As much as Apple defends its "iOS is a secure and private ecosystem" reputation, phishing and scam apps have always found a way into the Apple App Store. Even though Apple has tightened the App Store by letting users report fraudulent apps, the company has never been able to fully control the situation. And now, it seems that scammers have found another way to push these deceptive apps to users.

According to a report from security firm Sophos (via Ars Technica), an organized crime campaign known as "CryptoRom" has found a way to distribute fake cryptocurrency apps to iPhone users through TestFlight.

For those unaware, TestFlight is a tool created by Apple to help developers beta-test their apps. It allows iOS developers to invite up to 10,000 users to install their app. An app distributed through TestFlight is not required to pass the App Store review process, nor does it need to be published on the App Store at all. Users install the app directly through the TestFlight app.

Because the app does not go through the review process, Apple has no visibility into what the app actually does and cannot tell whether it is malicious. Scammers are now using this loophole to distribute scam apps to users.

“Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange,” Jagadeesh Chandraiah, a malware analyst at security firm Sophos wrote. “We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach.”

In addition to using TestFlight, scammers are also using web apps to promote their malicious cryptocurrency apps. Web apps can be installed directly on an iPhone using Safari's "Add to Home Screen" option, which bypasses the App Store entirely. Apple says that people should not install apps from unknown sources, even if they are distributed through its own TestFlight tool.