for us to lose when we are not aware about this.

Apple is a famous company and yet it is prone to fake apps, device's security also depends on how the owner will manage to secure his gadget and especially digital wallets.
member
Activity: 518
Merit: 13
This man blames Apple for this incident but I don't think that Apple has the full responsibility here. You have $600k worth Bitcoin and you are not being careful about where you keep them. And this causes you to be under a big threat of getting swindled.
member
Activity: 1120
Merit: 68
Thats was a very unfortunate incident imagine that was his life savings and then in seconds it disappears. IMO, it was partly an Appstore fault because it was considered negligence on their side and why they let that fake app listed in their Appstore in the first place, this incident was also happening on Google Playstore thats why for precautionary measures check any app thoroughly for both Appstore and Playstore before using it just to make sure it was safe.
It is more than unfortunate because it is a life savings and I don't think that I would be able to live with the fact that my life saving is going to get stolen from me, I mean that amount of money that you saved for a long time is frustrating and devastating. The problem with checking apps on the Appstore is that it is difficult because the quality check before publishing it in the appstore is the first line of defense and if that were to be defeated then users will have a hard time.
legendary
Activity: 2170
Merit: 1789
IMO, it was partly an Appstore fault because it was considered negligence on their side and why they let that fake app listed in their Appstore in the first place, this incident was also happening on Google Playstore thats why for precautionary measures check any app thoroughly for both Appstore and Playstore before using it just to make sure it was safe.
According to some articles that I've read, the app was changed after it got approved by Apple. It was a tech app before (not a wallet) and then the attacker changed it when the app is no longer under scrutiny. Apple store should improve their security of course, but any crypto users should never trust these kinds of platforms in the first place. Should've checked on the official Trezor website before checking the app store.

Well, hopefully, everyone learns from this and stops losing their money due to bad security practices.
sr. member
Activity: 1610
Merit: 264
It's sad that even one of the people from Trezor itself can't even get their voice heard.
App stores these days are more like reactive rather than proactive, wherein they would just respond to people that reported the app instead of dealing with it before the incident happened.

This is why mostly I don't use mobile apps a lot. Aside that I could be connected in an unsafe network outside my home, there are many hounds attempting to make me install malicious apps.
Even sometimes I even get paranoid in installing MEW's official mobile app. Cheesy
full member
Activity: 1820
Merit: 107
Thats was a very unfortunate incident imagine that was his life savings and then in seconds it disappears. IMO, it was partly an Appstore fault because it was considered negligence on their side and why they let that fake app listed in their Appstore in the first place, this incident was also happening on Google Playstore thats why for precautionary measures check any app thoroughly for both Appstore and Playstore before using it just to make sure it was safe.
full member
Activity: 2520
Merit: 214
Eloncoin.org - Mars, here we come!
This is very sad. Truth is, it can happen to anyone. Sometimes we may be confident that we know it, yet, there's still that chance of being scammed directly or indirectly. I just hope less - no one fall for these scammers.
The saddest part is ? this is APPLE App in which the Highest and strongest security gadget provider in the world . In which majority of user believes they are very safe.

Though this is also a Users diligence yet because of the trust they gave in Apple security they tend to believe everything that pops in their Apple Store.

Try to make your Internet and Gadget using more safer , And do more secure features that we use to have now.
legendary
Activity: 1848
Merit: 1982
Fully Regulated Crypto Casino
Of course, the basic rule in Crypto says: You do not have your own keys = You do not own your coins, or in other words your private keys = your coins, the presence of a third party makes your coins under great danger, but often you are forced to deal with the services of the party Third, even in hardware wallets, you need to go to the wallet site to send your coins, for example I own a Trezor wallet, but I cannot send my coins from the wallet. I need to access the wallet via a web browser and this is a security vulnerability that can be exploited by attackers.
legendary
Activity: 1372
Merit: 2017
While I feel sorry for that person, and understand that by sheer statistics, there are people who end up getting scammed in the end, I have a hard time understanding how someone with $600,000 doesn't take more precautions. On top of that it was almost all of their life savings. I wouldn't have them just in one place. And even less would I transfer them all to my cell phone.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Quick note: While it's far less likely for shady apps to enter the Apple App Store compared to the Google Play Store, it's still not impossible. Funnily(and sadly) enough in this case, Trezor doesn't even support iOS devices currently..
member
Activity: 868
Merit: 63
This is very sad. Truth is, it can happen to anyone. Sometimes we may be confident that we know it, yet, there's still that chance of being scammed directly or indirectly. I just hope less - no one fall for these scammers.
I agree that it can happen to anyone but the problem is that Apple boasts a security when it comes to allowing apps in there Appstore. I wouldn't really say that it is confidence because when you are confident, you are still careful falling for this is more like cockiness.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I think it's more on Google Apps store than Apple as the later has a very tough security although hackers can still hide their intent but Apple is very active in removing this apps the soonest.
I wouldn't install anything sensitive without verifying its authenticity first. Apple doesn't allow sideloading apps and thus you can't validate the binaries before installing it. For Android, at least you can validate the signature before pushing the apk to your phone.

