⚠️ Hackers Target Crypto Users with “Bait-and-Switch” Fake Wallet Scam

[The Cryptovator]

Do you know what a bait-and-switch strategy is? Recently have you heard about how a fake Ledger wallet stole about $9.5M from crypto users? Do you know how hackers are able to upload their software on the Apple Store? It's very important to know how they have been using the bait-and-switch strategy to upload their software or apps.

A bait-and-switch strategy is like promising something but delivering something else. Let's see how the scammer uploaded their fake ledger on the Apple Store.  However, Apple removed the fake apps from their apps store uploaded by SAS Software Company

In the past, bait-and-switch scammers on the Apple App Store have obtained approval through legitimate means before uploading fake screenshots or altering descriptions to mimic another well-known app.

That means developers first upload a fake screenshot or description or a well-known app, and the app gets approved. On the other hand, developers even upload the legimate software or apps; after approval, they update the apps, or they could change the backend from their hosting or server. That's how scammers obtained the approval for fake apps.

So you have to be careful from now about fake apps. Always make sure you are downloading something from the original website; it will redirect to the app store if there are existing apps.

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

[Charcol]

So you have to be careful from now about fake apps. Always make sure you are downloading something from the original website; it will redirect to the app store if there are existing apps.

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

Here are some easy ways to avoid such fake apps that many people don't notice.
We should always make sure to download from the App Store or Google Play Store. I would especially say not to download from any third party website or unofficial source. It is also necessary to confirm the app review ratings. In this case, it can be a little confusing. Because as far as I know, the reviews of scam apps are better. But the reviews of real users can sometimes be very negative. Also, using a phone security app helps in identifying suspicious apps.

[Zaguru12]

That means developers first upload a fake screenshot or description or a well-known app, and the app gets approved. On the other hand, developers even upload the legimate software or apps; after approval, they update the apps, or they could change the backend from their hosting or server. That's how scammers obtained the approval for fake apps.

So you have to be careful from now about fake apps. Always make sure you are downloading something from the original website; it will redirect to the app store if there are existing apps.

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

In summary this leads us to one thing which is one should prioritize open source app because with it at least tech savvy people can actually get to see the edited codes. While open source softwares aren’t immune to been faked, it’s actually easy to dictate them easily than closed source and it’s a go to for every newbie trying to get apps for their hot wallets.

Also one should never ever trust anything even if the apps has high positive reviews on a store it should not be trusted because they are also manipulated.

Lastly as the usual warning, do not have large amount of bitcoin on hot wallets and never ever trust any app to sign any message or give out keys to them.

[Amphenomenon]

Not surprise that the Appstore is a target for hackers and they having more success in this. There have always been comment of individuals stating that the Appstore is more secure than the Playstore which was true but that will definitely attract attackers more because people are more relaxed when they think something is secure.

Downloading from official sites is one of the best ways to avoid this, even if the app is found on these platforms, they will redirected to the official app on the store.

[lovesmayfamilis]

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

In fact, the fraud is as old as the world, and even Wikipedia will help you with this. On the Internet, you should not be very trusting, expecting that they will send you completely clean software from somewhere or even some kind of product, not to mention various free bonuses.

You don't even need to focus on any particular area here. You need to be prepared for everything, knowing that today's "world" will try to deceive you here and there. Skepticism and personal education, as well as a lack of trust until it is thoroughly verified that you want to download, buy, or interact with something, will help you feel safe. When working with cryptocurrencies, we must not only be our own bank but also the "police and regulator" of our own decisions.

[noorman0]

We should always make sure to download from the App Store or Google Play Store. I would especially say not to download from any third party website or unofficial source.

You need to reread the OP's case, which states that the scam app was listed on the OS app marketplace. Structurally, publishing a scam app requires approval from the app store, which can be considered a third party.

Your suggestion isn't a universal standard; there are situations where you can get a genuine app from the user manual, and that doesn't require access to the app store.

[CryptSafe]

We should always make sure to download from the App Store or Google Play Store. I would especially say not to download from any third party website or unofficial source.

You need to reread the OP's case, which states that the scam app was listed on the OS app marketplace. Structurally, publishing a scam app requires approval from the app store, which can be considered a third party.

Your suggestion isn't a universal standard; there are situations where you can get a genuine app from the user manual, and that doesn't require access to the app store.

