In February this year, Phillipe Christodoulou wanted to check his bitcoin balance. He used his iPhone to search for ‘Trezor’ on the App Store. Trezor is the manufacturer of the small hardware device he uses to store his crypto. The company’s padlock logo popped up as usual, and the app was rated close to five stars.
He believed that Apple’s App Store was safe and downloaded the app and typed in his credentials. Within a few seconds, almost all of his life savings, 17.1 bitcoin worth $600,000, were stolen. This app was a fake and it was designed to trick people into believing that it was legitimate.
Nonetheless, Christodoulou is angrier at Apple than at the criminals who stole his BTC. He insisted that Apple marketed the App Store as a trusted and safe place where every app is reviewed before it is added to the store. He did not expect that crypto scams would wipe out his funds through an app from the App Store.
Christodoulou said that he no longer admires Apple, although he was previously a loyal customer. He said:
“They betrayed the trust that I had in them. Apple doesn’t deserve to get away with this.”
Apple insists that it is “the world’s most trusted marketplace for apps.” According to the company, every submission is scanned and reviewed, guaranteeing that they are secure, safe, unique, and useful.
How The Criminals Operate
Analysis shows that it has now become easy for cybercriminals and scammers to circumvent Apple’s rules. Illegal app developers can break Apple’s rules by submitting what appear to be safe apps for approval. Then, they transform these apps into phishing apps that dupe users into giving up personal and confidential information.
Whenever Apple discovers such apps, it removes them and then bans the developers. However, it is always too late for anyone who has already fallen for one of these scams, as Christodoulou did in this case.
Crypto scams are also common on the Web and on Google’s Android. However, their presence on the Apple App Store is quite surprising, since Apple insists that it curates the entire store and reviews every app, which in turn creates high levels of consumer trust.
The 15% to 30% commission that Apple collects on all sales on the App Store funds a ‘highly curated’ customer experience. Apple spokesperson Fred Sainz explained:
“User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since. Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store’s protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.”
The ability of apps to change into something else after they get approval raises concerns about how effectively Apple’s review process detects and stops scammers before they strike. Apple has yet to say how often such scam cases appear or how often it deletes them from its platform.
However, it said that it banned 6,500 apps for “hidden or undocumented features” in 2021. Apple insists that it has top-notch user safety, an argument it uses in its defense against accusations from legislators, regulators, and competitors that the firm uses its monopoly over the distribution of mobile applications on iPhones anti-competitively.
The executive director of the Coalition for App Fairness, Meghan DiMuzio, said:
“Apple frequently pushes myths about user privacy and security as a shield against its anti-competitive App Store practices. The truth is, Apple’s security ‘standards’ are inconsistently applied across apps and only enforced when it benefits Apple.”
The Coalition for App Fairness is an organization that was formed to fight Apple’s power over its App Store.
Apple And Google Agree That Such Scams Exist
For its part, Apple agreed that there have been other crypto scams on the App Store previously but would not say how many. The iPhone maker did not comment on whether fake Trezor apps have sneaked into the App Store in the past, or whether new apps going by the name ‘Trezor’ will get flagged as possibly fraudulent in the future.
Coinfirm, a UK-based firm that specializes in crypto regulations and conducts many fraud investigations, said that it has received at least 7,000 inquiries about stolen crypto assets since October 2019. The company’s chief information officer, Pawel Aleksander, said that fake apps in Apple’s App Store and Google’s Android Play Store are common.
Coinfirm mentioned that five people have already reported having crypto stolen by the fake Trezor app on iOS. Cumulatively, users have already lost $1.6 million to this fake app. There have also been three reports of fake Trezor apps on Android that stole up to $600,000 in crypto.
Apple avoided naming the developer of the fake Trezor app or offering the developer’s contact details. The company also did not say whether it was turning over the name to law enforcement or whether it had investigated the developer further. Moreover, Apple did not say whether the developer had developed any other apps in the past or had any connections to other developer accounts under pseudonyms.
In that context, Google spokesperson Colin Smith said:
“We don’t allow apps that mislead users by impersonating another app, developer or company, and when we discover an app that violates our policies, we take appropriate action.”
Google acknowledged that it knows about two fake Trezor apps that went live on the Google Play store. It deleted both of these apps before they could steal from unsuspecting users. What Google did not say is how the Trezor apps made it onto the store.
The search engine company did not mention whether it notified law enforcement, or how many other scam apps have made their way into the store. No information was provided on whether the criminal developers were investigated. Analytics firm App Figures found eight fake Trezor apps that have already appeared on the Play Store.
Crypto Theft Lucrative For The Cybercriminals
The theft of crypto is one of the most lucrative of all Internet scams. Millions of dollars in virtual currency can be stolen instantly, and high-profile crypto heists have netted criminals up to $530 million, as happened in the Coincheck hack in 2018.
Apple banned cryptocurrency wallets on the App Store in 2014 but then restored them the same year. The company does not allow crypto mining apps, and it places more restrictions on crypto wallet apps.
To secure their investments better, people who own crypto transfer their holdings to “hardware wallets.” Such wallets include USB thumb drives that store the secret and sensitive information a thief might need to steal crypto.