The problem with those apps is that they don't usually contain any malware or exploit but steals the key in a very obscure way such that it is hard to detect without any reports.
hero member
Activity: 2632
Merit: 833
I think it's more on Google Apps store than Apple as the later has a very tough security although hackers can still hide their intent but Apple is very active in removing this apps the soonest.

And this is not the first time that we have heard and going to hear this news. As part of being in crypto, it's our responsibility to really be careful as this hackers are plowing everywhere, from fake and phishing websites to malicious apps.
sr. member
Activity: 1680
Merit: 288
Eloncoin.org - Mars, here we come!
This is very sad. Truth is, it can happen to anyone. Sometimes we may be confident that we know it, yet, there's still that chance of being scammed directly or indirectly. I just hope less - no one fall for these scammers.
legendary
Activity: 2492
Merit: 1232
There are common ways to steal our crypto, as long as we are connected to the internet, we are vulnerable to hack or even attack any phishing sites.

There are too many cases of fake apps or clone websites in Scam Accusations board, the worst thing is most commonly in Google Playstore and I don't know if the Apple apps store do the same with the Google store.  The problem is, why they didn't filter those fakes apps instead, there should be a verification of the legitimacy of apps before they will accept to be downloaded by the users.

Those criminals for now are very desperate of making money, especially most people who are unemployed due to the pandemic.  We should extend our diligence upon storing our digital assets on the internet and always verify the apps that we install or even the website that we use, verify first and should always on the official websites, not on the modified ones.
legendary
Activity: 2562
Merit: 1441
Quote
Recent scams show there are holes in Apple’s safety net

March 30, 2021

Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for “Trezor,” the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company’s padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.

But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store.

Christodoulou, once a loyal Apple customer, said he no longer admires the company. “They betrayed the trust that I had in them,” he said in an interview. “Apple doesn’t deserve to get away with this.”

Apple bills its App Store as “the world’s most trusted marketplace for apps,” where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it’s easy for scammers to circumvent Apple’s rules, according to experts. Criminal app developers can break Apple’s rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple. When Apple finds out, it removes the apps and bans the developers, the company says. But it’s too late for the people who fell for the scam.

Crypto scams are also common on Google’s Android and on the Web. But their presence on the Apple App Store is more surprising because Apple says it curates the store and checks each app, which creates high levels of consumer trust. The 15 to 30 percent commission Apple collects on all sales on the App Store goes to fund the “highly curated” customer experience, the company has said.

“User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since,” said Apple spokesperson Fred Sainz. “Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store’s protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.”

The ability of apps to morph into something else entirely after they are approved by the App Store raises questions about the effectiveness of Apple’s review process to stop scammers. Apple wouldn’t say how often these scams appear, or how often it removes them. But it did say it removed 6,500 apps for “hidden or undocumented features” last year. Apple touts user safety as its defense against accusations from lawmakers, regulators and competitors that the company uses its monopoly over app distribution on iPhones anti-competitively.

“Apple frequently pushes myths about user privacy and security as a shield against its anti-competitive App Store practices,” said Meghan DiMuzio, executive director of the Coalition for App Fairness, which was formed to fight Apple’s power over its App Store. “The truth is, Apple’s security ‘standards’ are inconsistently applied across apps and only enforced when it benefits Apple.”

