Apple’s securely controlled App Store is bursting with scams
About 2 percent of Apple’s top-grossing apps were scams — and they cost people $48 million
Apple chief executive Tim Cook has long argued that Apple needs to control the distribution of apps on iPhones, otherwise the App Store will become a "flood market."
But among the 1.8 million apps in the App Store, scams are hidden from the public eye. Customers of several VPN apps, which allegedly protect users' data, complained in App Store reviews that the apps had told users their devices were infected to get them to download and pay for unwanted software. A QR code reader app that remains in the store tricks customers into paying $4.99 a week for a service already included in the iPhone camera app. Some apps deceptively present themselves as coming from big brands like Amazon and Samsung.
Of the top 1,000 apps in the App Store, about 2 percent are scams, according to an analysis by the Washington Post. And those apps cost consumers about $48 million while they were on the App Store, according to market research company Appfigures. The rate of the problem has never been reported. What’s more, Apple benefits from these apps because it takes a cut of up to 30 percent of all revenue earned through the App Store. The most common, according to The Post's analysis, are fleeceware apps that use authentic customer reviews to rise in the App Store and give apps a sense of legitimacy, assuring customers enough to pay for the high-quality service that is often offered elsewhere with a high level of official review for customers.
Two-thirds of the 18 apps The Post flagged to Apple have been removed from the App Store.
The most important company in U.S. history, Apple is facing unprecedented scrutiny of how it uses its power and is struggling to hold on to it, including in a blockbuster trial held last month. Regulators and competitors have focused on the App Store in particular: unlike app stores on other mobile operating systems, Apple's store faces no competition and is the only way for iPhone owners to download software to their phones without circumventing Apple's restrictions. With it, Apple maintains a strong hold on the distribution of software and on payments on its mobile operating system, called iOS.
Apple has long maintained that its exclusive control of the App Store is important in protecting customers, and that it allows only the best apps on its system. But Apple's exclusive control over how consumers access apps on iPhones can actually create an environment that gives consumers a sense of security, according to experts. Because Apple does not face any major competition and many consumers are locked into using the App Store on iPhones, there is little to encourage Apple to spend money on improving it, experts say.
"If consumers had access to other app stores or other distribution software, Apple would have taken this issue very seriously," said Stan Miles, a professor of economics at Thompson Rivers University in British Columbia, Canada.
"We hold developers at the highest levels to keep the App Store a safe and reliable place for customers to download software, and we will always take action against harmful apps to users," Apple spokesman Fred Sainz said in a statement to The Post. "Apple is leading the industry in practices that put the safety of our customers first, and we will continue to learn, improve our practices and invest in the necessary resources to ensure that customers are provided with the best possible experience."
Simon Willison, a software developer and former iOS developer, recently came across an app that was not what it claimed to be. Willison, who owns a Samsung TV, went to the App Store on his phone to install a compatible Samsung control app called SmartThings. An app called "Smart Things" came up, claiming to be a Samsung remote control. Willison paid $19 for the app. “I thought wow, Samsung has come down. They scolded me and cut off my remote?”
It turns out that the app was pretending to be a real Samsung product. His mistake, he said, "was to assume that the App Store review process was good." "I treat Apple with more respect than I did for Samsung."
Samsung did not respond to a request for comment. TV Cast Limited, the maker of Smart Things, did not respond to a request for comment.
Apple is not the only company with this problem: scams are also in Google's Play Store, which is available on its Android mobile operating system. But unlike Apple, Google does not say its Play Store is curated. Consumers can download apps from various stores on Android phones, creating competition between app stores.
Apple says it is constantly improving its methods for sniffing out scams and that they are usually caught within a month of hitting the App Store. In a recent news release, Apple said it had used new tools to verify the authenticity of user reviews and last year kicked 470,000 app developer accounts out of the App Store. Developers, however, can create new accounts and continue to distribute new applications.
Apple may unintentionally be helping the most sophisticated scams by eliminating the vast majority of the less sophisticated ones during its app review, says Miles, who authored a paper called "The Economics of Scams."
"If people believe in or are not worried about fraud, then there will be a lot of harassment," he said. Miles also said that Apple may warn consumers that some apps are "probably fraudulent so buyers be careful and do their homework before buying an app and don't trust our store."
Apple has argued that it is the only company with the resources and ability to police the App Store. In a lawsuit brought against Apple last month by Epic Games, the maker of the popular video game "Fortnite," for allegedly abusing its exclusive control, Apple's central defense was that competition would loosen protections against unwanted apps that endanger customers' security. A state judge in the case said he could rule in August.
The spread of scams on Apple's App Store has played a major role in the case. Apple's lawyers were so focused on the company's role in making the App Store safer that Epic's lawyers accused them of trying to scare the court into ruling in Apple's favor. In a series of internal emails disclosed during the trial that date back to 2013, Apple's Phil Schiller, head of the App Store, expressed disappointment when fraudulent apps got past App Store review.