Maybe wallet apps should endeavour to make their wallets available on their websites and also illustrate the original app for their community to know, and be able to differentiate themselves with something remarkable, to make it clear whenever we visit, so we do not download a fake wallet that would be used as a conduit for a scam.

[IjawMan]

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

This can not be new as you made it all look but it is worth sharing for there are users who are unaware about how this scam Apps operates and how to avoid them.

The prevention method I have regularly employed while downloading any app on the App store is to first click on the review area after searching out the app I wish to download. I go through the reviews of previous users of the app, and if it is a few reviews plus if the app/software is less than a month or few months from when it was uploaded, it is a red flag for me.

The app/software upload time should be close with the time the app brand was introduced.

[bitbollo]

Once you have to use a wallet,with real coins/in a real setting its always better to make a double check and avoid to use the last wallet released.
In general it's also a good way to use only few amount for testing and other purposes....
Probably this is an approach that has been accrued on early times ... it was full of fake clones of electrum on these "app stores".
I have seen the first version only few years ago...and immediately removed

[Cookdata]

Downloading from official sites is one of the best ways to avoid this, even if the app is found on these platforms, they will redirected to the official app on the store.

The thing is ledgerlive is supported for phone and for PC, the reason is there are many version of Ledger hardware wallet that supports connection Bluetooth and USB. Most common connections you see on pc is USB cable and Bluetooth but you can make connection with phone as well with Ledgerlive app through Bluetooth or OTG for android phones, this is why you get redirected to app store and play store if you use mobile phone.

The PC version are there to download too but I assumed Mac users think every app on Mac app store is considered to be better and safe, that's why they downloaded from the store directly only to end up with fake one.

Maybe wallet apps should endeavour to make their wallets available on their websites and also illustrate the original app for their community to know, and be able to differentiate themselves with something remarkable, to make it clear whenever we visit, so we do not download a fake wallet that would be used as a conduit for a scam.

The apps are there on the website and also on the Github page.

There is no better way to differentiate original and fake app with UI, scammers are going to clone another version of the original if possible.
 The best ways to prove a software hasn't been tampered is to provide signature for users to verify before they install on their device.

[Mia Chloe]

~snip

A lot of people are barely safe then.. app stores can't be trusted real and official sites can be duplicated and loaded with same rigged and modded apps.... These days people are just lucky most times. It's easy to say the first result from Google search is authentic but that too can be rigged by same Google ads.

Like I said there are barely people that can even verify wallet authenticity and it's one of the reasons more people are using custodial wallets that are popular.

[HeatBit]

So it's not like those app stores are not doing their jobs right, this m*****fckers have found a way to bypass that security check? I'm guessing since this is already all out in the open now it's way better than when they don't know.

Still it's a good practice to get used to downloading from official sources than appstores, these hackers aren't playing around, they will always come up with some fresh to deceive even the impossible to deceive.

[Amphenomenon]

Downloading from official sites is one of the best ways to avoid this, even if the app is found on these platforms, they will redirected to the official app on the store.

The thing is ledgerlive is supported for phone and for PC, the reason is there are many version of Ledger hardware wallet that supports connection Bluetooth and USB. Most common connections you see on pc is USB cable and Bluetooth but you can make connection with phone as well with Ledgerlive app through Bluetooth or OTG for android phones, this is why you get redirected to app store and play store if you use mobile phone.

The PC version are there to download too but I assumed Mac users think every app on Mac app store is considered to be better and safe, that's why they downloaded from the store directly only to end up with fake one.

What we are saying is almost the same, people are less cautious while on Appstore and then hackers has used this cause harm after finding exploits to push their apps there.

Redirection from the official site to Appstore is not bad since you ate just being redirected to the official app there.

[avp2306]

Downloading from official sites is one of the best ways to avoid this, even if the app is found on these platforms, they will redirected to the official app on the store.

The thing is ledgerlive is supported for phone and for PC, the reason is there are many version of Ledger hardware wallet that supports connection Bluetooth and USB. Most common connections you see on pc is USB cable and Bluetooth but you can make connection with phone as well with Ledgerlive app through Bluetooth or OTG for android phones, this is why you get redirected to app store and play store if you use mobile phone.

The PC version are there to download too but I assumed Mac users think every app on Mac app store is considered to be better and safe, that's why they downloaded from the store directly only to end up with fake one.

What we are saying is almost the same, people are less cautious while on Appstore and then hackers has used this cause harm after finding exploits to push their apps there.

Redirection from the official site to Appstore is not bad since you ate just being redirected to the official app there.