Apple acknowledged there have been other cryptocurrency scams on the App Store but wouldn’t say how many. Apple wouldn’t say whether fake Trezor apps had sneaked into the App Store in the past, or whether new apps called “Trezor” will be flagged as potentially fraudulent in the future.

Coinfirm, a U.K.-based company that specializes in cryptocurrency regulations and conducts fraud investigations, says it has received more than 7,000 inquiries about stolen crypto assets since October 2019. Fake apps in Google’s Android Play Store and Apple’s App Store are common, said Pawel Aleksander, the company’s chief information officer.

Coinfirm said five people have reported having cryptocurrency stolen by the fake Trezor app on iOS, for total losses worth $1.6 million. There have been three reports of fake Trezor apps on Android that stole a total of $600,000 in cryptocurrency
.

Apple would not name the developer of the fake Trezor app or provide the developer’s contact information. Apple wouldn’t say whether it was turning over the name to law enforcement or whether it investigated the developer further. Apple also wouldn’t say whether that developer had developed any other apps in the past or had connections to other developer accounts under different names.

“We don’t allow apps that mislead users by impersonating another app, developer or company, and when we discover an app that violates our policies, we take appropriate action,” said Google spokesperson Colin Smith.

Google said it knows of two fake Trezor apps that have appeared on the Google Play store. It removed both. It didn’t say how the Trezor apps made it onto the store. The company didn’t say whether it notified law enforcement, or how many other scam apps it has found on the store. It didn’t say whether it investigated the developers. Analytics firm App Figures was able to find eight fake Trezor apps that have appeared on the Play Store.

Of all the Internet scams, the theft of cryptocurrency is one of the most lucrative for thieves. Millions of dollars in digital currency can be pilfered in a split-second, and high-profile crypto heists have netted thieves as much as $530 million, which occurred in the Coincheck hack in 2018. In 2014, Apple banned crypto wallets on the App Store but then restored them the same year. Apple does not allow cryptocurrency mining apps, and it places extra restrictions on crypto wallet apps.

'Fortnite’ maker Epic faces uphill antitrust battle with Apple

To better secure their investments, people who own cryptocurrencies transfer their investments to “hardware wallets,” which are like USB thumb drives that store the secret and sensitive information a thief would need to steal someone’s cryptocurrency.

Hardware wallets plug into a computer via a USB connection. By typing in a PIN and sometimes an additional passphrase, the hardware wallet can be accessed and used to make transactions. If a hardware wallet is lost or destroyed, the information can be restored with a secret “seed phrase.” Some people keep the seed phrase in a safe-deposit box, hoping they’ll never have to use it, or etched on durable metal that can survive a fire. Scammers use phishing to trick people into giving up their seed phrases.

Trezor, based in the Czech Republic and owned by a company called Satoshi Labs, is a well-known maker of hardware wallets. Trezor doesn’t have a mobile app, but crypto thieves created a fake one and put it on Apple’s App Store in January and the Google Play Store in December, according to those companies, tricking some unsuspecting Trezor customers into entering their seed phrases.

Kristyna Mazankova, a spokeswoman for Trezor, said the company has been notifying Apple and Google for years about fake apps posing as a Trezor product to scam its customers. Trezor has never had a mobile app, though the company is working on one. She said the process of reporting the apps is “painful” and that representatives of Apple and Google haven’t been in contact.

Mazankova said Trezor notified Apple about a copycat app on Feb 1. Apple removed the app on Feb. 3, but it appeared again days later, according to Christodoulou, before it was removed again.

The fake Trezor app got through the app store through a bait-and-switch, according to Apple. Though it was called Trezor and used the Trezor logo and colors, it represented itself as a “cryptography” app that would encrypt iPhone files and store passwords, according to Apple. The developer of the fake Trezor app told Apple’s review team it “is not involved in any cryptocurrency.” Apple approved the app and it appeared in the App Store on Jan. 22, according to mobile analytics firm Sensor Tower.

Some time later, unbeknown to Apple, the Trezor cryptography app changed itself into a cryptocurrency wallet. Apple does not allow these sorts of changes, but Apple says it does not know when they occur. It relies on users and customers to report it when it happens, the company said.

After Trezor reported the fake app to Apple, Apple says it removed the app and banned the developer. Two days later, another fake Trezor app appeared. Apple removed that app, too. Apple did not say how it found out about the fake apps, but said it removed them because they were fraudulent.

