Now imagine the scam app says "Obscure <Bank Name>" on it, but is described as e.g. "interest rate calculator", the developers claim (during review) it is unrelated to banking, and it only changes to ask for bank credentials after it's been through review.

Roll the tape:
Apple says the fake Trezor app got through the App Store through "a bait-and-switch." It was called Trezor and used the Trezor logo and colors, but said that it was a "cryptography" app that would encrypt iPhone files and store passwords. The developer of the fake app told Apple that it was "not involved in any cryptocurrency."
Basically, the most charitable interpretation here is that Apple allowed an app into the App Store which infringed on an established company’s intellectual property (its name, logo, and brand).

It also doesn’t take a tremendous amount of research to figure out that Trezor is a cryptocurrency company; the description under the first result for “trezor” in both Google and DuckDuckGo explicitly mentions cryptocurrencies. What business does this company have releasing a “cryptography” app?

App Review approaches worthlessness for the sake of speed. I’ve had updates approved in less than 10 minutes in the “In Review” status. That’s great for shipping updates quickly, but it’s absolutely a double-edged sword.
 
Basically, the most charitable interpretation here is that Apple allowed an app into the App Store which infringed on an established company’s intellectual property (its name, logo, and brand).
A company that specifically is not present in the App Store. If Satoshilabs have an issue with others operating legitimate apps in markets they themselves do not operate in, they have two options: a trademark lawyer, or file a complaint with Apple.

People already lose their **** over Apple enforcing the rules they have - you want them to add "comprehensive worldwide trademark compliance" to that? What happens if a company called Trezor wants to make a smart door lock? Should they be excluded from the App Store, because Satoshilabs have a product called "Trezor" and they use the most generic-looking padlock icon you could imagine?


It also doesn’t take a tremendous amount of research to figure out that Trezor is a cryptocurrency company;
You've just disproved (edit: re-wrote, missed a word) your own point, because Trezor isn't any company related to this story. It's a product name. The company that makes it is called Satoshilabs. Trezor is however a vaguely-technology company registered in Alabama. And several dental clinics apparently.

What business does this company have releasing a “cryptography” app?
Which business? The actual Satoshilabs? Or the "scammers"?

If you mean the former, it's not uncommon for companies to offer vaguely-related apps on iOS that use the same branding, but differ somehow. Cryptographic hashes are the basis of any cryptocurrency, and Satoshilabs also offers a password manager that can use the same hardware device.

If you mean the latter? Who knows. What business does any company have releasing anything?


I’ve had updates approved in less than 10 minutes in the “In Review” status. That’s great for shipping updates quickly, but it’s absolutely a double-edged sword.
Yeah no ****.

One would presume that the initial reviews are longer, and that Apple then tends to put some level of trust in developers making updates to apps that are already in the store with positive reviews.

The alternative is they distrust all developers, and app review times balloon out to ridiculous levels.

I don't write software for Macs/iOS, so I don't have to deal with this issue, but I'd be pretty ****ing annoyed if a vendor I depend on for delivery of my product said that they were going to essentially distrust all established developers because stupid people can't follow simple instructions.
This wasn't "granny downloaded 'Fake Gmail.app' and now her Facebook account is hosting pictures of lemon party".

One idiot bought an offline hardware wallet, and then completely failed to grasp how to use it.
 
Apple bootlickers: Apple's being the sole point of iOS software distribution is good because it keeps iOS safe from malware and bad actors.

Also Apple bootlickers when someone gets scammed out of $600,000 by using an App Store phishing app: It's the user's fault they got scammed for dealing in cryptocurrency and/or failing to do their research.

Alright, fair enough I guess, now imagine someone pulls off this same attack with a scam bank app and gets users' credentials and account information fraudulently.

Also, isn't the whole point of the App Store that it's a so-called "trusted marketplace" where users shouldn't have to worry about these kinds of attacks? That a user shouldn't have to "do their research" on whether an app is legitimate?
Why imagine another scenario when we have a report of this scenario? It is utterly pointless to try and bring someone else in that is very different. Have you ever used a hardware transaction signing device?
 
The manufacturer of the hardware device in question states this, in their "Security Best Practices" (emphasis theirs):



I find it highly unlikely the guy's physical device told him to download an app from the App Store (they don't have their own official iOS app) and put in whatever 'secrets' it asked for.

