Recent scams show there are holes in Apple’s safety netMarch 30, 2021
Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for “Trezor,” the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company’s padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.
In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.
But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store.
Christodoulou, once a loyal Apple customer, said he no longer admires the company. “They betrayed the trust that I had in them,” he said in an interview. “Apple doesn’t deserve to get away with this.”
Apple bills its App Store as “the world’s most trusted marketplace for apps,” where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it’s easy for scammers to circumvent Apple’s rules, according to experts. Criminal app developers can break Apple’s rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple. When Apple finds out, it removes the apps and bans the developers, the company says. But it’s too late for the people who fell for the scam.
Crypto scams are also common on Google’s Android and on the Web. But their presence on the Apple App Store is more surprising because Apple says it curates the store and checks each app, which creates high levels of consumer trust. The 15 to 30 percent commission Apple collects on all sales on the App Store goes to fund the “highly curated” customer experience, the company has said.
“User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since,” said Apple spokesperson Fred Sainz. “Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store’s protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.”
The ability of apps to morph into something else entirely after they are approved by the App Store raises questions about the effectiveness of Apple’s review process to stop scammers. Apple wouldn’t say how often these scams appear, or how often it removes them. But it did say it removed 6,500 apps for “hidden or undocumented features” last year. Apple touts user safety as its defense against accusations from lawmakers, regulators and competitors that the company uses its monopoly over app distribution on iPhones anti-competitively.
“Apple frequently pushes myths about user privacy and security as a shield against its anti-competitive App Store practices,” said Meghan DiMuzio, executive director of the Coalition for App Fairness, which was formed to fight Apple’s power over its App Store. “The truth is, Apple’s security ‘standards’ are inconsistently applied across apps and only enforced when it benefits Apple.”
Apple acknowledged there have been other cryptocurrency scams on the App Store but wouldn’t say how many. Apple wouldn’t say whether fake Trezor apps had sneaked into the App Store in the past, or whether new apps called “Trezor” will be flagged as potentially fraudulent in the future.
Coinfirm, a U.K.-based company that specializes in cryptocurrency regulations and conducts fraud investigations, says it has received more than 7,000 inquiries about stolen crypto assets since October 2019. Fake apps in Google’s Android Play Store and Apple’s App Store are common, said Pawel Aleksander, the company’s chief information officer.
Coinfirm said five people have reported having cryptocurrency stolen by the fake Trezor app on iOS, for total losses worth $1.6 million. There have been three reports of fake Trezor apps on Android that stole a total of $600,000 in cryptocurrency.
Apple would not name the developer of the fake Trezor app or provide the developer’s contact information. Apple wouldn’t say whether it was turning over the name to law enforcement or whether it investigated the developer further. Apple also wouldn’t say whether that developer had developed any other apps in the past or had connections to other developer accounts under different names.
“We don’t allow apps that mislead users by impersonating another app, developer or company, and when we discover an app that violates our policies, we take appropriate action,” said Google spokesperson Colin Smith.
Google said it knows of two fake Trezor apps that have appeared on the Google Play store. It removed both. It didn’t say how the Trezor apps made it onto the store. The company didn’t say whether it notified law enforcement, or how many other scam apps it has found on the store. It didn’t say whether it investigated the developers. Analytics firm App Figures was able to find eight fake Trezor apps that have appeared on the Play Store.
Of all the Internet scams, the theft of cryptocurrency is one of the most lucrative for thieves. Millions of dollars in digital currency can be pilfered in a split-second, and high-profile crypto heists have netted thieves as much as $530 million, which occurred in the Coincheck hack in 2018. In 2014, Apple banned crypto wallets on the App Store but then restored them the same year. Apple does not allow cryptocurrency mining apps, and it places extra restrictions on crypto wallet apps.
'Fortnite’ maker Epic faces uphill antitrust battle with Apple
To better secure their investments, people who own cryptocurrencies transfer their investments to “hardware wallets,” which are like USB thumb drives that store the secret and sensitive information a thief would need to steal someone’s cryptocurrency.
Hardware wallets plug into a computer via a USB connection. By typing in a PIN and sometimes an additional passphrase, the hardware wallet can be accessed and used to make transactions. If a hardware wallet is lost or destroyed, the information can be restored with a secret “seed phrase.” Some people keep the seed phrase in a safe-deposit box, hoping they’ll never have to use it, or etched on durable metal that can survive a fire. Scammers use phishing to trick people into giving up their seed phrases.
Trezor, based in the Czech Republic and owned by a company called Satoshi Labs, is a well-known maker of hardware wallets. Trezor doesn’t have a mobile app, but crypto thieves created a fake one and put it on Apple’s App Store in January and the Google Play Store in December, according to those companies, tricking some unsuspecting Trezor customers into entering their seed phrases.
Kristyna Mazankova, a spokeswoman for Trezor, said the company has been notifying Apple and Google for years about fake apps posing as a Trezor product to scam its customers. Trezor has never had a mobile app, though the company is working on one. She said the process of reporting the apps is “painful” and that representatives of Apple and Google haven’t been in contact.