Yes because what common people do is they don't pay much attention to verify what they are trying to download. Usually the common scene happened is they download the apps when they see the result and saw the logo of the apps they need to download. Doing that is so risky because chances that those fake apps like OP mentioned will compromise them.

That's one of the few reason why I don't download download wallet apps on Appstore or even on Google playstore, since this fake apps is the one I'm trying to avoid. I usually go on official sites then download their apps to make sure the one I download is legit and not the fake one.

[rat03gopoh]

So it's not like those app stores are not doing their jobs right, this m*****fckers have found a way to bypass that security check? I'm guessing since this is already all out in the open now it's way better than when they don't know.

This isn't an uncommon case; if you search for cloned apps in app stores today, you'll likely find 10 in the first 5 minutes.
App store vetting measures have been too lax for a long time, even in this era where AI should be their go-to tool for more rapid vetting of app developers' embedded code.

[uchegod-21]

Do you know what a bait-and-switch strategy is? Recently have you heard about how a fake Ledger wallet stole about $9.5M from crypto users?

I have not heard. But why these much amount of money. People are crazy rich o

Do you know how hackers are able to upload their software on the Apple Store? It's very important to know how they have been using the bait-and-switch strategy to upload their software or apps.

I don't know, please enlighten me.

A bait-and-switch strategy is like promising something but delivering something else...

...That means developers first upload a fake screenshot or description or a well-known app, and the app gets approved. On the other hand, developers even upload the legimate software or apps; after approval, they update the apps, or they could change the backend from their hosting or server. That's how scammers obtained the approval for fake apps.

This is fearfully dangerous. How come I haven't heard about this strategy for long. And this method doesn't sound new at all.
How are they able to do this. I think if there are any changes from the backend and pushed into the GitHub repo, for anyone to use that version, they need to update it from apple store or play store. Does it mean that if someone is not updating, they could be safe here.

So you have to be careful from now about fake apps. Always make sure you are downloading something from the original website; it will redirect to the app store if there are existing apps.

Yes o, that is the right thing to do. Not only downloading, but also during updating.

Have you heard before about this strategy? Have you prepared yourself to avoid such fake software?

I haven't heard, but now I am aware and I am going to spread the awareness.

[UchihaSarada]

Have you heard before about this strategy?

I have never heard of this strategy.

Have you prepared yourself to avoid such fake software?

I prevent this happening to me by always visit official websites, and get download links from there. It's with big companies, famous products from them, and I am surely more skeptical and careful with any new launched companies, applications that very likely I don't mind to visit their sites or download their applications.

People can more easily be exposed to fake applications if they rely on searching on Google and other search engines. Somehow Google allows scammers to shill their scam, phishing websites and fake applications on top of Google search results.

It's not about the method used in your warning but generally people can avoid many scams by learning from this cryptocurrency scambook, especially the part for phishing scams.

[FinneysTrueVision]

Some months ago, there was a post from a user recounting how they lost their funds through a fake Electrum app they downloaded from the App Store. In the app’s description they were claiming to be a PDF converter, and that may have been the purpose of their original app that was approved by Apple before replacing it with something malicious.

That fake Electrum app is no longer in the App Store, but I just searched for “electrum” and found a different fake app that is likely from that same developer. The fake app has a similar app icon as Electrum, but the screenshots and description make it appear that it is an expiration date tracker. Their strategy is to pretend to be something benign to get approval and then switching it with malware.

[jcojci]

I read the news but can't thinks how that can happens as Apple is strictly monitoring their apps before release in their store.

If they change the update of the app, that is soo tricky as they can gives false update to their customers. Customers will thinks that the update is real from the developer so they will download without checking.

I think that is old trick the hackers use to get what customers have. It is our responsibility to always careful and double check the source. Make sure that we download in the real site.

[joniboini]

If they change the update of the app, that is soo tricky as they can gives false update to their customers. Customers will thinks that the update is real from the developer so they will download without checking.

I mean, would that even matter for them? Scammers target our money; they obviously won't care if someone protests that their update is a fake one or something else. As mentioned above, some even went so far as to publish something different from the version they sent to Apple for verification. Even if Apple uses AI or something else to verify the code, I'm not sure that'll be a good solution since it means spending a lot of resources verifying each update, and legit developers might even think those can be abused since Apple might collect their data for something else. CMIIW.

Just make sure you double-check and verify everything before you download new apps. If developers don't offer a way to do that, then just avoid it or use something else.