TestFlight has been one of Apple developers’ best friends since Apple took it over in 2014 — for those unfamiliar with it, it is a service that lets developers distribute beta versions of apps to up to 25 internal testers (within a company, for example) and 10,000 external testers, with the ability to divide them into groups, collect feedback and improve their creations.
However, as cybersecurity firm Sophos recently reported, TestFlight can also be used for far less noble purposes. Researchers have detected a scam campaign, dubbed “CryptoRom”, which uses Apple’s testing platform to distribute fake Bitcoin apps that steal data and even money from users, bypassing the App Store’s security screening.
The scam combines social engineering with misuse of the iOS ecosystem: unsuspecting users – usually less tech-savvy people – are told to install TestFlight and then tap a link to download the beta app. The whole process is very simple and appears to be “backed” by iOS, even though Apple does not verify the content of the app under test.
Another variant of the scam uses web applications, i.e. websites with interfaces designed to impersonate native apps. In this case, scammers ask users to save the website’s icon to their home screen and use the “application” as they normally would (it is in fact a web page, which is likewise not verified by Apple).
The campaign appears to focus on counterfeit versions of cryptocurrency apps, such as those of the Japanese company BTCBOX and the bitcoin mining company BitFury. However, there are also records of scams using fake dating apps and fake social networks. It is estimated that CryptoRom has already stolen around $1.4 million from its victims.
Apple has not commented on the matter, and the scams are unlikely to change anything about how TestFlight works – after all, the platform succeeds precisely because of its simplicity and its ability to attract testers. So, a reminder: unless you know exactly what you are doing (i.e. you are deliberately testing an app), never install apps through TestFlight, and never hand your information to apps obtained outside the App Store. Although these measures will not protect you 100%, they are enough to avoid most scams of this kind.