There are numerous stories about apps using deliberate deception to pass App Store review, before becoming malicious in some way after published.

Imagine if you will, a bank that markets itself as being for the ultra-paranoid, in the modern world of phishing scams and card skimmers.

They issue no physical card. They offer no phone apps. They offer _just_ a website, that you use with a physical token plugged into your device, and they tell you to only ever enter your super secret password when the physical device tells you to.


You then download an app that bears their name/logo, and proceed to enter your super secret password into the screen, without any connection to the physical token, much less the token telling you to do so.


Software cannot prevent stupidity.

Can you actually point to the wording “pre-approved?” Or even guaranteed to be virus and malware free?

The real issue is that there is no free market, governments keep interfering in them and creating imbalance with the intention to remove imbalance.

I'm sorry but you don't seem to understand the actual issue here. Even if it was a legit application and not trying to fake it, the action the guy undertook should never take place on a mobile device. It is not Apple's job to guard against such basics of someone else's product.

This check could have passed all those checks. And there is nothing illegit about it. Sharing recovery keys like that is just stupidity of the first order. That is not Apple's or any other company's fault. The product that he uses clearly states that you shouldn't do that. Heck, you should store it in parts off-site and well protected. Don't let anyone have the full seed.

Apparently the app changes itself after install. They claimed it was an app to secure your phone during review. Then the app changed.

It also doesn’t seem to be the version Apple approved. Some changes were made.

How did this guy know what it was if it was described as something else?

These questions need answering to understand who exactly is defrauding who...

All your arguments are true except for one thing: when I deal with the official App Store it's Apple's promise that they approve apps in a review process before they get on the store, and they review the updates too.

Worst case scenario, this should not have been a scam app; he trusted Apple not to allow scam apps in the store despite how stupid he is. Like on macOS, buying from the App Store and not the web is to ensure that the software is non-malicious.
 
All your arguments are true except for one thing: when I deal with the official App Store it's Apple's promise that they approve apps in a review process before they get on the store, and they review the updates too.

Worst case scenario, this should not have been a scam app; he trusted Apple not to allow scam apps in the store despite how stupid he is. Like on macOS, buying from the App Store and not the web is to ensure that the software is non-malicious.
Not really. The recovery seed for an offline hardware signing device simply does not belong, ever, in any online software. Don't even put it in a Word document. Just never ever do that. Don't put it in the iMessage app when "trezor" or "ledger" support asks you for it. Don't put it in the official Mail app when anyone asks you for it. I guess all these other apps, and the Ledger scams (which are very real ever since their customer database was hacked), are Apple's fault as well?

What people don’t seem to understand, the software doesn’t need to be malicious. The software doesn’t even have to do anything.

Anyway, what I do agree with is that Apple needs to step up its game for post-installation changing applications. But that is a fine balancing act. I think that in general they have got it right. Protect us from apps that are malicious and can get to our data and the like without us knowing. But don't smother us to protect a handful of people who seem to fail at the absolute basics of why they got such a device in the first place.
 
All your arguments are true except for one thing: when I deal with the official App Store it's Apple's promise that they approve apps in a review process before they get on the store, and they review the updates too.
We don't know whether the malicious behaviour was activated by an updated version, or if it just does a check on startup against some external resource, and presents differently when used from e.g. an Apple owned IP, or after review has passed, etc.

Based on the information in the original article, I'd guess this is the App in question: https://sensortower.com/ios/US/nataliia-tkachenko/app/trezor/1549997003/overview

This is the description it was listed with:

Controlling the way you're sharing data has never been more comfortable. We maintain all leading cryptos in the market: RSA (SHA 256, 128), AES, DES.

Manage your communication efficiently. Start simply by picking up your crypto and finally write down the items you want to secure. it's that simple

Website: https://trezorcrypto.com/
Privacy Policy: https://trezorcrypto.com/privacy-policy/

We are looking forward to hearing from you. Please email us at support@trezorcrypto.com.

DISCLAIMER: We use the word "Crypto" to describe cryptography methods, such as RSA, AES, DES, and it has nothing to do with cryptocurrency.


Regardless of Apple not acting as trademark police, or detecting when an App switches to malicious behaviour - what kind of person is reading that, and saying "Ok, sure, I guess this is the thing I want to trust when checking the status of my life savings".
 
...

