iPhone Bitcoin App Steals Over $2 Million

image credit: SatoshiLabs

published by Chad Evans
April 4, 2021 at 3:49 p.m.
  • A fake app masquerading as Trezor, distributed in the App Store, stole over $2 million from Apple customers.
  • The highly-rated fraudulent app passed all of Apple’s security checks, appearing as a legitimate download in the App Store.
  • Apple hasn’t refunded any of its customers’ money, instead stating that its App Store is highly secure.

What is Trezor?

Trezor is a legitimate cryptocurrency wallet. It’s not just an app; it’s a physical device. Essentially, it offers secure, offline storage for Bitcoin and other cryptocurrencies. Users simply plug their Trezor device into an iPhone, and the app allows them to conduct transactions and view portfolio information.

Recommended by social media billionaires and countless publications, Trezor has a solid reputation for reliability and security. Although some fault rests on the developers’ shoulders, few would imagine a completely counterfeit app making its way into the App Store. A bogus app didn’t cheat Android users out of their life savings. This was an Apple-exclusive.

The whole point of Trezor is to secure cryptocurrency in a portable device rather than let it reside on a smartphone or computer, where it can be more easily compromised. For the sake of convenience, Trezor is smaller and more portable than most real wallets. The actual cryptocurrency resides on the fob, and, in an ideal scenario, only Trezor’s app and trusted partners have access to the data.

Companies like Trezor rely on the App Store and Google Play to ensure that end-users don’t install deleterious software. Unfortunately, Apple dropped the ball, allowing a malicious, fake Trezor app into the App Store.

How Did A Fake App Get Approved by Apple?

Malicious actors circumvented App Store security by first submitting a harmless app. After passing the initial review, they added black hat functionality, gradually transforming a safe and trusted app into malware.

Apple is aware of the issue, and this isn’t the first time it has occurred. After an app is submitted and approved, it isn’t re-assessed for security issues with every update. Apple only bans the app if it resorts to some black hat activity, such as phishing.

The Cupertino tech giant relies on customer reports to find malicious apps. In this case, by the time users reported the issue to Apple, it was too late. The cybercriminals behind the fake Trezor app had already made off with victims’ funds, and in one case, a man’s entire life savings.

Apple’s Response to Customers’ Loss Due to a Counterfeit Trezor App

Apple’s reaction to the theft of $2 million was expectedly nonchalant. With its infamous reality distortion field in full force, the company issued the following statement via spokesperson Fred Sainz:

“User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since… Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store’s protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.”

A quick yet thorough search of Google didn’t reveal one such study, nor a multiplicity. Apple’s newsroom doesn’t feature an article referencing App Store security research. Apple’s spokesperson also fails to reference such research in his statement.

As for its customers, beyond a hollow pledge of security, there appears little concern for their loss. There’s no mention of the company refunding its customers’ wealth. The company with the world’s largest market capitalization is doing little for its swindled users beyond removing apps per request and banning bad actors. Perhaps that’s how it remains on top, as innovation proves elusive.

Beware of Counterfeit Apps

Consumers need to exercise care when installing any software on any system. Although Apple’s clever marketing assures end-users that the App Store is safe, this is patently false.

Satoshi Labs, Trezor’s developer, also bears some responsibility for the hack. The company surveilled the App Store, alerting Apple to the first two appearances of fake Trezor apps. Apple removed both apps, but its “whack-a-mole” strategy proved ineffective, and there’s still no will to ban apps with duplicate names.

Although the company went above and beyond, doing security work that’s Apple’s responsibility, it should harden its system against such exploits. Satoshi Labs makes both the key and the lock. They shouldn’t allow their key to work in a counterfeit lock.

Google fares better than Apple when it comes to sniffing out malicious apps. Apps that duplicate the names of established software are generally not permitted. Google was able to protect users from every fake Trezor app. In this case, Android users were better protected than iOS users.

Cryptocurrency Theft: A Growing Concern

The App Store’s recent malware debacle isn’t new and isn’t unique to Apple. Malicious actors have conned several thousand people out of their cryptocurrency over the years, employing many different schemes. Although the Google Play store does a better job of protecting users from counterfeit apps, Android users also succumb to cryptocurrency theft.

Blockchain currencies are the future, according to the Massachusetts Institute of Technology. Decentralizing currency and intellectual property holdings seems to be a prospect, but it’s not quite here. Experts believe that widespread adoption of cryptocurrencies and blockchain assets is inevitable, along with financial institutions’ ultimate demise.

The U.S. Treasury and most other governmental financial institutions haven’t bought into cryptocurrency. Unlike a bank account, your Bitcoin or other blockchain currency isn’t FDIC insured. Furthermore, there still isn’t one established cryptocurrency, and this may never be the case.

In virtually every regard, cryptocurrency is an emerging technology. You can buy some things with it, but don’t expect a bailout if you lose it all. It’s not a good idea to put your entire life savings in something bleeding edge, but it could have a tremendous upside. As with all risky investments, it’s best to proceed with caution.

For now, Android devices seem better equipped to handle cryptocurrency wallets like Trezor. Google’s vigilance and determination to remove duplicitous apps eliminates this concern. Still, cryptocurrency is bleeding edge. It’s best not to bet the milk money on emerging currencies, but it’s clear that they’re the future.
