SecureMac, Inc.

Checklist 272: All of the Apps You Need Are in the App Store (Except for the Ones That Aren’t)

March 25, 2022

Bad actors abuse TestFlight and WebClips to scam iOS users. Lessons in why you shouldn’t install apps from outside of the App Store.

Checklist 272: All of the Apps You Need Are in the App Store (Except for the Ones That Aren’t)

On this edition of The Checklist:

Abusing TestFlight for fun and profit

Ever wonder how iOS app developers test their apps before they release them in the App Store?

The answer is TestFlight. TestFlight is an Apple app that allows beta testers to run pre-release apps on their iPhones. Apple lets developers invite up to 10,000 users to try out an app, either by email or via public link.

Apple’s site describes the process:

When testers are invited to beta test your app, they’re prompted to install the TestFlight app from the App Store on their iPhone, iPad, iPod touch, Mac, or Apple TV if they don’t already have it installed. The TestFlight app makes installing betas simple, and you don’t need to keep track of UDIDs or provisioning profiles.

Sounds great, right? Well, it is — but like so many other good things in the world of tech, the bad guys have found a way to weaponize it. As Ars Technica reports, scammers are now using TestFlight to distribute malicious apps to iOS users. 

Ars Technica says that Sophos, a security firm in the UK, has been tracking a digital crime campaign called CryptoRom. (The Sophos blog has a detailed overview of CryptoRom that’s worth reading in full.) Lately, the bad actors behind CryptoRom have been abusing TestFlight to trick unsuspecting users into installing fake cryptocurrency apps on their devices. The apps are fraudulent, although they look like well-known, legitimate crypto apps. You can probably guess the endgame here: They’re stealing money from people — in some cases, people’s life savings.

What WebClips are (and what they’re not!)

TestFlight isn’t the only Apple tool that CryptoRom scammers have been abusing. According to Sophos, they’ve also started using WebClips to make people believe they’ve installed a legitimate app on their device — when in fact they’re being directed to malicious websites.

WebClips aren’t apps, although they probably look like apps to most users. They’re basically just shortcuts to websites that live on an iOS Home screen. However, WebClips have the basic shape and appearance of an app icon, which is why they can be used to deceive. 

You can actually make a WebClip yourself, if you want: Tap the Share icon when you’re on any website, and the “Add to Home Screen” option will create a WebClip that links to the URL of the page you’re on.

WebClips can also be served up via URL. According to SecureMac’s Israel Torres, to use this in a malicious way would require a mix of social engineering to get the victim to install the attacker’s tools on their device and then, of course, the actual installation.

A malicious WebClip would, again, look more or less like an actual app (especially to less technical users). But in reality, it would simply link to a fraudulent website designed to harvest personal or financial data.

Lessons in iOS security

The takeaway here — both in terms of TestFlight as well as WebClips — is that the vast majority of iOS users should only install apps from the App Store

Are there exceptions to the rule? Not many. If your sister is an iOS app developer, and she wants you to test out her new app, fine. Or if your workplace’s IT group needs you to install an internal beta on your employer-issued device, then it would be OK. 

But for almost everyone, the best practice is: Never install an app that you didn’t get from the App Store!

Fake apps: a real-world example

If you think that this is the sort of thing that only happens in the rarest of cases, or to vulnerable users in high-risk environments … well, think again.

A friend of The Checklist wrote in to tell us that her mother had fallen victim to a fake app scam. The first sign of trouble was that her mom’s iPhone was constantly prompting her to re-enter her Apple ID password.

Our friend first tried to delete every account from the iPhone, thinking she could just get the device to a “blank slate” and start over again. But then she found an account that she couldn’t delete! It turned out that the mysterious account was actually a malware security profile. A malicious weather app had put it on her mother’s device. The profile had in turn installed a certificate on the iPhone that could allow a bad actor to steal credentials — not good, especially as her mom was using a banking app on that device!

The story has a happy ending: After a factory reset and lots of account password changes, our friend was confident that she’d done everything possible to protect her mother. But for the rest of us, the lesson is clear. This kind of thing can happen — and does happen — to everyday people.

So take a moment this week to let the folks in your life (especially the less tech-savvy ones) know that the only apps they’ll ever need … are in the App Store!

Do you have a cybersecurity or digital privacy question that you’d like to have answered on a future episode of The Checklist? Please drop us a line and ask!

Join our mailing list for the latest security news and deals