Regardless of Apple not acting as trademark police, or detecting when an App switches to malicious behaviour - what kind of person is reading that, and saying "Ok, sure, I guess this is the thing I want to trust when checking the status of my life savings".
Indeed, and especially so after they've gone through the 'trouble' to protect their assets by NOT using a software wallet but utilising a hardware device for protection and signing. It truly beggars belief why someone would spend money to protect themselves by avoiding software, and then actually compromise their device by using software.
 
Indeed, and especially so after they've gone through the 'trouble' to protect their assets by NOT using a software wallet but utilising a hardware device for protection and signing. It truly beggars belief why someone would spend money to protect themselves by avoiding software, and then actually compromise their device by using software.
 
Roll the tape:

Basically, the most charitable interpretation here is that Apple allowed an app into the App Store which infringed on an established company’s intellectual property (its name, logo, and brand).
I don't think you understand the concept of "bait and switch".

Never mind that trademark is a totally different kind of IP than copyright. Game Theory: The HORROR That Threatens SCP shows that trademark IP is not as broad as copyright IP. This is why Burger King was Hungry Jack's in Australia - a company with the name "Burger King" in the food industry existed there when they came to open stores there.

In first-to-file countries trademark is a real mess, as someone else can trademark your name, logo, and brand there and you have to fight. This little piece of joy happened to Starbucks...for 3 years.
 
We don't know whether the malicious behaviour was activated by an updated version, or if it just does a check on startup against some external resource, and presents differently when used from e.g. an Apple owned IP, or after review has passed, etc.

Based on the information in the original article, I'd guess this is the App in question: https://sensortower.com/ios/US/nataliia-tkachenko/app/trezor/1549997003/overview
Assuming it kept the same description I don't understand how anyone could think that was for cryptocurrency.

The more I read of this the more I am reminded of a scene in a Superfriends cartoon. In it Bizarro Cyborg says "I learn about technology. Watch me interface with computer." At which point he slams his head into the screen. :D
 
Real banks and financial institutions have protections in place to reduce the occurrence of these scams, or at the very least give a hope of getting the money back. With cryptocurrency there is no such hope.
You know that despite these "protections" you speak of, scammers made away with billions in COVID relief funds? They continue to make millions from scamming through tech support or dating / romance scams. How much of that is ever going to be recovered or returned? Does any kind of insurance cover any of this? Not to mention the "legitimate" businesses that take advantage of elderly / senile individuals by selling them extremely overpriced medical equipment, adjustable mechanical "beds" or assisted living. How much hope do these individuals have?

Scammers are going to scam, and the US dollar, euro, and FinCEN provide no protection or cover. No, seriously. I don't think you even realize who the actual "scammers" are. Who went to jail after the 2008 financial crisis? These were real banks and real financial institutions involved in these sub-prime mortgage loans and the credit derivatives used to back them. You actually think the Federal Reserve is acting in everyone's best interest by buying up these toxic assets? And are you really on board with the quantitative easing the Fed has done now?

Even going back to "traditional" scammers like the ones you and the article are talking about - Western Union and MoneyGram have been so thoroughly abused that they don't have any choice now but to actually actively try to protect individuals from Nigerian 419 and Indian tech scams. Who got any of their money back before these protections were put in place? How is it that these victims can still, today, make withdrawals of thousands of dollars from their bank accounts for these scams?

This is another example of why cryptocurrency is a bad thing, on top of being bad for the environment.
Well, we'll see how much you're right about that. But just know that US retail banks are very much pivoting on their prior staunch resistance to it. Not because they've found a way to exploit it for their own gain - but because they're realizing that not only are their own "earned" profits and cash at risk, but that they're losing billions as individuals withdraw their cash into crypto and stablecoins. If they don't provide crypto access to their customers then their customers just withdraw that cash from the system, forcing them to close out usually 10x leveraged positions they had using that money. The pain crypto is causing them is forcing them to change for your benefit. You might actually see interest on a savings account in the future.

Yea ... you can get scammed with crypto. But you are hilariously overselling the protections that "real" banks and "real" financial institutions and AML or FinCEN or FDIC provide. Getting US dollars or any currency back after being scammed, for practical purposes, doesn't ever happen.

But, yea.... crypto is a bad thing.
 
Real banks and financial institutions have protections in place to reduce the occurrence of these scams, or at the very least give a hope of getting the money back. With cryptocurrency there is no such hope.

