In brief
- A user lost 17.1 Bitcoin, worth $600,000 at the time, to a fake Trezor app on Apple’s App Store.
- To bypass Apple’s review process, some malicious developers are modifying their apps after they’ve been approved.
A malicious smartphone app on Apple’s App Store, mimicking the name and visual style of Trezor hardware wallets, was used to steal 17.1 Bitcoin (BTC) from an unsuspecting user—worth $600,000 at the time, and over a million dollars today.
Per a report in The Washington Post, Trezor user Phillipe Christodoulou had stored his Bitcoin on a Trezor hardware wallet, and—wanting to check his balance—downloaded an app purporting to be from Trezor on the iOS App Store.
Although Trezor does not currently support Apple’s iOS mobile operating system and does not have a mobile app, the app used the company’s name and branding, and had a user rating of nearly five stars—making it appear trustworthy.
After Christodoulou downloaded the app and typed in his wallet's recovery phrase, all of his crypto immediately disappeared.
“They betrayed the trust that I had in them. Apple doesn’t deserve to get away with this,” Christodoulou said.
Christodoulou isn’t the only person to fall victim to the scam; Georgia resident James Fajcz also told the outlet that he lost $14,000 worth of Bitcoin and Ethereum to the fake app.
Apps slipping through the cracks
Apple touts its store as “the world’s most trusted marketplace for apps.” Speaking to the Washington Post, a spokesperson for Apple explained that all apps undergo a rigorous review process—but acknowledged that there have been other cryptocurrency scams on the App Store. The app that was used to scam Christodoulou was available on the App Store from at least January 22 to February 3 and was downloaded around 1,000 times.
In this specific instance, the fake Trezor app was initially submitted in the "cryptography" category, as a tool for encrypting iPhone files and storing passwords; only after it had passed review did the developers turn it into a crypto wallet app. Apple told the Washington Post that it had removed 6,500 apps for "hidden and undocumented features" last year, but acknowledged that it relies on users and customers to report fake apps. When Christodoulou checked the written reviews for the fake Trezor app, he found numerous complaints from others who had been scammed in the same way.
Apple isn’t the only company whose app store has played host to fake crypto wallet apps. In January this year, Trezor took to Twitter to warn users of a malicious Android app in the Google Play Store that had been downloaded more than 1,000 times.
“We don’t allow apps that mislead users by impersonating another app, developer or company, and when we discover an app that violates our policies, we take appropriate action,” Google spokesperson Colin Smith told the Washington Post; the company noted that it had recently identified and removed two fake Trezor apps from the Google Play Store, though analytics firm App Figures reportedly identified eight fake apps on the store.
In both cases the scam was plain phishing: the app asked hardware wallet users to type in their recovery phrase. That phrase is the wallet's entire secret. From it the scammers could regenerate the same private keys on their own device, without ever touching the victim's hardware, and send the funds to an address of their choice. Blockchain analytics firm Chainalysis reported that Christodoulou and Fajcz's funds had been sent to "a suspicious account."
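To make concrete why a captured recovery phrase is enough, here is an added example (not code from Trezor or from the original article) that walks the standard BIP39 and BIP32 steps with nothing but Python's standard library. The "victim" phrase is the well-known all-zero-entropy BIP39 test vector, not anyone's real wallet, and the passphrase "TREZOR" used in the first check is simply the one the BIP39 specification's test vectors use.

```python
"""Why a phished recovery phrase is game over: BIP39 seed and BIP32 master key
reconstruction with the standard library only.

Added example, not Trezor's code. The victim phrase below is the BIP39
all-zero-entropy test vector (constructed input), not a real wallet.
"""
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, over the NFKD-normalised
    phrase, salted with "mnemonic" + optional passphrase -> 64-byte seed.
    Nothing else goes in, so anyone holding the words derives the same seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the string "Bitcoin seed".
    Left 32 bytes are the master private key, right 32 bytes the chain code;
    every account and address key is derived deterministically from these."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def clone_wallet(phished_phrase: str, passphrase: str = "") -> dict:
    """What the fake app's operator does with the captured words: rebuild the
    same master key on their own machine. No hardware device is involved."""
    seed = mnemonic_to_seed(phished_phrase, passphrase)
    priv, chain = master_key_from_seed(seed)
    return {"seed": seed.hex(), "master_priv": priv.hex(), "chain_code": chain.hex()}


# Constructed "victim" phrase: the all-zero-entropy BIP39 test vector.
VICTIM_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    # Device owner and phisher end up with byte-identical key material.
    on_device = clone_wallet(VICTIM_PHRASE)
    on_attacker_box = clone_wallet(VICTIM_PHRASE)
    assert on_device == on_attacker_box
    print("master private key:", on_device["master_priv"])
    # The one thing the words alone do not reveal is an optional BIP39
    # passphrase ("hidden wallet"): change it and the whole seed changes.
    hidden = clone_wallet(VICTIM_PHRASE, passphrase="correct horse")
    print("with passphrase   :", hidden["master_priv"])
```

The takeaway is in `clone_wallet`: the hardware device adds nothing to the derivation, so once the words leave it the device is irrelevant. The only secret the phrase does not carry is a BIP39 passphrase, which is why a passphrase-protected hidden wallet survives a leaked phrase while a standard wallet does not.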
The lesson is simple: never type a wallet recovery phrase into an app, website or form, however convincing it looks. A hardware wallet exists precisely so that the phrase is only ever entered on the device itself during recovery; nothing running on a phone or computer needs it.