After a version of the video game Temple Run became a top-ranked app, according to Schiller's email exchange, he sent an angry message to other Apple executives in charge of the store. “Do you remember our talk about getting bad apps with low ratings? Do you remember our talk about being 'Nordstroms' for stores in terms of service quality? Does the obvious crash of the famous Temple Run, with the exception of screenshots, trash marketing text, and almost every 1 star rating become the #1 free app in the store?” Schiller asked his team. “No one is reviewing these apps? Doesn't anyone care about the store?” Apple declined to comment on Schiller's comments. During the trial, Schiller defended the App Store's security on the stand. The app review process is “the best way we can get… to make it safer and more unfair.”
Eric Friedman, head of Apple's Fraud Engineering Algorithms and Risk unit, or FEAR, said Apple's review process "is like a beautiful lady greeting lei at a Hawaiian airport with a drug-sniffing dog," according to a 2016 internal email disclosed during the Epic Games trial. Apple uses a 500-person app review team, which sifts through submissions from developers. "The app update brings a plastic box knife to the gun battle," Friedman wrote in an email. Apple declined to make Friedman available for comment. In testimony, Friedman pointed to investments Apple has made to stop fraud. “A lot has changed in the last five years,” he said.
Although the App Store rating section is full of customer complaints referring to apps as scams, there is no way for Apple customers to report this to Apple other than by contacting a regular Apple customer service representative. Apple used to have a button, under the ratings and reviews section in the App Store, that said "report a problem" and allowed users to report inappropriate apps. Based on discussions between Apple customers on Apple's own website, this feature was removed sometime in 2016. Sainz said customers can now report apps through other channels.
"It hurts the environment in general that these things happen," said Jakub Vavra, a researcher at Avast, a security company that analyzed the App Store.
In an affidavit in the Epic case, Phillip Shoemaker, former head of the App Review team, said staff in his department often lacked technical knowledge of computer programming. They needed to know how to use the Mac and the iPhone, he said. "Qualities were able to breathe, they could think," he said. And they used to work at Apple's "Genius Bar" in the company's retail stores. It usually takes about 13 minutes to review a new app, Shoemaker said in his testimony. Shoemaker declined to comment.
At the April 21 hearing before the Senate Judiciary Committee, Apple chief executive Kyle Andeer defended the App Store against allegations of fraud and false reviews. "Unfortunately, no one is perfect," Andeer said. “But I think we have shown it over and over again, that we are doing a better job than others. I think one of the real dangers of unlocking an iPhone from side loading or third-party app stores is that this problem will only increase.” Apple declined to comment for Andeer.
Each day, Apple publishes a list of the top 1,000 apps that day. With information provided by market research firm Appfigures, The Post analyzed the top apps on the day of Andeer's testimony.
On the day of the testimony, there were 18 apps that The Post identified as scams among Apple's top apps. The Post defined a scam as any app that takes money from customers using deceptive tactics, including manipulated ratings and reviews and strategies that can trick people into paying for something by mistake or because they believe they have no choice. The Post also searched for keywords in the app review section and for patterns of complaints from customers who felt confused or cheated.
Five VPN apps (Prime Shield, Spy Block, Secure & Fast VPN Protector, CyGuard VPN and Upcure) raised red flags because of suspicious ratings and user complaints in the App Store. VPN apps are designed to protect user privacy by routing Internet traffic through a remote server. However, because they route all traffic from the phone, they may also obtain passwords and sensitive login details.
In all five cases, Apple customers complained in the review section that they had been lured to the apps by fraudulent advertising elsewhere on the Internet, known as "scareware," which frightened users into thinking their phone was infected.
The "support" link in the App Store for three of those apps leads to Russian websites that look almost identical to each other, suggesting that they may be owned by the same business using multiple Apple developer accounts.
Upcure was removed from the App Store before The Post contacted Apple. After The Post contacted Apple, the company removed the four other apps from the App Store. None of the apps' developers responded to requests for comment.
Apple also removed a separate VPN app that was not among the top 1,000 apps after inquiries from The Post. FirstVPN: WiFi Security Master was set up to tell users, “Malware detected! Thirty-six viruses were detected,” according to security researchers, and then to sell them antivirus for $13 a month. Users could see this notification after downloading the app, and it could be used as scareware to get them to sign up. The notification was not seen immediately after The Post downloaded the app. Security researcher Patrick Wardle independently found the message about 36 viruses hard-coded in the app's code. Traditional anti-virus software for iPhones does not exist at all because of Apple's restrictions on access to mobile software.
The FirstVPN software also contained images from Pornhub, Netflix and ESPN, according to security analysts who analyzed it. Wardle said the images appear to advertise the VPN app's ability to avoid copyright protection and filters for adult content.
Sainz said it is possible that not all customers who downloaded FirstVPN received the message about 36 viruses. He said Apple removed the app and pointed The Post to Apple's guidelines for VPN developers, which prohibit VPN providers from disclosing information to third parties. He would not say whether Apple notified the app's users of its removal. The FirstVPN developer did not respond to a request for comment.
