Bad Apple: App Store Rife with Fraud, Fleeceware

Malicious apps make up 2 percent of top grossing apps in Apple App Store.

A new analysis from the Washington Post reveals just how widespread fraud is across the Apple App Store, while also offering a glimpse of the revenue flowing into Cupertino from those malicious activities.

The Apple App Store has been under heightened scrutiny for maintaining its iron grip on the apps available to iOS users. CEO Tim Cook says the company’s monopoly on app access is necessary to maintain certain standards for safety and effectiveness.

But the data from The Post suggests otherwise, showing that of the top-1,000 grossing apps, almost 2 percent are scams. Notably, these apps have billed Apple customers $48 million while they’ve been available in the store, and Apple takes a 30 percent cut of every transaction. Once alerted to 18 fraudulent apps in the Store found by The Post, Apple took down two-thirds of them, according to the report.

Threatpost has not yet received a response from Apple regarding the report.

The Post gathered the top-1,000 grossing apps for the day, as reported by Apple, in order to conduct the analysis, drawing a dramatic contrast between the company’s public statements and its own data. It found an array of scam apps covering everything from fake VPN services to fraudulent dating apps and more. Fleeceware apps (which charge exorbitant subscription fees after a free trial period) and fake reviews used to drive up the ratings of fraudulent apps were also prevalent, according to the report.

“We hold developers to high standards to keep the App Store a safe and trusted place for customers to download software, and we will always take action against apps that pose a harm to users,” Fred Sainz, a spokesperson for Apple, said in a media statement. “Apple leads the industry with practices that put the safety of our customers first, and we’ll continue learning, evolving our practices and investing the necessary resources to make sure customers are presented with the very best experience.”

But economist Stan Miles argued in The Post that customers are being given a false sense that they are in a secure environment when, in fact, they aren’t. Miles added that the lack of competition is the reason Apple isn’t being forced to take security as seriously as it needs to.

Interestingly, even though Google doesn’t rely on a security argument to control app access (although it screens apps before they are published), The Post’s analysis found 134 fleeceware apps on the App Store and just 70 on the Play Store, earning $365 million and $38.5 million, respectively, lending credence to the idea that a false sense of security really is worse than nothing at all.

Epic Apple Emails

Annoyed by having to give up 30 percent of its revenue to the App Store, Epic Games, the publisher of the blockbuster game Fortnite, recently hauled Apple into a California court, arguing that its store is a monopoly the courts should break up. Besides getting Apple’s top leadership on the record about their business, the trial also unearthed a trove of emails showing internal company struggles, dating back years, over a lack of App Store security.

For instance, Eric Friedman, head of Apple’s Fraud Engineering Algorithms and Risk unit (FEAR), wrote in a 2016 email that Apple’s screening process for apps is “more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug-sniffing dog,” The Post reported.

Even Apple’s head of software engineering, Craig Federighi, ultimately testified in court last week that the level of malware on the Mac platform is “unacceptable.”

Apple’s App Store PR and Data Differ

On April 21, Apple’s chief compliance officer testified in front of Congress about the number of scam apps in the App Store. “Unfortunately, no one is perfect,” Kyle Andeer said. “But I think what we’ve shown, over and over again, is that we do a better job than others. I think one of the real risks of opening up the iPhone to side loading or third-party app stores is that this problem will only multiply.” That testimony draws a dramatic contrast between the company’s public statements and its own data.

Apple has dealt with a series of security woes lately. The company’s Find My Device function was recently found to be vulnerable to data theft, and in March, Apple rushed out a fix for a memory-corruption bug. The same month, cybercriminals targeted Apple developers with a trojanized Xcode project that installed a backdoor for spying and data exfiltration.

Epic Games also sued Google Play to get around paying the platforms’ 30 percent fees. The Apple case is now with the judge, and both parties are awaiting a ruling.

“Unfortunately, just by association, malevolent application developers on the AppStore have extended Apple’s circle of trust to apply to their apps quite easily,” Setu Kulkarni with WhiteHat Security told Threatpost. “Consequently, when an app is on the AppStore, the silent majority of everyday users just click and install without ever worrying about the provenance of the application. And why not? They’ve chosen to pay the high price of entry into the Apple ecosystem which touts privacy and security as some of its key benefits and differentiators.”

Considering Apple’s size, reputation and resources, the company certainly could be doing more to protect its customers from malicious apps, he added.

“While security professionals will continue to raise and spread awareness around digital safety, it is really Apple who has the proverbial megaphone to raise awareness amongst its customer base and also to ultimately ensure that the App Store does not become a vehicle for perpetrating fraud and scams,” Kulkarni said.