Hardware wallets plug into a computer using a USB connection. Users need to type in a PIN and sometimes a passphrase to access the hardware wallet and make transactions. If a hardware wallet is lost or destroyed, its contents can be restored using a secret ‘seed phrase.’
Some users store the seed phrase in a safe deposit box, or etched on durable metal that can survive a fire, hoping that they will never have to use it. The scammers use phishing to trick users into giving up their seed phrases. Trezor is based in the Czech Republic and it is owned by a firm known as Satoshi Labs.
Trezor Speaks Out
Trezor is a well-known maker of hardware wallets. It does not have a mobile app but crypto thieves have created fake ones and put them on Apple’s App Store in January and the Google Play Store in December. The cybercriminals have managed to trick some unsuspecting Trezor users into providing their seed phrases.
A Trezor spokeswoman, Kristyna Mazankova, mentioned that the firm has been contacting Google and Apple for years telling them about the fake apps posing as a Trezor product to scam its users. Trezor does not have a mobile app but it is working on one. The process of reporting fake apps is ‘painful’ and the Apple and Google representatives have not been in contact with the hardware wallet manufacturer.
Mazankova said Trezor notified Apple about the fake app on February 1. Apple removed the app on February 3. However, as Christodoulou highlighted, the app reappeared days later before it was removed from the store again.
According to Apple, the fake Trezor application appears to have got into the App Store via a bait-and-switch. Although it was known as Trezor and used the Trezor logo and color themes, it presented itself as a “cryptography” app. It was designed to encrypt iPhone files and store passwords, as explained by Apple.
Developers of the fake app told reviewers that it “is not involved in any cryptocurrency.” Apple approved this app and it went live in the App Store on January 22, according to mobile analytics firm Sensor Tower.
Some time later, this Trezor cryptography app changed itself into a crypto wallet. Apple prohibits such changes but it does not know when they occur. It mainly relies on clients and users to report such incidents when they happen.
The Fake Apps Steal From Unsuspecting Victims
Apple said that it removed the fake app and banned the developer after Trezor reported it. But another fake Trezor app appeared some two days later and Apple removed it too. The company did not say how it discovered the fake apps but said it deleted them from the App Store since they were fraudulent.
According to Sensor Tower, the Trezor app was on the Apple App Store from January 22 to February 3 and seems to have been downloaded over 1,000 times. Also, the app was downloaded nearly 1,000 times on Android, although it is not yet clear when it became available.
A reliability engineer at a paper company based in Savannah, Ga., James Fajcz, also said that he had his crypto stolen by the same fake Trezor app. In December 2021, he acquired $14,000 worth of ETH and BTC on Coinbase and Binance with some of his savings.
He wanted to secure his investment. He decided to buy a Trezor Model T hardware wallet and then downloaded a Trezor app on his iPhone. The app asked for his seed phrase but it did not connect to his Trezor wallet and he thought that it did not work.
Some weeks later, he acquired more ETH from Coinbase but found nothing when he plugged in his Trezor device. He then went on the Trezor support forum on Reddit looking for answers. He was informed that there is no Trezor app and he realized that he had been conned.
Fajcz contacted Apple but a company representative said that the iPhone maker was not responsible. Fajcz said:
“This was a trusted app on the App Store claiming to be the best and most trusted app store on any system anywhere. And this nefarious app gets on the platform? I feel Apple should be held partially or fully responsible for that.”
Christodoulou had amassed 18.1 bitcoin over the years. At the start of the pandemic, each coin was worth around $5,500. By October, the price started to explode, surpassing $60,000 earlier this year. Christodoulou hoped his bitcoin holdings would help save his dry-cleaning business, which was hit hard by the pandemic.
On February 1, he wanted to check his BTC balance using his phone, instead of a computer or other devices. He checked the App Store and downloaded the fake Trezor app and entered his seed phrase. He then plugged his Trezor hardware wallet into his computer to check his balance and it was all gone.
Christodoulou decided to look at the reviews in the App Store. Before it was removed from the store, the Trezor app had 155 reviews with a rating of almost five stars, according to App Figures. When he opened the written reviews, he discovered complaints from other victims who had been scammed in the same way. The 5-star ratings that helped make this app appear legitimate must have all been fake.
Christodoulou notified Apple about the incident and filed a report with the FBI. An FBI spokeswoman, Lauren Hagee Glintz, declined to comment on the matter.
Commercial blockchain firm Chainalysis reviewed most of the documents provided by Christodoulou and Fajcz. The team confirmed that the crypto was moved from the victims’ wallets to suspicious accounts. A spokeswoman for Chainalysis, Madeleine Kennedy, said that both of these thefts appeared related. She said:
“There’s evidence this is a substantial scam bringing in hundreds of thousands of dollars.”
Only one of Christodoulou’s 18.1 bitcoin survived, since he had moved it to a BlockFi savings service. At the time of the theft, the 17.1 bitcoin were worth $600,000, but the value went up to $1 million later as the bull market continued.
Christodoulou has still not heard from Apple.