Some scam apps were focused on dating or relationships. A dating app called Dates stood out for suspicious reviews and user complaints in the App Store. The app, which promises to "get close to someone you're already close to," requires upgrading to a premium account for $20 a month to respond to women who start messaging within seconds of registration. Its owner, a Latvian company called Battika SIA, did not respond to a request for comment. The app has not been removed from the App Store.
MatureDating, a dating app with suspicious reviews and inauthentic activity, was removed by Apple following questions from The Post. Laura Edison, director of NSI Holdings, MatureDating's parent company, said the inauthentic activity was caused by Apple's latest privacy changes, which force apps to ask users if they want to be tracked. Edison said NSI Holdings used tracking to stop fraudulent users.
Another dating app, CooMeet, also asks users for money to continue chatting with women. Its apparent owner, Comewel Limited, did not respond to a request for comment. CooMeet was removed from the App Store after The Post asked an Apple spokesman to comment. On June 3, CooMeet returned to the App Store, but this time under the name of a new developer, Gartwell Limited, based in Belize City.
Some suspicious applications identified by The Post did not respond to comment requests.
For one type of scam, there is evidence that the Apple store is safer than Google's. Avast analyzed both the Apple and Google app stores in March, looking for fleeceware apps. The company found 134 in the App Store and 70 in the Google Play Store, with more than a million downloads, about half on Android and half on iOS, and $365 million in revenue on Apple and $38.5 million on Android. Most of the victims were in America.
“Google Play is reviewing applications before they are published. This process involves a team of experts in identifying violations of our developer policies at the beginning of the application life cycle,” said Google spokesman Scott Westover.
Vavra, an Avast researcher, said apps that charge weekly subscriptions are often suspicious. With weekly billing, prices seem low, and some customers will assume they are monthly without reading the fine print - and those fees can add up. In one case, Vavra found that a palm-reading app called FortuneScope costs about $3,432 a year. Russo-Bel-Remstroi, OOO, the developer of FortuneScope, did not respond to a request for comment.
Tip: Don't just look at an app's rating, which can be manipulated. Scroll down and read the reviews, too.
Most scam apps are highly rated. But a careful reading of the reviews may prove that some of them are not true. A quick online search shows that there are several services that sell good reviews in the App Store.
For example, QR Code Reader - QR Scan, which has earned $879,000 for a service that is built into iPhones, has a high 4.6-star rating and 16,000 reviews. But some of them have nothing to do with QR code scanning. "I've been going to see Annie Lover's nails for many years and she's always going the extra mile to provide a different job," writes one review. Another says, "I was taking the opportunity to get a dog training collar, and I can't say enough about it and how much it costs. Thank you !!!"
Air Apps, which owns QR Code Reader - QR Scan, did not respond to a request for comment.
This type of deception "can create a public perception that they are safe to download an app or purchase a product and engage in content that other people find important," said Renee DiResta, technology manager at Stanford Internet Observatory, who read non-Amazon reviews.
In some cases, reviews are performed with bots. High quality reviews use real people.
Saoud Khalifah, founder and chief executive officer of FakeSpot, which helps consumers spot fake reviews on websites like Amazon, said the company found that on average 25 to 30 percent of reviews in the App Store were fake. In 2019, Apple began sorting out “low-cost fruits,” Khalifah said. But the company still misses the most sophisticated methods of faking reviews, which include finding real people to submit them.
Sainz said Apple rejects about a third of all submitted ratings and reviews. He said the idea of what makes a review fake is subjective and that some reviews FakeSpot might consider inauthentic could have been written by real people.
There are sneakier ways to get good reviews. One such method was used by an app called “Streamer for Fire Stick TV,” which was rated at 4.4 stars and was estimated at 8.5 million. The app, which charges users $3 a month or a one-time $10 for a lifetime premium subscription, appears to be offered by Amazon but is not.
Its high ranking, however, appears to stem from a coding trick that exploits a bug in Apple's rating system. The code in the Fire TV app forces users to rate the app, restricting the user's ability to tap anything other than four or five stars. The code and the bug were detected using software developed by Corellium, a company that makes security research tools. The app developer did not respond to a request for comment.
"We have procedures in place to identify and investigate bad characters who use our brand to try to deceive the public, and we take steps to protect customers and hold bad actors fully accountable," Amazon spokesman Craig Andrews said in a statement in an email. (Amazon CEO Jeff Bezos owns The Washington Post.)
The app was first flagged by Kosta Eleftheriou, an app developer who has been a vocal critic of Apple for what he says are loose standards for apps. Eleftheriou, who makes typing apps that can be used by blind people, says he was frustrated when one of his apps was harmed by what he called scam apps using fake reviews to raise their rankings. In March, Eleftheriou sued Apple, alleging that the company abused its market power to harm small developers.
Eleftheriou says he has heard from many other app developers who are afraid to expose scams themselves for fear of offending Apple. His tweets about scams often prompt Apple to take the apps down. Apple removed the Fire Stick TV app the day after Eleftheriou wrote about it on Twitter.