A number of fake Bitcoin wallet mobile apps have been added to the iTunes App Store run by Apple, Inc. very recently, according to a representative from Breadwallet LLC who posted on Reddit. The fake wallets use the same, or very similar, names to existing official mobile wallet apps, but presumably open the user to having their accounts compromised and coins stolen.

In the words of breadwallet_dan on Reddit, here’s a list of the offending apps:

Here are the new wallets we’ve noticed so far with their exact naming. Please be cautious:

GreenAddress – Bitcoin Wallet https://itunes.apple.com/us/app/greenaddress-bitcoin-wallet/id1139753685?mt=8

Simple Bitcoin Wallet https://itunes.apple.com/us/app/simple-bitcoin-wallet/id1138700421?mt=8

Simple Bitcoin Wallet ™ https://itunes.apple.com/us/app/simple-bitcoin-wallet/id1140433170?mt=8

GreenBits Bitcoin Wallet https://itunes.apple.com/us/app/greenbits-bitcoin-wallet/id1138675915?mt=8

Bitcoin Wallet https://itunes.apple.com/us/app/bitcoin-wallet/id1137555856?mt=8

Bitcoin Armory Wallet – bitcoin offline wallet https://itunes.apple.com/us/app/bitcoin-armory-wallet-bitcoin/id1139569125?mt=8

Blockchain – Offline Bitcoin Wallet https://itunes.apple.com/us/app/blockchain-offline-bitcoin/id1140411956?mt=8

BitcoinCore – Bitcoin Wallet https://itunes.apple.com/us/app/bitcoincore-bitcoin-wallet/id1140170409?mt=8

Do not download any of these apps, the links above are just for reference. Hopefully as Apple begins to purge these fake apps these links will each stop working.

In the meantime, Bitcoin wallet users should use links provided on the official websites for the wallet they want to use instead of going through iTunes (or Google Play). This way a user can be sure that the wallet app they are looking at is the official one intended to be downloaded and used by the developer of that app.

Screenshot via GreenAddress website

For example, above the fake “GreenAddress” wallet on iTunes has an id number of “id1139753685” but when SiliconANGLE went to GreenAddress’s website it opens up a page for the official GreenAddress iOS app with the id number of “id889740745.” The fake GreenAddress wallet also says that it is from “Green Address” but the official GreenAddress wallet lists “Jersey Studios” as developer.

This is similar for every link discovered by Breadwallet; each one differs from the app linked from the official website. Clearly it would behoove users to use links only from trusted sites (such as the official developer).

Apple’s app review process flawed, failing to stop numerous fake apps

It is apparent that Apple’s review and vetting process of new apps is not up to snuff as this is not the first time that a fake wallet was added. According to Breadwallet, a fake app pretending to be from the company was added to the App Store on July 29th—to sell the fraud, the fake app used the same name and icon as the official Breadwallet app.

Breadwallet took immediate action and had it removed by contacting Apple, however not before a few customers inadvertently downloaded the fake and reported stolen funds.

“For a long time, it seemed as though Apple’s tight controls over its ecosystem were a fairly impenetrable measure against nefarious applications, malware, and junk,” says John Casaretto, founder of BlackCert, SSL security certificate company. “Clearly, that is not the case anymore and in an instant, the Application Development Signing Certificates, the Apple Developer Program, and the application review process are all negated by a handful of malicious apps that have made their way through. It goes to show that assumptions can get people in trouble, especially when a financial target such as Bitcoin is involved. The best practice is to stick to the source and official apps to stay on the safe side.”

This is also not the first time that mobile apps have appeared that could target people with Bitcoin wallets. Since the beginning of its popularity, Pokémon GO had third-party downloadable APKs (Android apps), some of which were infected with malware; as previously reported, these sort of backdoored apps could compromise security on Bitcoin wallets stored on the same mobile device.

This is not just a problem for iTunes, fake apps sneak into Google Play for Android and other marketplaces as well in 2012 numerous fake apps were revealed in Google Play, many of them Trojans masquerading as games or other popular apps. And in 2016, amusingly named “porn clicker” malware infected apps began to spread through the Android ecosystem.

When using mobile Bitcoin wallet apps on a phone better be safe than sorry

As mentioned above, the mobile markets such as the Apple App Store cannot be trusted to deliver the proper name-brand application. Therefore, it is suggested that users go through the official websites of the desired wallet and use their own links to avoid any confusion.

According to a report from security outfit Kaspersky Lab, mobile malware tripled in 2015 over 2014 with 884,774 new malicious programs were detected. The number of mobile banking Trojans, fake apps designed to look like mobile banking apps (similar to fake Bitcoin wallets but for banking instead), decreased to 7,030 from 16, 586 in 2014, but that’s still a noticeable number.

Users should brush up on their mobile security and can start with this resource from MalwareBytes Lab. Numbers 4 (install anti-virus) and 5 (download only from trusted sites, already mentioned) in particular would be necessary to defend against mobile malware. There are a few likely candidates on the market for mobile anti-virus such as from Avira, Avast Antivirus and Lookout (there are Android and iTunes versions of these apps).

Featured image credit: Virus via photopin (license)