Thousands of Trezor users have been scammed by a fake app of the same name. The app was downloadable from Google’s Play Store and Apple’s App Store and claimed to be from the creators of Trezor, a hardware crypto wallet.
What is Trezor?
Trezor is a well-known hardware wallet made by a firm from the Czech Republic called SatoshiLabs. Hardware crypto wallets are used by cryptocurrency investors to better secure their investments. They are small hardware devices that look like USB thumb drives and plug into a computer via a USB connection.
To access the hardware wallet and make transactions, a PIN needs to be entered. Without it, not even the authorities can access a crypto wallet. If a hardware wallet is lost, stolen or destroyed, its contents can be retrieved from the wallet manufacturer’s website using a secret seed phrase.
The seed phrase is like the master password used in password managers and must never be disclosed to anyone. With this phrase, anyone can access and steal the cryptocurrency held within the hardware wallet, even if they don’t know the PIN.
Cybercriminals Create Fake Trezor App
Cybercriminals often use phishing scams to trick people into giving up their seed phrases. In this instance, crypto thieves created a fake app to get individuals to give up this phrase.
Trezor doesn’t have a mobile app and has tweeted a warning to its customers about the fake Trezor apps. However, the as-yet-unknown crypto thieves created a fake app and put it on Google’s Play Store in December and Apple’s App Store in January.
Over 1,000 Trezor customers downloaded the app from the Play Store and about as many again from the App Store. Once downloaded, the app required victims to enter their seed phrase to supposedly connect the app to their cryptocurrency accounts.
Cryptocurrency Savings Lost
One such person who was duped into entering their seed phrase into the fake mobile app was Phillipe Christodoulou. He didn’t have his hardware wallet on him but wanted to check his bitcoin balance. Consequently, he searched the App Store on his iPhone to see if Trezor had created an app.
His search returned an app with Trezor’s real logo and close to a five-star rating. Unfortunately, most malicious apps have such high ratings, which have been created artificially by the scammers. They also closely mimic real companies’ branding, making it difficult to tell a fake app from a legitimate one.
Apple touts its App Store as “the world’s most trusted marketplace for apps”. Consequently, Christodoulou believed that the app was legitimate, downloaded it and typed in his credentials. In less than a second, 17.1 bitcoins were stolen from his account. The bitcoins were worth $600,000 at the time but would now be worth more than $1 million. The bitcoins represented virtually all of his life’s savings. Only 1 bitcoin was saved, and that is because it wasn’t in the hardware wallet.
Application Stores’ Safety
Online mobile application stores are not as safe as one may think or wish. Both Google and Apple state that every app goes through an evaluation period before it is allowed onto their mobile stores. During this period apps are reviewed to ensure they are safe, secure and don’t break any of the store’s rules. However, cybercriminals have found several ways to circumvent this review process and get their malicious apps onto the stores.
Scammers do this by submitting seemingly harmless apps for approval and then transforming them into phishing apps that trick people into providing personal and/or account information. Or they morph them into apps that drop backdoors, as was the case with malicious VPN apps discovered on Google’s Play Store last month.
In this instance, the fake Trezor app managed to get onto the App Store through a bait-and-switch technique. According to Apple, the fake app described itself as a cryptography app whose function was to encrypt files and store passwords on iPhones. However, once approved, the Trezor cryptography app morphed into a cryptocurrency wallet.
Always Use Official Links
Of all Internet scams, those involving the theft of cryptocurrency are the most lucrative for cybercriminals. Millions of dollars in digital currency can be stolen in seconds. Consequently, crypto wallets make attractive targets. For example, in May last year 75 malicious Google Chrome extensions were discovered that were designed to steal digital currency from crypto wallets. Likewise, the crypto wallet maker Ledger came under attack last year, and 1 million customer records were breached.
Apple admitted that it does not know when apps morph into malicious apps and relies on customers to report these. Once reported, both Google and Apple state they remove the apps immediately. Unfortunately, this often means that hundreds of people get scammed before the app is identified as malicious and removed from the stores.
Consequently, when it comes to digital currency related apps, customers are advised to go to their wallet manufacturer’s website and download any available app from there. This is also the safest way of establishing whether the manufacturer has a mobile app available.
Needless to say, the seed phrase must never be disclosed to anyone. And it must most definitely never be entered into any mobile app. A legitimate crypto wallet app would never ask for a person’s seed phrase.