Bitcoin security tips

Crypto crimes: fake apps and software scams

Learn how app scams work so you can protect yourself and your crypto. Get a Trezor hardware wallet today.

SatoshiLabs
Published in Trezor Blog
Sep 21, 2021

Fraud is a problem society has always had to put up with. From scribes lamenting low-quality building materials to Silicon Valley starlets raising investments for non-existent technologies, scammers constantly come up with new ways to deploy social engineering and misdirection to swindle individuals out of their savings. With crypto, the same old methods are repackaged to take advantage of digital, permissionless and irreversible transactions, allowing scammers to more effectively evade justice.

This article kicks off a new series of blogs focused on protecting the crypto community from scammers. Each will break down a different tactic used by fraudsters to rip off unsuspecting users, and highlight the warning signs that signal when to back away from a potential scam. Trezor is committed to protecting its users through education as well as our products. Since crypto is for self-custody, that means security starts with each individual hodler. Read on and learn how to stay safe.

Fake apps are everywhere

As operators of the two largest smartphone operating systems, both Google and Apple appear to be strict gatekeepers of the apps they allow publishers to list on their platforms. In practice this is not the case: malicious apps of all kinds continue to proliferate across both stores.

Apps should never be trusted just because they have been approved by and listed on one of the official app stores. These marketplaces are full of dangerous apps, yet the perceived security of being in a ‘walled garden’ — a place where only supposedly secure, approved apps can be listed — is a harmful illusion that leads users to let their guard down instead of recognizing the warning signs.

Whatever app you download, there is always a chance that it is compromised in some way. While we tend to overlook the fact that even official apps do little more than harvest user data, the truly malicious apps discussed here go one step further and seek to harvest user funds directly from a bank account or crypto wallet. Let's look at how they do it and what warning signs to look out for.

How fake crypto apps steal from you

There are different types of crypto scams which come packaged as fake apps. We’ll cover the most common, phishing apps: apps which try to extract sensitive information, usually just by asking an inexperienced user to enter it manually. In crypto, the most sensitive information is your recovery seed. Other, more elaborate scams also exist, where scammers sell lending services or imitate an exchange — we’ll cover those tactics in a later blog.

The most commonly reported type of fake app related to Trezor is a mobile app that claims to operate with your Trezor hardware wallet. No mobile apps currently exist for Trezor hardware wallets. Once downloaded, the app claims to encounter an error and instructs users to type their recovery seed into the app using their mobile keyboard. Never enter your seed directly into a mobile or computer, and only use your seed when your Trezor hardware wallet tells you to.

As soon as the victim enters their seed, the contents of their wallet can be taken by the attacker with little hope of ever getting it back. The effectiveness of this scam is explained by two things: the victim is made to act with urgency and overlook the warning signs; and it only takes a few moments to make an irreversible mistake, so even experienced users can fall for it in a lapse of concentration.

Phishing highlights both an education gap as well as an opportunity to improve user experience across the crypto industry. Things need to be simplified so users don’t need to constantly fear making catastrophic mistakes. Trezor Suite was made as a standalone desktop app, a self-contained ecosystem with an easy interface that offers full control of crypto in one place. By reinforcing good security practices and designing a more resilient environment for crypto users, we can all help minimize the impact of app scams.

Why app scams are so common

Anyone can accidentally download a fake crypto app. App marketplaces present themselves as having multiple safeguards in place, yet a fake app is often just a search away. The supposed security of app marketplaces is misleading, as their data and processes can be easily gamed. As careful as you may be, you could still accidentally download a suspicious app.

When a malicious app slips into a marketplace like the App Store, it has passed certain security checks and been determined to be safe. But Apple’s checks are not comprehensive, nor can they be, and an app can be modified after approval. That’s why any software installed on a device used for crypto should always be treated with caution until you can verify it is legitimate.

“Criminal app developers can break Apple’s rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple.” — Washington Post

Unfortunately, this is difficult, since the main ways to verify an app — looking at its App Store ratings, downloads and comments — are easy to fake using hordes of bot accounts that post artificial reviews and vouch for the app’s safety. This makes it very hard to distinguish a real app from a fake one.

“When Christodoulou opened up the written reviews, he read complaints from other people who had been scammed in the same way. The five-star ratings that helped make the app seem legitimate must have been fake, he concluded.” — Washington Post

In March 2021, the Washington Post reported how a lack of moderation by Apple’s App Store team caused one user to lose 17 bitcoin. While the story attracted a lot of attention and even a response from Apple, nothing appears to have changed about how marketplaces verify the apps they list. Six months later, we continue to find new fake apps on an almost weekly basis.

