Abuse of Apple Search Ads Feature Leading to Fraud

Apple has removed one of its top 10 grossing productivity apps after an independent developer’s story about fraudsters’ abuse of the App Store’s Search Ads functionality went viral.

Search Ads is a new feature available to iOS developers that allows them to invest in the promotion of their apps. Ads display a small blue icon signifying an advertisement, but otherwise, they’re nearly indistinguishable from search results.

Developer Johnny Lin posted a report on his analysis of the fraud and said that some developers are clearing $80,000 a month on shady apps that don’t deliver on their promises. That includes a mobile VPN called “Mobile protection “Clean & Security VPN”, which ranked 10th as of June 7.

“They’re taking advantage of the fact that there’s no filtering or approval process for ads, and that ads look almost indistinguishable from real results, and some ads take up the entire search result’s first page,” Lin wrote. “Later, I dug deeper to find that unfortunately, these aren’t isolated incidents — they’re fairly common in the app store’s top grossing lists. And this isn’t just happening with security related keywords. It seems like scammers are bidding on many other keywords.”

Lin told Threatpost that after his story got some attention on social media and in the press, Apple removed the mobile VPN app and others. Several requests for comment from Apple were not returned prior to publication.

“Like many others, I’ve been reporting scam apps for a while now. And of course, Apple is aware of the 1-star reviews that call these apps scams outright. Unfortunately, Apple has been really slow at taking down scam apps through the regular reporting methods, and actually in some cases don’t take them down at all,” Lin said. “But after this article went viral, Apple took down the referenced apps quickly. I think a little public attention is what it took for them to escalate. There are still many cases of scam apps like this outside of the ones I mentioned, though.”

Lin said that in spite of the poor grammar and punctuation associated with the VPN app’s title and description, the app was bringing in $80,000 a month in revenue, according to Sensor Tower, an app analytics platform.

The VPN app serves as a prime example of the fraud arising from abuse of Search Ads. It was written by an independent Thai developer and had been a top 20 grossing productivity app since April. Lin said that upon download and launch, the app requests access (rendered as “cccess” in the app) to the user’s contacts; the only option provided is to agree. It then offers the user three scanning options, plus a “Secure Internet” option that offers the user the opportunity to play a bubble game.

The next hiccup is an in-app offer for a free antivirus trial: it brings up Touch ID for verification, and confirming with a fingerprint also initiates a seven-day auto-renewing subscription at $99.99 a week.

“Buried on the third line in a paragraph of text in small font, iOS casually tells me that laying my finger on the home button means I agree to start a $100 subscription. And not only that, but it’s $100 PER WEEK? I was one Touch ID away from a $400 A MONTH subscription to reroute all my internet traffic to a scammer?” Lin wrote. “I guess I was lucky I actually read the entire fine print. But what about other people?”

This one app, at $80,000 a month (a mere 200 victims from 50,000 downloads), would generate close to $1 million annually, with Apple taking 30 percent of that income, Lin said.

Lin called the App Store’s Search Ads product “immature” and said that, aside from looking too much like search results, ads sometimes take up an entire page of search results.

“For full-time developers like myself, it’s such a shock and disappointment to see the wrong behavior being rewarded. I have hope that Apple will do the right thing eventually, because they’re a company with long-term thinking,” Lin said. “Maybe this has been on their radar for a while, but they haven’t been taking it seriously enough.”

Victims are urged to disable subscriptions, demand refunds and report these types of scams to Apple. Lin also suggests a better user interface on Touch ID subscriptions, easier cancellations of subscriptions, and the introduction of fraud and abuse protections into Search Ads.

“The ads I’m referencing show up right in the app store when you do searches,” Lin said. “One of the problems is that most users don’t even know that the top result on their search is a paid ad—they look almost identical to the actual results.”