Okay so the original creator of the app posted a legit app. What was the name of the app? Then they changed the app to the fake Trezor app? <…>
That is what the available information suggests, being the prior app in the line of one to encrypt files and store passwords. I haven’t managed to find the original name of the app though.
So when the guy downloaded the Trezor app from the App Store... it then asked for his seed and he then manually typed it in, right? Then the moment he did that, the coins were immediately lost?
Not exactly immediately (I doubt they have this part of the process fully automated), but very rapidly for sure. As soon as the people behind the fake app receive someone’s entered 24-word mnemonic, they’ll simply create a wallet using it, thus having access to the stored crypto and being able to see and manage/move it at will.
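An added illustration (not part of this thread) of what the reply above describes: under BIP39, the 24 words alone determine the wallet seed, so whoever receives them can recompute it; only an optional BIP39 passphrase (Trezor's "hidden wallet") changes the result. The sample mnemonic is the standard's own all-zero-entropy test vector, not a real wallet.

```python
import hashlib
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: derive the 64-byte wallet seed from a mnemonic sentence.

    PBKDF2-HMAC-SHA512 over the NFKD-normalised words, salt "mnemonic" +
    passphrase, 2048 iterations. Nothing device-specific enters the
    calculation, so anyone who learns the words (e.g. via a phishing app)
    reproduces the seed, and therefore the wallet, exactly.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Constructed sample: the BIP39 reference test vector (all-zero entropy).
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def passphrase_changes_wallet(mnemonic: str, passphrase: str) -> bool:
    """True if adding a BIP39 passphrase yields a different seed than the bare
    words, i.e. a leaked mnemonic without the passphrase does not open the
    passphrase-protected wallet."""
    return mnemonic_to_seed(mnemonic) != mnemonic_to_seed(mnemonic, passphrase)


if __name__ == "__main__":
    # The reference vector uses the passphrase "TREZOR".
    print(mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
    print(passphrase_changes_wallet(SAMPLE_MNEMONIC, "correct horse"))
```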
How does one protect oneself, then, when downloading any apps from the Apple App Store?
Apple is way safer than Android, but as this case exemplifies, there is no complete certainty that an app won't include some sort of malware or be a hoax, and one should try to minimize what is being installed on sensitive devices, besides making sure it's legit. In this particular case though, knowing what is feasible and what is not (Trezor asking for the mnemonic) is paramount.
I often wonder if the native operating system resources have/may, at some point, log and forward some of the data one types …