What you need to know
- A new report says scammers used Apple's Developer Enterprise Program to steal $1.4 million.
- A scheme involved gaining the trust of victims through dating apps, then getting them to install fraudulent crypto apps.
- Sophos says the move has been used globally in Asia, the EU, and the U.S.
A new report says that scammers were able to dupe unsuspecting victims out of a total of $1.4 million by luring them into downloading fake cryptocurrency apps and investing money, using Apple's Developer Enterprise program for distribution.
A Sophos report published Wednesday notes a previous scam highlighted in May on both iOS and Android, confined at the time to victims in Asia. Now, Sophos says that the scam, which is has dubbed CryptoRom, has actually been used around the world, causing some iPhone users to lose thousands of dollars to crooks.
Many of the stories of scams made the news, one UK victim in April reported losing £63,000 ($87,000) after 'falling in love' with a bitcoin scammer. Other stories state hackers stole massive amounts of money on multiple occasions.
The scam goes like this. Users are contacted by hustlers through fake profiles on sites including Facebook, but also dating apps like Tinder, Grindr, Bumble, and more. The conversation is moved to messaging apps where victims become familiar, luring the victim into a false sense of security. Soon, the topic of cryptocurrency investment comes up in conversation, and the victim is asked by the fraudster to install a crypto trading app to make an investment. The victim installs an app, invests, makes a profit, and is allowed to withdraw the money. Encouraged, they are then pushed to invest more to take advantage of a high-profit opportunity, however, once the larger sum has been deposited they are unable to withdraw it. The attacker then tells the victim to invest more or pay a tax, removing the money if they refuse.
Key to the scam seems to be the abuse of Apple's Enterprise Program, which lets the attackers bypass Apple's App Store review process to distribute fake apps:
According to the report, the bitcoin address associated with the scam has been sent more than $1.39 million dollars to date, and that there are likely several more addresses associated with the hustle. The report says most of the victims are iPhone users who have been duped into downloading a Mobile Device Management profile from a fake website, effectively turning their iPhone into a "managed" device you might find in a business that can be controlled by someone else:
The report says that CryptoRom bypasses all of the App Store's safety screening and that it remains active with new victims every day. It also says that Apple "should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple."
Master your iPhone in minutes
iMore offers spot-on advice and guidance from our team of experts, with decades of Apple device experience to lean on. Learn more with iMore!
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9