Mazankova said Trezor notified Apple about a copycat app on Feb 1. Apple removed the app on Feb. 3, but it appeared again days later, according to Christodoulou, before it was removed again.
The fake Trezor app got through the app store through a bait-and-switch, according to Apple. Though it was called Trezor and used the Trezor logo and colors, it represented itself as a “cryptography” app that would encrypt iPhone files and store passwords, according to Apple. The developer of the fake Trezor app told Apple’s review team it “is not involved in any cryptocurrency.” Apple approved the app and it appeared in the App Store on Jan. 22, according to mobile analytics firm Sensor Tower.
Some time later, unbeknown to Apple, the Trezor cryptography app changed itself into a cryptocurrency wallet. Apple does not allow these sorts of changes, but Apple says it does not know when they occur. It relies on users and customers to report it when it happens, the company said.
After Trezor reported the fake app to Apple, Apple says it removed the app and banned the developer. Two days later, another fake Trezor app appeared. Apple removed that app, too. Apple did not say how it found out about the fake apps, but said it removed them because they were fraudulent.
Sensor Tower said the Trezor app was on the Apple App Store from at least Jan. 22 to Feb. 3 and appears to have been downloaded about 1,000 times. The app was downloaded about 1,000 times on Android, but Sensor Tower did not collect data on exactly when it became available.
James Fajcz, a reliability engineer at a paper company who lives in Savannah, Ga., also had his cryptocurrency stolen by the fake Trezor app, he says. In December, as he saw prices of the digital tokens rising, he purchased about $14,000 worth of Ethereum and bitcoin on Coinbase and Binance with money from his savings.
He wanted to make sure his investment was secure, so he purchased a Trezor Model T hardware wallet and downloaded an app on his iPhone called Trezor, which asked for his seed phrase. The app didn’t connect to his Trezor wallet, and he figured it didn’t work.
Weeks later, he purchased more Ethereum on Coinbase. He plugged in his Trezor device, but nothing was there. He went on the Trezor support forum on Reddit for answers. A Reddit poster informed him: There is no Trezor app. “My jaw dropped to the floor. My heart sank,” he said. “I realized what I did.”
Fajcz said he called Apple’s support line. An Apple representative said the company was not responsible, Fajcz says. “This was a trusted app on the App Store claiming to be the best and most trusted app store on any system anywhere,” he said. “And this nefarious app gets on the platform? I feel Apple should be held partially or fully responsible for that.”
Over a few years, Christodoulou had amassed 18.1 bitcoin. At the beginning of the coronavirus pandemic, each was worth about $5,500. By October, the price was starting to skyrocket, topping out at $60,000 early this year.
Christodoulou had hoped his bitcoin holdings would help save his dry-cleaning business, which was decimated during the pandemic. On Feb. 1, he wanted to be able to check his bitcoin balance using his phone, instead of a computer. So he checked the App Store, downloaded the fake Trezor app and entered his seed phrase.
Immediately afterward, he plugged his Trezor hardware wallet into his computer and logged in to check his balance. It was all gone.
That evening, Christodoulou went into the App Store again to look more closely at the reviews. Before it was removed, the Trezor app had 155 reviews on the App Store for a rating of close to five stars, according to App Figures, the analytics firm. When Christodoulou opened up the written reviews, he read complaints from other people who had been scammed in the same way. The five-star ratings that helped make the app seem legitimate must have been fake, he concluded.
Christodoulou called Apple customer support and a representative said he would escalate it to a supervisor. He said he also notified Apple and filed a report with the FBI. Lauren Hagee Glintz, an FBI spokeswoman, declined to comment on the report.
Chainalysis, a commercial blockchain analysis firm, reviewed documents provided by Fajcz and Christodoulou and confirmed that their cryptocurrency was moved from their wallets to a suspicious account. Both thefts appeared related, said Madeleine Kennedy, a spokeswoman for Chainalysis. “There’s evidence this is a substantial scam bringing in hundreds of thousands of dollars,” she said.
Only one of Christodoulou’s 18.1 bitcoin was spared because he transferred it to a bitcoin savings service called BlockFi. At the time of the theft, his 17.1 stolen bitcoin were worth $600,000, but they soon went up in value to $1 million.
Christodoulou says he’s taking medication and seeing a psychiatrist. “It broke me. I’m still not recovered from it,” he said.
He still hasn’t heard from Apple.
https://www.washingtonpost.com/technology/2021/03/30/trezor-scam-bitcoin-1-million/ ....
: fake apps in google & apple app stores are stealing cryptocurrency.
Criminals trend towards targeting a path of least resistance. Browser extensions, apps in app stores, software libraries for languages like python all appear to be the most popular methods of stealing crypto atm. I think many of these attack vectors might be categorized as phishing. Where a malicious app is trusted and has vital seed, login and password data typed directly into it. Which allows criminals to hijack credentials for their own use.
This case is interesting in that I have not seen it receive much attention in terms of what approved safe methods of handling crypto are. Common rule of thumb is having sole access to private key. Not using browser wallets. But there is almost nothing said about avoiding 3rd party apps or browser plug ins which are sometimes known to be utilized to steal crypto.