This is another example of why cryptocurrency is a bad thing, on top of being bad for the environment.

EDIT: I love how this reply is exactly as controversial as I expected it to be. :)

Yes I too would like the most corrupt people on the planet, the 1% of the 1% who are behind most wars, most crime, and most child sex trafficking, to secure my currency. That is why I choose fiat.

Because they can "protect" us from taking responsibility for ourselves, which we clearly can't.

J/K

As an aside, Trezor and other hardware wallets are specifically designed to prevent theft of this kind. The user there wasn't paying attention, because such a theft is impossible when you use your Trezor as it was designed to be used.

That's why there's a small display on the HW device, showing you what it's actually going to do.

If you have a hacked computer, or hacked phone, or fake app - none of that matters. The hardware wallet is unaffected by all this, and it shows what you're about to do. If you don't look at the screen and notice that it wants to send your 17 BTC to sergej in the Ukraine, and you hit the "OK" button and enter your PIN code... then that's on you. That's why you got a HW wallet.

Start taking responsibility for your actions and the world will become a better place.

And for the absolute newbs here, I am designing / creating a cryptocurrency where it is absolutely possible to reverse scam transactions. The main issue is how to do that while giving you full control. That's not so easy. There then has to be a decentralized arbitration court.

On balance it's still better than giving all your money to the most corrupt 1% of the 1% and having no ownership of it whatsoever, just hoping the bank, which actually owns YOUR money, won't screw you over or go bankrupt. Or decide they just don't want to give you your money anymore. ....
 
...

Oh, and you can't possibly be for crypto and for the environment. As one crypto transaction has the same carbon footprint as a household uses for a month.....let that sink in for a second.
I don’t view crypto as necessarily having a massive carbon footprint - it depends on what’s generating the power. Electric cars would be incredibly dirty if they were only powered by coal plants.
 
Apple allowing this app in the store is like a city allowing some fake bank to get a business license.


So the Apple mall has a fake bank inside it, and people continue to go to the Apple mall.
 
Apple allowing this app in the store is like a city allowing some fake bank to get a business license.


So the Apple mall has a fake bank inside it, and people continue to go to the Apple mall.
Oh the irony of your username when you make posts like that. I guess you don’t read anyone else’s posts to educate yourself regarding facts?
 
I don’t view crypto as necessarily having a massive carbon footprint - it depends on what’s generating the power. Electric cars would be incredibly dirty if they were only powered by coal plants.
Do you really believe it's possible to power massive computer farms mining bitcoins off wind power?! The vast majority of power is from natural resources, so yes, gas and coal.
 
Do you really believe it's possible to power massive computer farms mining bitcoins off wind power?! The vast majority of power is from natural resources, so yes, gas and coal.
And what do you compare it to? Do you think the “standard” payment systems and networks are eco friendly? Banks and associated service providers don’t use computers or data centres? Don’t use cryptography? Or that they haven’t been using blockchain technology settlements and obligations at all?

I think you’d be amazed if you knew what is already happening ;)
 
Real banks and financial institutions have protections in place to reduce the occurrence of these scams, or at the very least give a hope of getting the money back. With cryptocurrency there is no such hope.

This is another example of why cryptocurrency is a bad thing, on top of being bad for the environment.

EDIT: I love how this reply is exactly as controversial as I expected it to be. :)
Gee people who like this are broke 😆
 
Real banks and financial institutions have protections in place to reduce the occurrence of these scams, or at the very least give a hope of getting the money back. With cryptocurrency there is no such hope.

This is another example of why cryptocurrency is a bad thing, on top of being bad for the environment.

EDIT: I love how this reply is exactly as controversial as I expected it to be. :)
Wow, so you admit you are simply trolling. Why not do something constructive for once.
 
Wow, so you admit you are simply trolling. Why not do something constructive for once.
It's not trolling; that's my actual opinion.

I just figured as I was posting that there'd be a decent split between folks who agree and disagree. It's always interesting to see your predictions come true.
 
The big difference with banks, is that there is a law that federally insures some of it. If the guy had his $600,000 in a bank and the bank went under he'd still only get the $100,000 FDIC covers. In a better scenario, the customer gives his account info to someone (the Trezor info) and gets ripped off. Again, the bank doesn't owe him anything. Not sure if the FDIC pays anything out either, but doubtful.
 