Sensor Tower said the Trezor app was on the Apple App Store from at least Jan. 22 to Feb. 3 and appears to have been downloaded about 1,000 times. The app was downloaded about 1,000 times on Android, but Sensor Tower did not collect data on exactly when it became available.

James Fajcz, a reliability engineer at a paper company who lives in Savannah, Ga., also had his cryptocurrency stolen by the fake Trezor app, he says. In December, as he saw prices of the digital tokens rising, he purchased about $14,000 worth of Ethereum and bitcoin on Coinbase and Binance with money from his savings.

He wanted to make sure his investment was secure, so he purchased a Trezor Model T hardware wallet and downloaded an app on his iPhone called Trezor, which asked for his seed phrase. The app didn’t connect to his Trezor wallet, and he figured it didn’t work.

Weeks later, he purchased more Ethereum on Coinbase. He plugged in his Trezor device, but nothing was there. He went on the Trezor support forum on Reddit for answers. A Reddit poster informed him: There is no Trezor app. “My jaw dropped to the floor. My heart sank,” he said. “I realized what I did.”

Fajcz said he called Apple’s support line. An Apple representative said the company was not responsible, Fajcz says. “This was a trusted app on the App Store claiming to be the best and most trusted app store on any system anywhere,” he said. “And this nefarious app gets on the platform? I feel Apple should be held partially or fully responsible for that.”

Over a few years, Christodoulou had amassed 18.1 bitcoin. At the beginning of the coronavirus pandemic, each was worth about $5,500. By October, the price was starting to skyrocket, topping out at $60,000 early this year.

Christodoulou had hoped his bitcoin holdings would help save his dry-cleaning business, which was decimated during the pandemic. On Feb. 1, he wanted to be able to check his bitcoin balance using his phone, instead of a computer. So he checked the App Store, downloaded the fake Trezor app and entered his seed phrase.

Immediately afterward, he plugged his Trezor hardware wallet into his computer and logged in to check his balance. It was all gone.

That evening, Christodoulou went into the App Store again to look more closely at the reviews. Before it was removed, the Trezor app had 155 reviews on the App Store for a rating of close to five stars, according to App Figures, the analytics firm. When Christodoulou opened up the written reviews, he read complaints from other people who had been scammed in the same way. The five-star ratings that helped make the app seem legitimate must have been fake, he concluded.

Christodoulou called Apple customer support and a representative said he would escalate it to a supervisor. He said he also notified Apple and filed a report with the FBI. Lauren Hagee Glintz, an FBI spokeswoman, declined to comment on the report.

Chainalysis, a commercial blockchain analysis firm, reviewed documents provided by Fajcz and Christodoulou and confirmed that their cryptocurrency was moved from their wallets to a suspicious account. Both thefts appeared related, said Madeleine Kennedy, a spokeswoman for Chainalysis. “There’s evidence this is a substantial scam bringing in hundreds of thousands of dollars,” she said.

Only one of Christodoulou’s 18.1 bitcoin was spared because he transferred it to a bitcoin savings service called BlockFi. At the time of the theft, his 17.1 stolen bitcoin were worth $600,000, but they soon went up in value to $1 million.

Christodoulou says he’s taking medication and seeing a psychiatrist. “It broke me. I’m still not recovered from it,” he said.

He still hasn’t heard from Apple.

https://www.washingtonpost.com/technology/2021/03/30/trezor-scam-bitcoin-1-million/


....



Summary:  fake apps in google & apple app stores are stealing cryptocurrency.

Criminals trend towards targeting a path of least resistance. Browser extensions, apps in app stores, software libraries for languages like python all appear to be the most popular methods of stealing crypto atm. I think many of these attack vectors might be categorized as phishing. Where a malicious app is trusted and has vital seed, login and password data typed directly into it. Which allows criminals to hijack credentials for their own use.

This case is interesting in that I have not seen it receive much attention in terms of what approved safe methods of handling crypto are. Common rule of thumb is having sole access to private key. Not using browser wallets. But there is almost nothing said about avoiding 3rd party apps or browser plug ins which are sometimes known to be utilized to steal crypto.
Jump to: