Apple’s App Store is in the spotlight as the company works through its Senate antitrust hearing and its lawsuit with Epic Games, and Apple is presenting itself as an effective gatekeeper. It has boasted of stopping some $1.5 billion in attempted app fraud in 2020 and of removing roughly one million malicious apps. The case, however, has highlighted that complaints of app-based scams remain common in spite of all of this activity, and independent security researchers continue to identify approved, live App Store apps that are fleecing Apple device users out of millions of dollars.
Big ticket app fraud persists in spite of Apple’s sophisticated countermeasures
As part of a PR effort that coincides with its court battle with Epic Games over App Store practices, Apple has issued a press release describing its proactive policing of malicious apps. The company claims to have prevented $1.5 billion in app fraud in 2020, a figure it bases on identifying and removing one million fraudulent accounts and blocking some three million stolen credit card numbers. Among the roughly one million malicious apps removed were 215,000 that committed privacy violations, 150,000 that spammed or misled users, and 48,000 that contained hidden or undocumented features.
A recent trend that Apple identifies is the “bait and switch” app, or an app that gets initial approval by having some innocuous function and then switches to something illegal once it is available for download on the App Store. These include apps that offer pornographic content, predatory loans and real money gambling. These apps are often propped up by fraudulent ratings and reviews; Apple claims to have reviewed one billion ratings and has removed 250 million reviews in total, using a combination of automated tools and human review.
At a glance, it would appear that Apple has its app fraud detection and content moderation well in hand. And the disclosure represents a new level of transparency in these processes from Apple, which has been criticized in the past for not being specific enough about what developer program guidelines publishers are breaching in its rejection notices. But Epic, along with independent security researchers and privacy advocates, contends that the App Store processes are still not nearly good enough to keep malicious apps out of the “walled garden.”
The best-known example of a “bait and switch” app to date is Adware Doctor, one of the most popular paid apps on the Mac App Store until it was pulled in 2018. Under the guise of protecting the user’s device from malicious software, Adware Doctor was secretly exfiltrating user data (such as browser history and lists of running processes) to a server in China. Critics contend that deceptive and malicious apps of this kind are still easy to find within Apple’s supposedly secure ecosystem.
Security researcher Kosta Eleftheriou has made something of a career out of discovering this type of app fraud. His current focus is on abusive apps that lure users in with some fake element, such as purchased positive reviews or “free trials” that convert to recurring subscriptions and are extremely difficult to cancel. These scams flourish because of several gaps in Apple’s quality control: weak policing of reviews, repeat offenders who continue to operate openly without being removed from the store, and long waits (sometimes months) for a response when complaints are filed against malicious apps. Data collected by Eleftheriou indicates that this type of app fraud is aimed primarily at less sophisticated users who put too much stock in the star-rating average the App Store prominently displays, a number that is easy to inflate artificially; half of the users taken in by these scams do not work out how to cancel the recurring billing until at least two months have passed.
Malicious apps threaten to undermine Apple’s case
One of the central points of contention in the Apple v. Epic antitrust case is the 30% commission Apple requires of app developers, and one of Apple’s central justifications for it is the thoroughness and quality of its app review and fraud-detection process. That argument is undermined if malicious apps and abusive activity are flourishing on the platform.
Another issue raised in the case is that Apple may have suppressed some of the evidence of app fraud. As reported by Ars Technica, an internal company email entered into the court record revealed that in 2015 Apple had found 2,500 malicious apps that had been installed by some 128 million users. (This was the XcodeGhost incident, in which a trojanized copy of Xcode circulated among developers and inserted malicious code into otherwise legitimate apps at build time, so the apps passed review.) In the email chain, Apple vice presidents and PR staff debated sending a notification to the affected users before ultimately deciding not to. The incident was disclosed only in a Chinese-language blog post that has since been removed from the company’s website.
iPhone users might reasonably expect that some small-time fraudulent apps will slip through the cracks from time to time, and some level of user caution is always required even on a supposedly secure platform. But some of the scams that Eleftheriou has uncovered have been operating for a long time, are prominently advertised, and are raking in big money. StringVPN, an app that openly violates platform rules and charges $10 per week, has been available for months and is estimated to earn $1 million per month. A fake cryptocurrency wallet app impersonating Trezor has stolen over $1 million, including $600,000 in Bitcoin from a single user. And an app that charges $10 a week for wallpapers that are freely available on the web remains available (and makes an estimated $10,000 per month) despite having been identified and reported to Apple in 2019.