Apple’s TestFlight is a tool created to help developers distribute their beta apps to users before they are released on the App Store to everyone. However, scammers have been using the platform to distribute malicious apps without Apple’s knowledge.

As reported by security firm Sophos (via ArsTechnica), an organized crime campaign known as “CryptoRom” has been distributing fake cryptocurrency apps to iOS and Android users. While it’s easier to install apps outside Google Play on Android due to the sideloading process, iOS users can only download and install apps from the App Store in theory.

Unfortunately, the scammers have realized that they can use an official Apple platform (in this case, TestFlight) to create and distribute the same malicious apps to iPhone and iPad users. With TestFlight, developers can invite up to 10,000 testers to install their beta apps, which don’t pass through the App Store review process since the platform is intended for testing pre-release software.

As a result, Apple has no idea that the scammers are distributing a malicious app as a beta app, and any iOS user with TestFlight installed can download the app. The process of installing an app via TestFlight is quite easy, as the developer can even create a public download link instead of inviting each user with their email.

“Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange,” Jagadeesh Chandraiah, a malware analyst at security firm Sophos wrote. “We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach.”

The report also reveals that the scammers also promote malicious web apps (which are websites that can be added to the home screen of an iOS device to run as apps) to bypass the App Store review process.

Since changing how TestFlight works would affect developers, Apple emphasizes that users can avoid scams by not downloading and installing any software from unknown sources, even if it’s distributed through TestFlight. The company has a web page with tips on how to avoid phishing and other scams.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Filipe Espósito

Filipe Espósito is a Brazilian tech Journalist who started covering Apple news on iHelp BR with some exclusive scoops — including the reveal of the new Apple Watch Series 5 models in titanium and ceramic. He joined 9to5Mac to share even more tech news around the world.