Yet another group of ingenious hackers has recently been discovered by cybersecurity firm Sophos, executing quite an elaborate scam on an international level. The scammers have been siphoning hundreds of thousands of dollars from unsuspecting victims via the most unlikely of means: dating apps. By the time they were discovered, they'd already pilfered $1.4 million—all in the form of Bitcoins.
CryptoRom's victims were all iPhone owners
Although Apple has always touted the top-notch security of its ecosystem, we all know that complete immunity is impossible, and iPhones are no exception.
The hackers got into victims' iPhones via the Enterprise Signature system meant for developers
The victims from whom CryptoRom stole $1.4 million were all iPhone owners, and the hackers took advantage of the Enterprise Signature system particular to iPhones. Essentially, this system gives developers the ability to perform testing on new iPhone apps before submitting them to Apple for approval.
First, the attackers created fake Bitcoin trading apps. Then, they made fake online dating profiles
What makes the scam so elaborate is that it is highly intricate not only on a software level, but also on a social level. First, the CryptoRom perpetrators created fake Bitcoin trading apps, all of which funneled any money that passed through them into a single Bitcoin wallet, likely owned by the mastermind behind it all.
Then, the scammers made a number of fake online profiles on dating apps such as Tinder and Bumble. Once they connected with someone, they committed to the fake relationship until they could convince their victims that they were making a lot of money off of the shady Bitcoin trading apps.
The facade was maintained until, finally, they got the person on the other end to also invest a certain amount into said app. Of course, once that was done, the money went straight into the scammers' Bitcoin wallet. However, that's not where the damage stopped.
The victims lost their money, and their iPhones (essentially)
While the scam first began spreading in Asia, it was quite successful and eventually made its way to international victims in the United States and Europe. And all of its profits were made off the backs of unsuspecting dating app users, leveraging the rising hype around cryptocurrency to essentially catfish their victims into unwittingly giving up both their money and privacy.
Did Apple allow these scam cryptocurrency apps into the App Store?
Because Apple continues to resist allowing apps to be downloaded from anywhere but the official App Store, there seems little reason to believe anything other than that these fake Bitcoin trading apps had, in fact, been approved by Apple for publication in the App Store.
Currently, unlike on Android, app sideloading is still impossible on iOS (although legal battles may be putting an end to that soon), which puts Apple in serious hot water for allowing such a horrible scheme to take place, and for letting it go unnoticed for such a long period of time.
Although Apple has certainly always focused on privacy much more than competing companies, it seems that the illusion of perfect protection within Apple's ecosystem is slowly beginning to crumble, as incidents like this keep happening.
Neither the pernicious apps nor the scammers have been named by Sophos, and we must assume that the applications have since been removed from the App Store. Apple has not yet addressed any part of this issue.