The Apple App Store is still considered one of the safest places from which to download mobile apps. Apps are curated and reviewed before they are listed, and reported security problems are usually addressed by Apple quickly.
However, a new scheme is emerging that can put your hard-earned cash at risk. More alarmingly, the scammers are apparently using App Store loopholes, rather than any software vulnerability, to pull it off.
A security researcher recently found that a suspicious App Store app is gaming the store's advertising platform and could be earning tens of thousands of dollars a month by tricking people into subscribing to fake services.
Researcher Johnny Lin wrote in a post on Medium that, by analyzing the top-grossing apps in the App Store, he had uncovered an ongoing scheme that exploits loopholes in the in-app purchase system and in the store's new "Search Ads" feature.
He became suspicious of one top productivity app in particular. Rubbing shoulders with top legitimate apps from the likes of Dropbox, Evernote, and Microsoft was this poorly designed app called “Mobile protection :Clean & Security VPN.”
Mobile protection :Clean & Security VPN
According to the app's description, it is a VPN service that routes your traffic through a third-party server.
One red flag is that the app is published by an individual rather than a company, which is unusual for a real VPN service. Another is the app's grammatically broken title and description, which list features that make no sense or do not exist.
With all these red flags, how has this app consistently ranked among the top-grossing App Store apps over the last two months?
Digging deeper, Lin worked out how this bogus app can generate up to $80,000 a month, enough to keep it near the top of the App Store charts. The scheme is now being copied by other "clone" apps.
Gaming the App Store's "Search Ads"
First, the scammers found a way to exploit the App Store's "Search Ads" feature by taking advantage of the lack of filtering or approval for the ads themselves.
These are the ads that appear at the top of App Store search results, marked with a highlighted "Ad" label.
By bidding on the right search keywords, scammers can place a prominent ad for a bogus product that, together with the app's own listing, takes over the first screen of search results. Scammers now appear to be bidding on the same keywords and cloning both the bogus apps and the tactics.
In Lin's example, a search for "virus scanner" turned up an ad for another suspicious app, "Protection for iPhone — Mobile Security VPN", with a $99 in-app subscription option. (Note that a third-party "virus scanner" cannot actually do what it claims on iOS: the platform's sandboxing prevents one app from inspecting the files or memory of other apps.) That brings us to the next tactic.
Expensive in-app subscriptions
Lin notes that these bogus apps all seem to carry very expensive recurring subscriptions.
For example, "Mobile protection :Clean & Security VPN" offers a "FREE TRIAL" of an "anti-virus" feature, but accepting the trial actually starts a $99 per week subscription.
The confirmation step is the ordinary App Store purchase sheet, authorized with Touch ID. If you are used to approving purchases with a fingerprint and don't read the price and renewal period shown in the fine print, you can end up being charged $99 a week without realizing it.
With these figures, it takes only 200 subscribers to generate roughly $80,000 a month in revenue (200 × $99 × 4 weeks ≈ $79,200, before Apple takes its commission on in-app purchases).
Lin noted that "Mobile protection :Clean & Security VPN" was ranked #144 among free productivity apps by downloads, with about 50,000 downloads in April. At that rate, the app only needs to convert 0.4 percent of those users (200 of 50,000) into subscribers to reach that figure.
And since the subscriptions renew automatically every week until the victim cancels, the revenue accumulates and pushes these bogus apps up the top-grossing charts, which are ranked by revenue.
Coupled with the abuse of "Search Ads", this is an effective loop: the ads keep the bogus apps highly visible, visibility reels in more victims, and their subscription revenue keeps the apps on the best-selling charts. Rinse and repeat.
How to protect yourself
- Read the fine print. Be wary of apps that ask for Touch ID authorization to enable a "free trial"; the purchase sheet states the price and the renewal interval, so read it before you confirm. Also review the active subscriptions in your Apple ID settings for recurring charges an app may have slipped in through in-app purchases.
- Immediately report apps that abuse the in-app purchase system via Apple's iTunes Connect Contact Us form.
- Be extra vigilant when downloading apps, even from the official App Store. Check for poorly written descriptions and services the platform cannot actually provide. Since ratings can be faked as well, look at whether the reviews are sufficiently detailed and varied.
- Don't trust App Store ads for now. Until Apple filters and screens these ads, they are a channel scammers can use to promote bogus apps.
Johnny Lin's full write-up is available on Medium.