- As ever, fraudulent crypto wallets are finding their way onto app stores and scamming users out of funds.
- Some crypto scam apps are repackaged after being taken down and sneak past Apple and Google’s app store vetting processes.
- Before using any cryptocurrency wallet, it’s imperative to verify its authenticity and reputation.
The developers labelled it “Data Not Collected” with Apple’s “nutrition labels,” which are meant to let users of the app store easily identify what information apps will gather about them and make decisions accordingly.
There’s just one problem: Trezor doesn’t have an app.
This app was leveraging the Trezor brand to execute one goal – steal users’ Trezor passphrases and private keys via phishing, according to analysis conducted by Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab.
The app was small and simple, consisting of three screens, and did nothing other than steal your Trezor passphrase or seed phrase.
CoinDesk learned of the existence of this scam app and sent it to O’Brien to investigate.
“The app will send any data the user enters into the ‘Key’ field to a server that is not Trezor.io when you click ‘Create My Vault’,” O’Brien reported to CoinDesk.
The fake crypto app has since been removed from the app store by Apple, but it was up for days. During that time it garnered multiple one-star reviews, with users explicitly calling it a scam. Still, it seemingly managed to avoid Apple’s app-checking process.
New bull market for crypto scammers
Over the years, a pattern has emerged: When there are booms in crypto, an increase in fraudulent apps isn’t far behind.
It’s not just an Apple problem. CoinDesk also identified multiple fake wallet apps that were stealing users’ data and keys in the Google Play store.
“There will absolutely be more scam apps (and fraud in general) during boom times,” said Richard Sanders, lead investigator and principal at CipherBlade, a blockchain investigation firm.
“The reason for this is that the boom times usher in a new wave of people that want to ride the hype train and make some money. The issue with that, as is the fundamental issue that results in the overwhelming majority of scams/hacks, is these people fail to do research on what they’re investing in.”
In following the traffic of the fake Trezor app, O’Brien saw the text entered into the “Key” field by the app user being sent to the domain https://www.data-bcvault.com – a scam website hosted by Wix.com that is pretending to be “BC Vault,” another hardware wallet product.
CoinDesk has alerted Trezor, Apple, Wix and the scam site’s cloud computing provider to our findings. Wix has since disabled the site.