Warning signs of fake apps

As with any scam, there are a number of warning signs to look out for, which can help identify scams long before facing any real risk. With proper diligence, there is no reason to fall victim to a fake app scam.

Be critical of reviews and ratings.

While we’ve already established that marketplaces themselves cannot be trusted to moderate the apps on offer, or even to ensure comments and ratings are legitimate, cross-referencing all the available data is still important for forming a first impression.

“The Play Store listing had an almost five-star rating, a couple of primarily fake reviews, and around ~500 downloads. It looked somewhat believable to the casual user.” — Kamil Vavra

Often, fake reviews and ratings will be created to accompany a fake app, so it is important to dig into these and look for negative reviews and warnings from real users, which are often buried beyond the first page.

Be conservative with app permissions.

The app industry places data collection ahead of users’ best interests. There is a dangerous tendency for apps to demand access permissions unrelated to the function they provide. Even with legitimate apps, you should never give access to parts of your device that are not essential to the app’s function. To avoid falling for a malicious app, learn to be critical of all the apps you use, lest you further erode your privacy.

Confirm that an official app actually exists.

Legitimate official apps are developed and maintained by teams of real people, working for real companies. Before you download any app, or any software of any kind, take a few seconds to confirm that the project actually exists. In the case of crypto, this minuscule effort could be the difference between protecting your life savings and losing them all.

Trezor has not yet launched any mobile app for use with your hardware wallet. Do not download any Trezor app from any app marketplace: they are all fake and designed to steal your money.

Do not use your seed unless directed by your Trezor.

Installing a fake app may deploy spyware or sophisticated hacking tools on your phone. This is a problem in its own right, but it does not by itself put a hardware wallet user’s funds at risk. If you secure your crypto with a Trezor, the real risk is not spyware but simple phishing. Fake apps are usually built very cheaply and simply, serving just one function: to ask users to enter their seed words and transmit them to the app’s creator.

“I found a fake Trezor Mobile Wallet app in Google Play Store. When I opened it it asked for my seed words. I uninstalled it right away.” — Reddit user Aidfarh

As we state in many places, your seed is used only when recovering your device, and that recovery process will always be initiated by the Trezor device itself. Do not enter your seed into an app or website unless you first start the recovery process using your device, and then only do so by following the secure process outlined on the Trezor wiki.

“the Android application was just a WebView for the phishing website. The only functionality was to enter the 12/24 backup word phrase to connect the Trezor. Anyone who uses Trezor should know that you are never supposed to enter it anywhere, but sadly, people are still falling for it.” — Kamil Vavra

How to protect yourself from fake app scams

Cryptocurrency is built on independent custody, so security must also start with the individual. App stores are at fault for failing to keep scams out, especially since they charge commissions for providing a safe and secure service. Even so, it is best to assume that there will always be fake crypto apps lurking online.

Educating yourself and others about what warning signs to look out for is essential. Often it is easy to identify a fake app with a little diligent research. More important, however, is understanding that your seed is all an attacker needs to access your crypto. Your seed must always be kept private and secure.

Use a hardware wallet.

To keep your seed safe, make sure you use a hardware wallet to generate and store your seed offline. This stops malicious apps from searching for your seed on devices or networks you use, and even protects your seed on the rare occasions when you need to recover your coins.

With a hardware wallet, you will never need to type your full seed into a computer. If at any point you are asked to do so, someone is trying to scam you. Seeds should be entered directly on Trezor hardware wallets, and the process is always guided by your Trezor, so you can be sure that any other method you are asked to use is a fraud.

Stick to verified apps.

Always be cautious with anything you download for crypto. Transparent open source wallet interfaces like Trezor Suite let you verify that the software isn’t hiding any malicious code. Trezor Suite also makes it simple to carry out everyday crypto operations in one place without needing to depend on lots of different apps and websites.

Remember, there is no official Trezor mobile app on mobile marketplaces. Trezor Suite can be accessed at suite.trezor.io from a mobile browser to enjoy the same experience on the go.

What to do if you are scammed by a fake app

If you have lost funds due to a fake crypto app scam, there is probably nothing you can do to get your money back. Unfortunately, cryptocurrency transactions are final and can’t be reversed, so the best hope of recovery is following a conventional report process through law enforcement. In some cases, it is possible to trace the funds until the criminal attempts to convert them to regular fiat currency, at which point they are often caught.

Fake crypto apps are a growing problem which the platforms they appear on are not addressing. Preventing users from downloading the apps in the first place means raising awareness about the issue. Most important is to teach newcomers that protecting one’s seed is essential to securing digital assets and it should not be taken lightly. If this article has helped your understanding of fake crypto apps, please do your part and share it with others to make it safer for everyone.
