- A user lost 17.1 Bitcoin, worth $ 600,000 at the time, to a fake Trezor app on the Apple App Store.
- To circumvent Apple’s review process, some malicious developers modify their apps after they are approved.
A malicious smartphone app on the Apple App Store that mimics the name and visual style of Trezor hardware wallets was used to steal 17.1 Bitcoin (BTC) from an unsuspecting user.—Value $ 600,000 then, and over a million dollars today.
Per a report in The Washington Post, Trezor user Phillipe Christodoulou had stored his Bitcoin on a Trezor
Although Trezor does not currently support Apple’s iOS mobile operating system and does not have a mobile app, the app used the company’s name and branding, and had a user rating of almost five stars, which made it seem reliable.
After Christodoulou downloaded the app and entered his credentials, all his crypto disappeared immediately.
“They betrayed the trust I had in them. Apple does not deserve to get away with this, “said Christodoulou.
Christodoulou is not the only person who falls victim to the scam; Georgia resident James Fajcz also told the outlet that he lost $ 14,000 in value and to the fake app.
Apps that slide through the cracks
Apple describes its store as “the world’s most trusted marketplace for apps.” Talking to Washington Post, a spokesman for Apple explained that all apps undergo a thorough review process – but acknowledged that there have been other cryptocurrency scams in the App Store. The app, which was used to scam Christodoulou, was available in the App Store from at least January 22 to February 3 and was downloaded around 1,000 times.
In this particular case, the fake Trezor app was originally presented in the “cryptography” category – as a solution for encrypting iPhone files and storing passwords – before it was changed by the developers to an encryption app. Apple told Washington Post that it had removed 6,500 apps for “hidden and undocumented features” last year, but acknowledged that it is up to users and customers to report fake apps. When Christodoulou checked the written reviews for the fake Trezor app, he read many complaints from others who had been tricked in the same way.
Apple is not the only company whose app store has hosted fake crypto wallet apps. In January this year, Trezor took over Twitter to warn users about a malicious Android app in the Google Play Store which was downloaded more than 1000 times.
“We do not allow apps that mislead users by impersonating another app, developer or company, and when we discover an app that violates our policies, we take appropriate action,” Google spokeswoman Colin Smith told Washington Post; the company noted that it had recently identified and removed two fake Trezor apps from the Google Play Store, although analytics firm App Figures reportedly identified eight fake apps in the store.
In both cases, the fraudsters used a phishing technique to persuade hardware wallet users to enter the recovery phrase – so that they could make a copy of the wallet and send the money it contained to an address of their choice. Blockchain analytics firm Chainalysis reported that Christodoulou and Fajcz’s funds had been sent to “a suspicious account.”
It goes without saying that you should never enter the wallet recovery phrase in an app – no matter how compelling it may seem at first glance.