Apple TestFlight Can Spread Malicious Apps on iOS

Apple, as you might know, lets developers distribute pre-production apps and games for beta testing by directly inviting users via links that open in the TestFlight app. Developers can use TestFlight to invite up to 10,000 users to beta test an app or a game. Now, a recent report from security firm Sophos suggests scammers are using the same platform to distribute malicious apps to iPhone and iPad users.
With this, cybercriminals are stealing money from users without their knowledge. The fake malicious apps are convincingly disguised as real ones, so people trust them when making transactions.
As the apps and games that are distributed through TestFlight do not go through Apple’s App Store review process, an organized crime campaign dubbed “CryptoRom” took advantage of this loophole and is distributing fake and malicious cryptocurrency apps to iOS and iPadOS users.
“Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange,” reads the in-depth report by one of Sophos’ malware analysts, Jagadeesh Chandraiah. Furthermore, the CryptoRom scammers are also distributing malicious applications disguised as legitimate web apps, or WebClips, that users can pin to the home screens of their iPhones and iPads. As these are not distributed through Apple’s trusted App Store, they bypass the App Store review process, much like the TestFlight apps and games. CryptoRom also affects Android users.
Apple has not yet addressed this issue officially, though it warns users to avoid downloading untrusted apps from unknown sources. The company also has a dedicated support page where users can learn more about phishing attacks and other scams. So, if you beta test applications and games through TestFlight on your iPhone or iPad, we’d suggest you stay away from any kind of sketchy crypto app, or any other suspicious app, to avoid privacy and financial risks.