
Apple distributed fake crypto finance apps in App Store, leading to $100K losses


Just a week after the last public App Store blunder, where a fake LastPass app was available in the App Store, Apple is yet again in hot water.

On February 14, a cryptocurrency company called Curve Finance warned users via social media that a fake app using its name had appeared in the App Store.

Just two days later, on February 16, yet another cryptocurrency company, Rabby Wallet, warned its users via social media that a fake app was in the App Store. Shockingly, the fake app had somehow gotten approved—meanwhile, the legitimate developer’s app is “still under review.”

One victim posted on the official Apple Community support forums on February 17, claiming to have been scammed out of U.S. $5,000 after downloading the fake Rabby Wallet app. Another forum user claimed to have lost $20,000. Meanwhile, users in the real Rabby Wallet’s Discord community reported cumulative losses of more than $100,000.

Apple eventually removed both apps

After public attention brought by social media re-posts and some coverage on tech news sites, Apple eventually removed each app from the App Store.

It isn’t clear exactly when the fake Curve Finance app first made it into the App Store. The fake Rabby Wallet app was likely available starting on February 14, given the date on which the fake app’s Facebook page was created and the date of the first (negative) review.

The fake Curve Finance app somehow had a “4.6 out of 5” star rating, with apparently nine five-stars and a single one-star rating. Meanwhile, the fake Rabby Wallet app wasn’t pre-loaded with fake ratings, so it had a “1.0 out of 5” due to two one-star ratings.

Does a blatant copycat constitute a legitimate app in Apple’s eyes?

While in the case of “LassPass” the developer used a lookalike name and icon, in these more recent cases the infringement was much more blatant.

Both fake finance apps used the real products’ names. This time the fake apps’ developers didn’t even try to hide behind typosquatting or similarly spelled names; they just went directly for stealing the names of the companies and products they were mimicking.

It’s a similar story with the apps’ icons. The fake Curve Finance app used a nearly exact copy of the company logo. Meanwhile, the fake Rabby Wallet app used a silhouette version of the real company logo, with a similar blue background color.

App Store screenshots of the fake apps. “Rabby” image via HackRead

Apple has a major problem over-approving apps in sensitive categories

If Apple were carefully reviewing these apps, the reviewers would have seen some potential red flags. The registered names of the developers did not match the companies’ names (although this is sometimes the case with real companies that use third-party developers). A more obvious red flag was the essentially nonexistent company pages. The listed Developer Website for the fake Curve Finance app was a free Google Sites page, hosted at sites.google.com; this page barely included any text, had no images other than a generic backdrop, and merely listed the developer’s Proton Mail e-mail address as a supposed support method.

The “Developer Website” of the fake Curve Finance app

For the fake Rabby Wallet, the Developer Website was a generic Facebook page with the app’s name, the developer’s Hotmail e-mail address, and literally nothing else; they didn’t even bother adding any images to the page.

The “Developer Website” of the fake Rabby Wallet app

Such red flags should set off alarm bells in reviewers’ heads, prompting further investigation before approving the apps. But apparently, they did not.
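The red flags described above (a free-hosted “developer website,” a consumer webmail support address, a seller name unrelated to the product, and a suspiciously good rating from a handful of reviews) are easy to check mechanically once you have a listing’s metadata. The following is an added example written for this article, not code from Intego or Apple; the host and webmail lists, the rating threshold, and the three listing records are constructed placeholders, not the actual apps’ metadata, and the field names merely follow the shape of Apple’s public iTunes lookup API (trackName, sellerName, sellerUrl, averageUserRating, userRatingCount), with supportEmail as a hypothetical extra field:

```python
"""Heuristic vetting of App Store listing metadata for impersonation red flags.

Added example for this article; every list, threshold and sample record below is
an assumption or a constructed placeholder, not data from the real listings.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts a real company would not use as its "developer website".
FREE_SITE_HOSTS = {
    "sites.google.com", "facebook.com", "www.facebook.com", "linktr.ee",
    "carrd.co", "wixsite.com", "weebly.com", "blogspot.com",
}
# Assumption: consumer webmail domains. Not proof of fraud on its own, but a
# support address here combined with other signals deserves a closer look.
FREE_MAIL_DOMAINS = {
    "proton.me", "protonmail.com", "pm.me", "hotmail.com", "outlook.com",
    "gmail.com", "yahoo.com", "icloud.com",
}
# Generic words that must not count as a brand match between app and seller.
STOPWORDS = {"app", "apps", "wallet", "finance", "inc", "ltd", "llc", "pte",
             "the", "and", "co"}


def tokens(text):
    """Lower-cased alphabetic tokens with generic words removed."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS}


def is_free_hosted(url):
    """True if the URL's host is, or sits under, a free hosting/social domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FREE_SITE_HOSTS)


def vet_listing(listing):
    """Return the list of red flags found in one listing record."""
    flags = []
    if is_free_hosted(listing.get("sellerUrl", "")):
        flags.append("developer website is on a free hosting/social service")
    email = listing.get("supportEmail", "")
    if "@" in email and email.rsplit("@", 1)[1].lower() in FREE_MAIL_DOMAINS:
        flags.append("support contact is a consumer webmail address")
    if not (tokens(listing.get("trackName", "")) & tokens(listing.get("sellerName", ""))):
        # Weak on its own: legitimate companies do ship via third-party developers.
        flags.append("seller name shares no brand token with the app name")
    rating = listing.get("averageUserRating", 0.0)
    count = listing.get("userRatingCount", 0)
    if 0 < count < 20 and rating >= 4.5:  # assumption: threshold for "seeded" look
        flags.append("near-perfect rating from very few reviews (possible seeding)")
    return flags


def looks_suspicious(listing):
    """Two or more independent flags: hold for manual review before trusting it."""
    return len(vet_listing(listing)) >= 2


# Constructed records modelled on the article's description; names, URLs and
# addresses are placeholders, not the real listings' metadata.
FAKE_CURVE = {
    "trackName": "Curve Finance",
    "sellerName": "Unrelated Developer",
    "sellerUrl": "https://sites.google.com/view/example-placeholder",
    "supportEmail": "support-placeholder@proton.me",
    "averageUserRating": 4.6,
    "userRatingCount": 10,  # nine 5-star and one 1-star, as the article notes
}
FAKE_RABBY = {
    "trackName": "Rabby Wallet",
    "sellerName": "Another Unrelated Developer",
    "sellerUrl": "https://www.facebook.com/example-placeholder",
    "supportEmail": "placeholder@hotmail.com",
    "averageUserRating": 1.0,
    "userRatingCount": 2,
}
LEGIT_EXAMPLE = {  # hypothetical well-formed listing for contrast
    "trackName": "Rabby Wallet",
    "sellerName": "Rabby Example Ltd.",
    "sellerUrl": "https://rabby.example/",
    "supportEmail": "support@rabby.example",
    "averageUserRating": 4.3,
    "userRatingCount": 1200,
}

if __name__ == "__main__":
    for name, rec in [("fake Curve", FAKE_CURVE), ("fake Rabby", FAKE_RABBY),
                      ("legit", LEGIT_EXAMPLE)]:
        print(name, "->", "SUSPICIOUS" if looks_suspicious(rec) else "ok",
              vet_listing(rec))
```

The seller-name check is deliberately the weakest signal, for the reason the article gives: real companies sometimes publish through contractors. The point of requiring two independent flags is that a free Google Sites page plus a Proton Mail address, or a Facebook page plus a Hotmail address, should be enough to pull an app in a finance category out of the fast lane and in front of a human.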

Apple’s app review process needs review

Given the highly sensitive information that people put into finance-related apps, Apple has a moral obligation to more carefully review sensitive categories of apps in the App Store.

As we’ve mentioned in the past, Apple has also had an ongoing problem with approving loan apps that aren’t developed by legally licensed lenders. We noted in our 2023 Apple malware roundup that one independent researcher singlehandedly found and reported more than 200 fraudulent loan apps to Apple in 2023 alone. These apps plausibly garnered hundreds of thousands of cumulative downloads before Apple finally removed them.

Apple’s recent approval of a fake password manager app, “LassPass,” also exposed Apple’s shoddy reviewing practices for sensitive app categories.

Unless Apple begins to face significant public pressure to improve its practices, it’s unlikely that Apple will change. We urge responsible mainstream and tech journalists to join with us in drawing attention to Apple’s consistently bad behavior.

What should I do if I’ve downloaded a fake app?

If you installed a fake version of Curve Finance or Rabby Wallet by mistake, be sure to uninstall the app from your device. On an iPhone, iPad, or iPod touch, press and hold on an empty area of the Home Screen until the apps start to wiggle, then tap the ⊖ (circled minus symbol) in the top-left corner of the app icon. (Learn more about uninstalling apps on an iPhone or iPad.)

If you installed the app on your Mac, you can drag it from the Applications folder to the Trash, as with other apps from the Mac App Store.

While the recent “LassPass” fake app could be installed on Apple Vision Pro, neither “Curve Finance” nor “Rabby Wallet” were compatible with visionOS, according to their App Store pages.

How can I keep my Mac safe from malware?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

How can I learn more?

We discussed the fake Rabby Wallet app on episode 332 of the Intego Mac Podcast.

Be sure to also check out our 2024 Apple malware forecast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.


About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.