Crypto tricksters setting up fake apps

Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for “Trezor,” the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company’s padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.

But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store.

Christodoulou, once a loyal Apple customer, said he no longer admires the company. “They betrayed the trust that I had in them,” he said in an interview. “Apple doesn’t deserve to get away with this.”

Apple bills its App Store as “the world’s most trusted marketplace for apps,” where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it’s easy for scammers to circumvent Apple’s rules, according to experts.

Criminal app developers can break Apple’s rules by submitting seemingly innocuous apps for approval. Once they’re in the store, scammers can simply transform the apps into what amount to phishing apps that trick people into giving up their information, until Apple finds out and removes the app, according to Apple.

Crypto scams are also common on Google’s Android and on the Web. But their presence on the Apple App Store is more surprising because Apple says it curates the store and checks each app, which creates high levels of consumer trust. The 15% to 30% commission Apple collects on all sales on the App Store goes to fund the “highly curated” customer experience, the company has said.

“User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since,” said Apple spokesperson Fred Sainz. “Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store’s protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.”

The ability of apps to morph into something else entirely after they are approved by the App Store raises questions about the effectiveness of Apple’s review process to stop scammers. Apple wouldn’t say how often these scams appear, or how often it removes them. But it did say it removed 6,500 apps for “hidden or undocumented features” last year.

Apple acknowledged that there have been other cryptocurrency scams on the App Store but wouldn’t say how many. Apple wouldn’t say why, when fake Trezor apps had sneaked into the App Store in the past, new apps called “Trezor” were not flagged as potentially fraudulent.

Coinfirm, a U.K. company that specializes in cryptocurrency regulations and conducts fraud investigations, says it has received more than 7,000 inquiries about stolen crypto assets since October 2019. Fake apps in Google’s Android Play Store and Apple’s App Store are common, said Pawel Aleksander, the company’s chief information officer.

Coinfirm said five people have reported having cryptocurrency stolen by the fake Trezor app on iOS, for total losses worth $1.6 million. There have been three reports of fake Trezor apps on Android that stole a total of $600,000 in cryptocurrency.

Apple would not name the developer of the fake Trezor app or provide the developer’s contact information. Apple wouldn’t say whether it was turning over the name to law enforcement agencies or whether it investigated the developer further. Apple also wouldn’t say whether that developer had developed any other apps in the past or had connections to other developer accounts under different names.

Google didn’t say how the Trezor app made it onto the Google Play store. It said it knows of two fake Trezor apps that have appeared on the store. It removed both. The company didn’t say whether it notified law enforcement agencies, or how many other scam apps it has found on the store.

Of all the internet scams, the theft of cryptocurrency is one of the most lucrative for thieves. Millions of dollars in digital currency can be pilfered in a split-second, and high-profile crypto heists have netted thieves as much as $530 million, which occurred in the Coincheck hack in 2018.