As the Bitcoin (BTC) and crypto markets regain momentum and analysts predict sustained price growth, we should anticipate an increase in criminal activity attempting to exploit the trend and target new victims for theft. One particularly concerning type of crime is the proliferation of fake apps masquerading as legitimate crypto trading platforms. What's even more alarming is that these counterfeit apps are appearing on reputable app marketplaces such as Google Play, Apple's App Store, and Microsoft Apps.
Cybersecurity firms like Sophos and ESET have been issuing warnings about this growing threat for years. It appears that the mentioned marketplaces are struggling to provide comprehensive protection to their users against these fraudulent applications.
“If criminals can get past these checks, they have the potential to reach millions of devices. This is what makes it more dangerous for CryptoRom victims, as most of those targets are more likely to trust the source if it comes from the official Apple App Store,” researchers at Sophos warned earlier this year. CryptoRom is a type of scam where victims are lured into a fake crypto trading app through fake romantic relationships.
Also, in 2021, researchers at ESET discovered dozens of trojanized Android and iOS apps capable of stealing victims' secret seed phrases, or special codes needed to access your crypto assets, by impersonating platforms such as Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey. Additionally, Sophos identified fake apps posing as platforms from major crypto exchanges like Gemini, Kraken, Binance, Bittrex, and BitFlyer.
The most recent incident in the public eye occurred on Microsoft Apps this November. A counterfeit app mimicking the BTC and crypto hardware wallet manufacturer Ledger was uncovered in the marketplace. According to the pseudonymous crypto investigator ZachXBT, scammers managed to pilfer over $768,000 worth of cryptocurrencies such as BTC and ethereum (ETH).
A screenshot shared by ZachXBT:
“We have removed this application and are continually working to ensure malicious content is identified and taken down quickly,” a Microsoft spokesperson told Cybernews without elaborating any further.
Neither Google nor Apple responded to our inquiries regarding fake apps in their respective marketplaces and the measures being taken to address this issue.Meanwhile, legitimate crypto apps are facing challenges on these established platforms. For instance, earlier this year, the largest decentralized exchange, Uniswap, encountered issues on the App Store (which have since been resolved), while the most popular Ethereum wallet, MetaMask, was temporarily removed from the marketplace this past October.
In any case, as per security experts at Sophos, the fake applications manage to bypass Apple and Google's review processes by modifying remote content associated with the apps after they’re approved and published in their respective stores. Identifying fraudulent apps solely through code inspection is a challenging task for reviewers.
Simultaneously, criminals employ various tactics, such as engaging in extended communication on social media or dating apps like Tinder, to establish trust and entice their victims into downloading fake apps.
Once the criminals find their victims, they deceive people with a working but fake trading interface. However, the deposited funds are directed to addresses owned by the criminals. Furthermore, victims may be asked to pay a tax to withdraw their investments, further boosting the profits of the wrongdoers.
For instance, in the United States, a woman lost her entire inheritance and her father's life savings, totaling almost 400,000 $, after falling victim to a fraudulent crypto app.
Here's how this communication started:
And this is how it ended:
So, how can you stay safe from all these fake apps, and what red flags might warn you about potential issues?
Legitimate apps typically have a high number of downloads, sometimes in the millions. Additionally, pay attention to spelling errors (which can be more challenging to spot due to the rise of generative AI), what permissions the app requests, and consider verifying the app on the official page of the company.
The FBI also provides a few tips:
- Be cautious of unsolicited requests to download investment applications, especially from individuals you have not met in person or whose identity you have not verified. Take steps to verify an individual's identity before providing them with personal information or relying on their investment advice.
- Confirm the legitimacy of an app before downloading it by ensuring that the company offering the app actually exists, identifying whether the company or app has a website, and checking if any financial disclosures or documents are tailored to the app's purpose and the proposed financial activity.
- Approach applications with limited and/or broken functionality with skepticism.
If you have fallen into these traps, Sophos advises you to take the following steps:
- Report the incident to local authorities with expertise in fraud.
- Contact your bank to inquire about the possibility of reversing any transactions.
- If you used crypto asset transfers through an exchange, reach out to the operator and report the wallet address associated with the fraud.
- Avoid using services that claim online to be able to recover lost crypto assets, as they may be another trap.
For those interested in hearing real stories from victims of such scams, a two-part documentary totaling 24 minutes is available. Stay safe out there!
More from Cybernews:
Subscribe to our newsletter