Before some iOS apps are made available on the App Store, they often go through public beta testing. To access these early versions of an application, you need a special app called TestFlight.
Generally, there are two versions of TestFlight available. If developers want to share their early access app with a small group of people, they can email invitations to 100 users. More extensive public tests allow for up to 10,000 participants.
But the simple security measures in the TestFlight program have led to cybercriminals exploiting it with malware. Read on for ways to spot the infected applications and what you can do about them.
Here’s the backstory
Before an app is released for mass consumption, it must go through several checks. First, the application needs to be cleared by Apple’s security team and then submitted to the App Store. This ensures that the app doesn’t hide malware or nefarious operations.
But by installing the TestFlight app, any iOS user can download and install applications that haven’t gone through the pre-release checks. So it’s an effective way to get many people to beta test your app. And, for some, a way to get people to install malware.
A report by Sophos details how criminals are now exploiting this functionality to bypass App Store security checks. As many as 10,000 email invitations were sent out, and many recipients were instructed to download BTCBOX, an app for a Japanese cryptocurrency exchange.
After installation, the app tricks you into thinking it is a legitimate cryptocurrency investment platform. But once you make a deposit, the money will go straight to the criminals. When you want to cash out, the scammers claim you must pay a 20% tax.
What you can do about it
Sophos calls these CryptoRom scams, and the scammers have another trick up their sleeves. To further avoid detection by Apple’s security systems, they abuse the iOS WebClips feature. Instead of sending you an app, they send a malicious web page URL.
Through the WebClips functionality, the webpage presents itself as an app displayed on the iPhone’s home screen. It could look like a legitimate app if you don’t pay close attention to it. Here are some tips on how to stay safe:
- Never download an app if you aren’t sure where it comes from or what it is supposed to do. Always read reviews on an app and its developer before downloading.
- Make sure that you are on a legitimate website for cryptocurrency investments. Check that the URL is correct and that there aren’t any typos, misspellings or suspicious elements.
- Never download applications from third-party app stores. Stick with apps from the official Apple App Store or the Google Play Store.
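For readers who want to check a WebClip before it reaches a home screen, the following is an added example, not code from Sophos or Apple. It assumes the WebClip arrives as an unsigned configuration profile (.mobileconfig), which this article does not state; the host names and the sample profile are constructed, and `audit_webclips` is a hypothetical helper name.

```python
import plistlib
from urllib.parse import urlsplit

WEBCLIP_TYPE = "com.apple.webClip.managed"  # Apple's payload type for Web Clips

# Constructed sample profile for illustration (not from any real campaign).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Exchange App",
    "PayloadContent": [
        {
            "PayloadType": WEBCLIP_TYPE,
            "Label": "BTCBOX",
            "URL": "http://exchange-login.example/app",
            "FullScreen": True,     # launches without the browser address bar
            "IsRemovable": False,   # user cannot delete the icon directly
        },
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "office"},
    ],
})

def audit_webclips(profile_bytes, trusted_hosts):
    """Return one finding per Web Clip payload found in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WEBCLIP_TYPE:
            continue  # only Web Clip payloads put a web page on the home screen
        url = urlsplit(payload.get("URL", ""))
        host = (url.hostname or "").lower()
        reasons = []
        if host not in trusted_hosts:
            reasons.append("host not on trusted list")
        if url.scheme != "https":
            reasons.append("not served over HTTPS")
        if payload.get("FullScreen"):
            reasons.append("opens full screen, hiding the address bar")
        if payload.get("IsRemovable") is False:
            reasons.append("icon marked non-removable")
        findings.append({"label": payload.get("Label"), "host": host,
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_webclips(SAMPLE_PROFILE, trusted_hosts={"exchange.example"}):
        print(f["label"], f["host"], "; ".join(f["reasons"]) or "no issues")
```

A profile that has been signed is wrapped in a CMS envelope and must be unwrapped before `plistlib` can read it.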