Bloke robbed of $800,000 in cryptocurrency by fake wallet app wants payback from Google
I got played via the Play store
Last October, California resident Jacob Pearlman downloaded an Android version of a cryptocurrency wallet app called Phantom from the Google Play app store.
That was four months before San Francisco-based Phantom Technologies actually released an Android version of its digital wallet. The free Phantom Wallet app that Pearlman downloaded early from Google Play was a fake. And when he connected his actual Phantom wallet to the app, it cost him a small fortune.
"Less than 24 hours after downloading the fake 'Phantom Wallet' app from Google Play, Pearlman’s real Phantom wallet was drained of more than $800,000 worth of virtual currencies, including SAMO, USDC, ORCA, and SOL, as well as four additional NFTs," his attorneys recount in a lawsuit that seeks to recover the stolen funds from Google rather than from the bogus app's operator.
The complaint [PDF], filed in a Santa Clara County Superior Court, seeks to hold Google accountable for breaching its own warranty about its safety practices and its Terms of Service.
However, the court filing also states that Phantom on October 11, 2021 issued a public warning that Google's store was offering shoddy goods. Back then, the real Phantom offered its crypto wallet as a browser extension for Chrome, Brave, Firefox, and Edge. Today, it provides iOS and Android versions as well as the browser add-ons.
"Phantom is NOT available on iOS or Android," the biz tweeted last year. "Using a fake Phantom mobile app will result in your funds being stolen. Please help us by reporting these apps when you see them in the app stores."
Users responded to that warning, lamenting that they had been scammed, and the following day Phantom said, "We've had eight different apps removed this week alone. We can only remove them as quickly as Google responds to our takedown requests."
Nonetheless, Google appears to have been unable to keep cryptocurrency-stealing fake apps out of Google Play.
"Despite Phantom’s efforts to keep fake Android apps off the Google Play store, and notwithstanding Google’s obvious notice that it was offering fraudulent 'Phantom Wallet' apps for download, days later, on October 21, 2021, Pearlman was able to, and did, download one," Pearlman’s complaint stated.
The court filing argues that by offering apps through Google Play, the Chocolate Factory represents that those apps are safe and warrants through its Terms of Service that it oversees its services with reasonable care.
Google, the complaint says, "breached its own warranty and Terms of Service by offering a fraudulent app, failing to warn Pearlman that the app may be unsafe, and failing to block Pearlman’s download of the app."
Asked to comment, Google did not immediately respond.
Google has asked for more time to respond, and the judge determined that the case was complex, necessitating more time. A case management conference is scheduled for next week.
If Pearlman is able to recover $800,000 from Google, the lawsuit looks likely to be a better investment than the stolen mix of cryptocoins, thus far. Since October 21, 2021: SOL is down about 80 percent from $196.43; ORCA is down about 92 percent from $12.42; SAMO is down about 55 percent from its $0.029 price; and USDC, pegged to the dollar, remains more or less the same.
If Phantom sounds familiar, it's because it was caught up in an attack on Slope wallets this week during which millions of dollars in cryptocurrencies were stolen from roughly 8,000 wallets. ®