A scam bitcoin app that was designed to look like a genuine app was accepted by Apple's App Store review team and ended up costing iPhone user Phillipe Christodoulou 17.1 bitcoin, or upwards of $600,000 at the time of the theft, reports The Washington Post.
Christodoulou wanted to check on his bitcoin balance back in February, and searched Apple's App Store for "Trezor," the company that makes the hardware device where he stored his cryptocurrency. He saw an app with the Trezor padlock logo and a green background, so he downloaded it and entered his credentials.
Unfortunately, the app was fake, and was designed to look like a legitimate app to fool bitcoin owners. Christodoulou had his total bitcoin balance stolen from him, and he's angry with Apple. "Apple doesn't deserve to get away with this," he told The Washington Post.
Apple reviews all App Store app submissions to prevent scam apps from being downloaded by iPhone users, but there are plenty of scam and copycat apps like the fake Trezor app that slip by and have major consequences for iPhone users.
Apple says the fake Trezor app got onto the App Store through "a bait-and-switch." It was called Trezor and used the Trezor logo and colors, but said that it was a "cryptography" app that would encrypt iPhone files and store passwords. The developer of the fake app told Apple that it was "not involved in any cryptocurrency." After the fake Trezor app was submitted, it changed itself into a cryptocurrency wallet, which Apple was not able to detect.
Meghan DiMuzio, the executive director for the Coalition of App Fairness that counts anti-Apple companies like Epic Games as a member, said that Apple "pushes myths about user privacy and security as a shield against its anti-competitive App Store practices." She said that Apple's security standards are "inconsistently applied across apps" and "only enforced when it benefits Apple."
Apple spokesperson Fred Sainz told The Washington Post that Apple takes swift action when criminals defraud iPhone users.
"User trust is at the foundation of why we created the App Store, and we have only deepened that commitment in the years since. Study after study has shown that the App Store is the most secure app marketplace in the world, and we are constantly at work to maintain that standard and to further strengthen the App Store's protections. In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future."
Apple declined to comment on how often scam apps are found or how often they're removed from the App Store. The company did, however, say that 6,500 apps were removed last year for "hidden or undocumented features."
Apple acknowledged that it has discovered other cryptocurrency scams on the App Store, but did not provide specific details on numbers or on whether there had been fake Trezor apps in the past. Trezor does not offer an iOS app at all, and a Trezor spokesperson said that it had been notifying Apple and Google about fake Trezor apps "for years."
Apple would not provide The Washington Post with the name of the developer of the fake Trezor app or say whether that developer had other apps in the App Store under other names, nor would Apple say whether the name was turned over to law enforcement officials. Apple says that it removed the fake Trezor app and banned the developer after the actual Trezor company reported it. Another fake app popped up two days later, and Apple removed that, too.
UK-based cryptocurrency regulation company Coinbase said that it has received over 7,000 inquiries about stolen crypto assets since 2019, and fake apps found in Google Play and the App Store are common complaints. In fact, five people have had cryptocurrency stolen by the fake Trezor app on iOS, with losses totaling $1.6 million.
Data from Sensor Tower suggests that the fake Trezor app was on the App Store from January 22 to February 3, and was downloaded approximately 1,000 times. The 17.1 bitcoin that Christodoulou lost are worth close to $1 million today, and Christodoulou says that he's heard nothing from Apple on the subject.
Another iPhone user who lost $14,000 worth of Ethereum and bitcoin said that an Apple representative told him Apple was not responsible for the loss from the fake Trezor app.