Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have been duped by a fake app with the same name. The app was available on Google Play and Apple’s App Store and also claimed to be from SatoshiLabs, the creators of Trezor.
According to the Washington Post, the fake Trezor app, which was on the App Store for at least two weeks (from 22 January to 3 February), was downloaded 1,000 times before it was taken down. A fake Trezor app on the Play Store was downloaded by a similar number of users, but it's not clear how long it was available on the platform.
Those victimized by the fake app couldn’t tell that they were downloading a dodgy app. Apart from the mimicked name and visual style of the Trezor brand, victims have also reported seeing high rating reviews—155 reviews giving it close to a 5 star rating—a common tactic of criminal app developers looking to gain the trust of users.
Phillipe Christodoulou, owner of a dry-cleaning service was one of the many Trezor users who downloaded the fake Trezor app from the App Store. He wanted to check his cryptocurrency balance on his phone and decided to search for and download an app instead of plugging the device into his computer via a USB connection. He lost 17.1 Bitcoins, which was worth $600,000 USD at that time. At the time of writing it is worth more than $1 million USD.
A similar incident happened with James Fajcz, a reliability engineer, in December 2020. He bought both Ethereum and Bitcoin worth $14,000 USD with his savings after seeing the price of digital tokens rising that same month. To ensure his investment was secure, be bought a Trezor, and then downloaded its purported app on his iPhone. When the app didn’t connect to his hardware wallet, he assumed that the app didn’t work. After buying a second round of cryptocurrencies weeks later, he checked the balance on his Trezor device using his computer, but it was empty. He realized he had been conned out of his digital currencies when he reached out to the Trezor community on Reddit.
Both men didn’t know that an official Trezor app doesn’t exist, and both also blamed Apple for letting a fake app into the App Store, a space touted by Apple as "the most trusted marketplace for apps."
Both Google and Apple provide screening of apps before they're added to their app stores, but these incidents remind us that no form of screening is perfect. Successful criminals are good at finding and exploiting loopholes, or using malicious techniques that are hard to screen for. We don't know how this malicious app worked, but we can guess that it might simply transfer victims' cryptocurrency to a wallet (that happens to be owned by the app's creator), which is very similar to what a legitimate app would be doing.
With cryptocurrencies continuing to gain popularity, expect more scammers to bank on this wave. In May last year, Harry Denley, a cybersecurity researcher specializing in cryptocurrencies, revealed that he discovered almost 75 malicious Google Chrome extensions designed to steal money from cryptocurrency wallets.
Last month, CoinDesk went on a crypto scam hunt and found that both popular app stores have found fake crypto wallet apps.
Cryptocurrency owners are advised to be more vigilant than ever about phishing campaigns in the form of apps and extensions. Trezor users, in particular, should be aware that while there is no app for their hardware wallet now, there will be an official one in the future. Watch the company's official website and Twitter account for news on that and, until then, avoid downloading Trezor apps and heed the company's advice: never share your seed until your device asks you to do so.