Fake iPhone apps used to steal millions in cryptocurrency

Physical Bitcoin and Tether tokens.
(Image credit: Coyz0/Shutterstock)

One of the most tried-and-true methods for luring people into a scam is to promise victims "insider" access to financial riches that ordinary people can't get. It's how Wall Street financier Bernie Madoff signed up thousands of eager investors for his too-good-to-be-true Ponzi scheme. Now it's being used by scammers who promise their victims huge gains if they just install and use "special" smartphone apps meant only for insiders.

The scam is called "CryptoRom," and it's been around for a few months. As described by Sophos Labs researcher Jagadeesh Chandraiah yesterday (March 16), it's a trifecta of malice, combining romance scams, cryptocurrency scams and malicious Android and iPhone apps — the latter of which are usually very rare.

Victims have lost tens of thousands of dollars in these schemes. Just one of the many Bitcoin addresses used by the crooks has gathered $1.3 million in ill-gotten gains; you can probably multiply that several times to get an idea of the total take. 

The scheme initially targeted China, Japan, southeast Asia and the Indian subcontinent, but it has now jumped to western Europe and the U.S.

One victim told Sophos they themselves had been scammed, and said a friend was also "using [a] similar app called 'UBS global' + Binance."

"They are providing trading in crypto," the victim said. "Now when he tried to withdraw amount, they are asking for paid membership of $6,000."

Don't trust this love connection

Most victims are initially contacted through online dating portals, such as "Bumble, Tinder, Facebook dating and Grindr," as an earlier Sophos report said. Many of those sites offer some of the best dating apps we've tested.

Recently, Chandraiah said, some victims have been contacted via random WhatsApp messages, apparently after the crooks profiled them via social media and saw they had money to spend.

"We suspect that the crooks obtained contact information for their targets either through their own social media accounts or through compromised websites," Chandraiah wrote. "They also seem to obtain publicly available information and target those who are already into investment and cryptocurrency."

When dating apps are involved, the scammer uses a fake profile to build trust with the victim over several days or even weeks. Then the scammer tells the victims about a secret cryptocurrency investment that will make the victim a lot of money — the victim just has to install a special app.

Here's our first tip on how to avoid these scams: Don't trust anyone who claims to be your soul mate, yet never seems to be able to meet you in person, or even to have a FaceTime date. 

Second tip: If someone you don't know tells you they have a special tip on how to make money using cryptocurrency, run away fast.

Fake iOS apps and how they're even possible

These special apps aren't in Apple's App Store or Google's Play Store and must be sideloaded. That's easy to do on Android, but what about Apple devices? Doesn't Apple forbid users from installing iPhone apps that come from outside the App Store?

Not quite. Apple has a few procedures for letting app developers and large companies distribute apps privately. 

Big companies can install specific profiles on employee devices that let the iPhones and iPads install company-specific apps. Developers can get two different companion apps that allow sideloading of iOS apps for testing purposes — first during the initial development phase, and then later on for "test flights" just before formal submission to the App Store.

Crooks, including those running the CryptoRom scams, have been known to abuse the enterprise-deployment and developer-testing features. And now, as Sophos reports, they're starting to use Apple's TestFlight beta-testing feature to infect as many as 10,000 victims at a time.

In these cases, the victims are first asked to install the real TestFlight app from the App Store. The presence of that app lets an iPhone user then download and install what appears to be a "special" version of a well-known cryptocurrency or finance app from a website. 

These are fakes, of course, but to the victim they look like real apps provisioned by CoinBase, RobinHood, Bitfinex, Binance or other cryptocurrency platforms. 

Tip No. 3: If someone who isn't your employer asks you to sideload an Android or iOS app, don't. It's probably a scam with Android; with iOS, it definitely is.

The cryptocurrency shakedown

Once the fake app is all set up, the victim is asked to buy Bitcoin or another cryptocurrency through a legitimate exchange, then transfer it to the crooks through the "special" smartphone app.

Initially, Chandraiah said, the victims will indeed start to make money. They're even allowed to cash out part or all of their initial investments. 

But then the scammers prey on the promise of even bigger bucks to get the victims to invest more money. They'll even "lend" the victim an amount to make it easier. And that second round of investments is the one the victims will never see again.

Don't get us wrong — the investments do grow, at least according to what you see in the bogus app. But then there's a catch.

"When victims try to withdraw funds from their big 'profit,'" Chandraiah wrote, "the crooks use the app to inform them that they need to pay a 'tax' of 20% of their profits before funds can be withdrawn — and threaten that all their investments will be confiscated by tax authorities if they do not pay." 

If the victims do pay the "tax," that then gets "frozen" by the "authorities" and the money is still stuck. 

Preying on the victims one last time

This scam has become so widespread, Chandraiah wrote, that a secondary scam industry has sprung up "promising" to help victims recover their funds.

"Exploiting this desperation, a number of bogus cryptocurrency recovery services have sprung up that specifically target CryptoRom victims."

At this point, many victims realize their only option is to contact the police. But even then, there's often little that can be done. Cryptocurrency transactions cannot be reversed, and even when the chain of transactions is transparent, as with Bitcoin, there may be little legal recourse.

"Because of the nature of cryptocurrency and the fact that cross-border foreign transactions are involved," Chandraiah wrote, "it is difficult at best to recover funds through law enforcement or other legal channels."

Final tip: Don't invest cryptocurrency with someone you don't know. 

Granted, these crooks have convinced many victims that they are using Binance, Bitfinex, Coinbase or other legitimate exchanges. 

But it takes a big leap of faith to believe that those well-known cryptocurrency platforms would have secret spaces in which only a privileged few get to trade their assets and make more money than anyone else. Then again, maybe that doesn't seem so crazy.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.