Apple sideloading was a key step in a $1.4 million cryptocurrency theft

Apple Enterprise provisioning — the system that allows companies to authorize home-grown apps for internal use — is a soft target.

From Mike Wuerthele’s “Thieves abused Apple’s enterprise app programs to steal $1.4 million in crypto” posted Thursday on AppleInsider:

The CryptoRom fraud implementation is fairly straightforward — after gaining a victim’s trust through social media or existing dating apps, users are fooled into installing a modified version of a cryptocurrency exchange, baited into investing, and then defrauded out of cash.

After gaining the trust of the victim through the dating apps, scammers start discussing cryptocurrency investments. They are then directed to a website that looks like the Apple App Store, and then told to download a Mobile Device Management profile, giving control of a number of features, and the ability to use signed apps made by the fraudsters.

Upon returning to the fake App Store webpage, the unsuspecting user is then prompted to download an app signed with a certificate associated with the Mobile Device Management profile through either Apple Enterprise provisioning or the Super Signature distribution method. The app in question is a bogus version of the Bitfinex cryptocurrency trading application.

The victim is then convinced to make a small investment into a cryptocurrency as a proof of concept, and is allowed to withdraw the profits. When a larger deposit is made, the victim finds that it cannot be withdrawn, and the assailant either just pulls the money for themselves, or tells the victim that more must be invested or that a tax must be paid to pull the money out.

My take: A taste of the kind of trickery we can look forward to if the EU ever forces sideloading down Apple’s throat?

See also: Apple makes the case against sideloading

9 Comments

  1. David Emery said:
Exactly… But the politicians, like the media and the ANALysts we talk about here, don’t care. It’s not about facts, but about ‘clicks’ (or votes.) It will be a huge challenge to convince regulators to change their minds.

    2
    October 14, 2021
  2. Jerry Doyle said:
    “….They are then directed to a website that looks like the Apple App Store, and then told to download a Mobile Device Management profile, giving control of a number of features, and the ability to use signed apps made by the fraudsters.”

    My, my, my….

    “….In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple.”

    0
    October 14, 2021
  3. Greg Lippert said:
    This is why we can’t have nice things.

The proposed rule changes by these ignorant governments are super-hostile towards the user and will result in large amounts of fraud, theft or worse.

    I want my iPhone and iPad to be secure and have zero interest in third-party stores yet that is what will happen.

Wait till my senior citizen parents have to deal with security vulnerabilities – and a large % of users. They are ripe for exploitation.

    5
    October 14, 2021
  4. Fred Stein said:
    Apparently the scam is still active, and that $1.4M is just one victim.

    This expertly crafted scam exploits Apple’s good reputation, and people’s fascination with Bitcoin. But it’s really just like many other scams that send you a link to a fake site. Never click. Always find the site directly.

    I would love to see the statistics on the extent of fraud inside the iOS walled garden vs. outside, in the ‘open’ platforms. That would provide a rough proxy for how much more fraud could occur with side-loading.

    1
    October 14, 2021
  5. Fred Stein said:
    In the previous PED article, Counterpoint says iPhones got 50% of the smartphone revenue. From that 50%, we can estimate that the iOS base has about 50% of the wealth. Actually, I’d bet the % of wealth is much higher.

    The EU wants to double the TAM for fraudsters.

    3
    October 14, 2021
  6. Michael Goldfeder said:
    Can we confirm whether or not Vestager was a victim?

    0
    October 14, 2021
  7. Gregg Thurman said:
    The EU wants to double the TAM for fraudsters.

    Right on Brother, right on. Besides the ease of use and build quality et al, iPhone users have far more to lose through fraud than do Android users (on average).

    Nobody wins, not consumers, not vendors (weakened Brand) if this goes through.

    1
    October 14, 2021
  8. Kirk DeBernardi said:
    Cryptocurrency is here to stay as a means of direct exchange of value and apparently is being regarded by visionaries as the future paradigm to do so with one of its premises being “who needs a Treasury”.

    Our money has already been turned into a “bits-of-data” play anyway and we’ve easily become more and more accustomed to it, but since Crypto removes this middleman, it seems hackers can now fill that void with outright thievery as if they place themselves at the bank doors when the Brinks truck rolls in.

    This Crypto cookie needs a lot more baking before I take a bite.

    1
    October 14, 2021
  9. Jonny T said:
    If Vestager gives us all a headache with sideloading, future iPhones sold in EU might offer setup choice for the ‘way it was’ button and the ‘way the EU demands it be’. Cue list of faults in latter. Result? 0.001% adopt the EU way.

    1
    October 15, 2021