Hundreds of Trezor users have been scammed by fake apps of the same name. The app is downloadable from Apple’s App Store and Google’s Play Store and claimed to be from Trezor developers, a hardware crypto wallet.
What is Trezor Crypto Wallet?
Trezor is a reputable hardware wallet made by a firm from the Czech Republic called SatoshiLabs. Cryptocurrency investors use hardware Crypto wallets to secure their investments better. Hardware wallets are small devices that look like USB thumb drives and plug into a computer via a USB connection.
However, if you need to access the hardware wallet or make transactions, you need to enter a pin. Without a pin, even the authorities can access a crypto wallet. If a hardware wallet is stolen, destroyed, or lost, the user can retrieve its contents from the wallet manufacturer’s website with the help of a secret seed phrase.
The seed phrase is like the master password used in password managers and must never be disclosed to anyone. With the seed phrase, anyone can access and steal the cryptocurrency stored within the hardware wallet just by knowing the seed phrase.
Cybercriminals Create Phony Trezor Crypto Wallet App
Cybercriminals mostly use phishing scams to deceive people into giving up their phrases. In this situation, crypto thieves developed a fake app to get individuals to enter their seed phrase.
Trezor doesn’t have a mobile app, and to clarify it, they have Tweeted a warning to its customer about the phony Trezor app and publish it on Google’s Play Store in December Apple’s App Store in January.
Over a thousand Trezor customers downloaded the app from the Apple App Store or the Google Play Store. Once installed, the app required victims to enter their seed phrase to connect the app for their cryptocurrency accounts.
One person who was deceived into entering their seed phrase in the phony mobile app was Phillipe Christodoulou. He didn’t have his hardware wallet with him, but he wanted to check his Bitcoin balance. Consequently, he looked for a Trezor App on the Apple App Store.
His search returned the App with Trezor’s real logo and nearly a five-star rating. Unfortunately, almost all malicious apps have such high ratings, which have been created artificially by cybercriminals. They also imitate the company’s existing branding, making the app challenging to recognize if it’s a fake one or a legitimate one.
Apple praises its Apple Store as “the world most trusted marketplace for apps.” Consequently, Christodoulou considered that the app was legitimate, downloaded it, and typed in his credentials. In less than a minute, 17.1 Bitcoins were stolen from his Bitcoin Wallet. The Bitcoins were worth $600,000 at the time of the breach but would now have been worth more than $1 million. The Bitcoins represented all of his life savings. The user saved only 1 Bitcoin, and that is because it wasn’t in the Trezor Wallet.
Application Stores’ Safety
Operating Systems application stores are not relatively as safe as the companies say. Both Apple and Google state that every app goes through an evaluation period before allowing it onto their App Stores. During this period, applications are reviewed to ensure their security, safety and are aligns with the store’s rules. However, Cybercriminals have found several ways to bypass this review process and get their malicious apps onto the App Stores.
Scammers usually bypass App Stores’ policy by submitting seemingly harmless apps for approval and later transforming the apps that trick users into providing personal and account information. Or the developers might morph the applications into dropping backdoors, as was the case with some of the malicious VPN apps discovered on Google’s Play Store the previous month.
In this situation, the fake Trezor Wallet app managed to get onto the App Store through a bait-and-switch technique. According to Apple, the phony app described itself as a cryptography app designed to encrypt files and store passwords on iPhones. Nevertheless, once the app was approved, the Trezor Cryptography app morphed into a cryptocurrency wallet.
Always Use Official Links
Of all internet scams, those including the theft of cryptocurrency are the most profitable for cybercriminals. Cybercriminals can steal millions of dollars in digital currency in a matter of seconds. Consequently, Crypto wallets are attractive targets for scammers. For Example, in May 2020, 75 Malicious Google Chrome Extensions were identified that were meant to steal digital currency from crypto wallets. Moreover, the crypto wallet maker Ledger also came under attack the previous year, during which 1 million customer records were breached.
Apple indicated that they do not know when apps morph into malicious applications and rely on customer’s feedback to report these. Once reported, both Apple and Google state that they remove the applications immediately. Unfortunately, this often means that hundreds of thousands of people get scammed before the application is identified as malicious and action is taken against them.
However, when it comes to digital currency-related apps, customers can download any available application from the wallet manufacturer’s official website. It is one of the safest methods of establishing whether the manufacturer has a mobile application.
It would be best if you also remembered that you must never disclose the seed phrase to anyone. And you must never enter it into any other application except your official wallet. A legitimate crypto wallet app would never ask for a person’s seed phrase.