- A fake Curve Finance app has been listed on Apple’s App Store, prompting a warning from the protocol’s developers. The app impersonates Curve and its creators appear fraudulent.
- Fake cryptocurrency apps have repeatedly made it onto major app stores like Apple’s and stolen users’ funds when downloaded. Examples include fake Trezor and Ledger apps that stole wallet keys.
- The recurring security incidents highlight the need for tighter vetting by app stores to prevent fraudulent crypto apps from duping users. Crypto holders also need to be cautious when downloading related apps.
Apple’s vetting process for apps has repeatedly failed to catch fraudulent crypto apps that steal users’ funds. The latest incident involves a fake app impersonating the decentralized finance protocol Curve Finance.
An Unauthorized Fake Curve Finance App
A fake Curve Finance app has been listed on Apple’s App Store, according to a February 14th warning issued by the protocol’s developers. “There is currently no official DeFi Curve app. Beware of scams,” Curve staff wrote. “A fake with our logo was spotted! Stay safe.”
The unauthorized Curve app lists “MK Technology Co Ltd” as its creator. Its official website, which is hosted on Google Sites, provides a single ProtonMail contact address along with a Curve Finance descriptor. There are no other apps created by MK Technology on the App Store.
The fake app, currently rated 4.6 out of 5 stars with nine reviews, promotes itself as “a powerful app for managing your borrowers and their loans.” Users can also allegedly play puzzle games in-app for entertainment.
It is unclear whether the app is simply misusing Curve’s brand without authorization, or if it is designed to steal users’ wallet assets through in-app features.
A History of Fake Crypto Apps on App Stores
Fake cryptocurrency applications have remained a persistent issue over the years. On June 21, 2022, Apple removed a malicious Trezor wallet app from the App Store. When opened, the fake app prompted users to enter their wallet seed phrases, allowing hackers to drain all of the users’ crypto.
Similarly, on November 5, 2021, Microsoft removed a fake Ledger app for the third time in two years. The app stole $588,000 across 38 transactions before its delisting.