Apple’s tightly controlled App Store is teeming with scams

By Reed Albergotti, Chris Alcantara

Apple chief executive Tim Cook has long argued it needs to control app distribution on iPhones, otherwise the App Store would turn into “a flea market.”

But among the 1.8 million apps on the App Store, scams are hiding in plain sight. Customers of several VPN apps, which purport to protect users’ data, complained in App Store reviews that the apps told them their devices had been infected by a virus to dupe them into downloading and paying for software they don’t need. A QR code reader app that remains on the store tricks customers into paying $4.99 a week for a function that is now built into the iPhone’s camera app. Some apps fraudulently present themselves as being from major brands such as Amazon and Samsung.

Of the 1,000 highest-grossing apps on the App Store, nearly two percent are scams, according to an analysis by The Washington Post. Those apps have bilked consumers out of an estimated $48 million during the time they’ve been on the App Store, according to market research firm Appfigures. The scale of the problem has never before been reported. What’s more, Apple profits from these apps because it takes a cut of up to 30 percent of all revenue generated through the App Store. Even more common, according to The Post’s analysis, are “fleeceware” apps: they use inauthentic customer reviews to move up the App Store rankings and borrow a sense of legitimacy from those reviews, then charge customers far more for a service that is usually offered elsewhere, by apps with genuinely higher customer reviews, for less.

Two-thirds of the 18 apps The Post flagged to Apple were removed from the App Store.

The most valuable company in U.S. history, Apple is facing unprecedented scrutiny for how it wields its power and is fighting to hold onto it, including in a blockbuster trial that concluded last month. Regulators and competitors have zeroed in on the App Store in particular: Unlike app stores on other mobile operating systems, Apple’s store faces no competition and is the only way for iPhone owners to download software to their phones without bypassing Apple’s restrictions. Through it, Apple keeps a tight grip on software distribution and payments on its mobile operating system, called iOS.

Apple has long maintained that its exclusive control of the App Store is essential to protecting customers, and it only lets the best apps on its system. But Apple’s monopoly over how consumers access apps on iPhones can actually create an environment that gives customers a false sense of safety, according to experts. Because Apple doesn’t face any major competition and so many consumers are locked into using the App Store on iPhones, there’s little incentive for Apple to spend money on improving it, experts say.

“If consumers were to have access to alternative app stores or other methods of distributing software, Apple would be a lot more likely to take this problem more seriously,” said Stan Miles, an economics professor at Thompson Rivers University in British Columbia, Canada.

“We hold developers to high standards to keep the App Store a safe and trusted place for customers to download software, and we will always take action against apps that pose a harm to users,” Apple spokesperson Fred Sainz said in a statement to The Post. “Apple leads the industry with practices that put the safety of our customers first, and we’ll continue learning, evolving our practices and investing the necessary resources to make sure customers are presented with the very best experience.”

Simon Willison, a software engineer and a former iOS developer, recently fell for an app that wasn’t what it presented itself as. Willison owns a Samsung television and went to the App Store on his phone to install the accompanying Samsung remote control app called “SmartThings.” An app called “Smart Things” popped up, claiming to be a remote for Samsung televisions. Willison paid $19 for the app. “I thought wow, Samsung has gone downhill. They’re nickel and diming me for my remote control?”

It turns out the app was pretending to be the genuine Samsung product. His mistake, he says, was an “assumption that the App Store review process was good,” he said. “I held Apple in higher regard than I did Samsung.”

Samsung did not respond to a request for comment. TV Cast Limited, the maker of Smart Things, did not respond to a request for comment.

Apple isn’t the only company that struggles with this issue: scam apps also appear on Google’s Play Store, available on its Android mobile operating system. But unlike Apple, Google doesn’t claim that its Play Store is curated. Consumers can download apps from different stores on Android phones, creating competition between app stores.

Apple says it is constantly improving its methods for sniffing out scams and usually catches them within a month of hitting the App Store. In a recent news release, Apple said it employed new tools to verify the authenticity of user reviews and last year kicked 470,000 app developer accounts off the App Store. Developers, however, can create new accounts and continue to distribute new apps.

Apple unwittingly may be aiding the most sophisticated scammers by eliminating so many of the less competent ones during its app review process, said Miles, who co-authored a paper called “The Economics of Scams.”

“If people do believe or are not worried about being scammed, then there’s going to be a lot of victimization,” he said. Miles also said Apple could warn consumers that some apps “are probably fraud and so buyer beware and you do your homework before you buy the app and don’t trust our store.”

Apple has argued that it is the only company with the resources and know-how to police the App Store. In the trial that Epic Games, the maker of the popular video game “Fortnite,” brought against Apple last month for alleged abuse of its monopoly power, Apple’s central defense was that competition would loosen protections against unwanted apps that pose security risks to customers. The federal judge in the case said she may issue a verdict by August.

The prevalence of scams on Apple’s App Store played a key role at trial. Apple’s lawyers were so focused on the company’s role in making the App Store safe that Epic’s attorneys accused them of trying to scare the court into a ruling in favor of Apple. In other internal emails unearthed during trial that date as far back as 2013, Apple’s Phil Schiller, who runs the App Store, expressed dismay when fraudulent apps made it past App Store review.

After a rip-off version of the Temple Run video game became the top-rated app, according to Schiller’s email exchange, he sent an irate message to two other Apple executives responsible for the store. “Remember our talking about finding bad apps with low ratings? Remember our talk about becoming the ‘Nordstroms’ of stores in quality of service? How does an obvious rip off of the super popular Temple Run, with no screenshots, garbage marketing text, and almost all 1-star ratings become the #1 free app on the store?” Schiller asked his team. “Is no one reviewing these apps? Is no one minding the store?” Apple declined to make Schiller available to comment. At trial, Schiller defended the safety of the app store on the stand. The app review process is “the best way we could come up with … to make it safe and fair.”

Eric Friedman, head of Apple’s Fraud Engineering Algorithms and Risk unit, or FEAR, said that Apple’s screening process is “more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug sniffing dog,” according to a 2016 internal email uncovered during the Epic Games trial. Apple employs a 500-person App Review team, which sifts through submissions from developers. “App Review is bringing a plastic butter knife to a gun fight,” Friedman wrote in another email. Apple declined to make Friedman available to comment. In deposition testimony, Friedman pointed to investments Apple has made to stop fraud. “A lot has changed in the last five years,” he said.

Though the App Store ratings section is filled with customer complaints referring to apps as scams, there is no way for Apple customers to report this to Apple, other than reaching out to a regular Apple customer service representative. Apple used to have a button, just under the ratings and reviews section in the App Store, that said “report a problem,” which allowed users to report inappropriate apps. Based on discussions among Apple customers on Apple’s own website, the feature was removed some time around 2016. Sainz said customers can still report apps through other channels.

“It’s detrimental to the general ecosystem that these things are happening,” said Jakub Vavra, a researcher at Avast, a cybersecurity company that has analyzed the App Store.

In a sworn deposition in the Epic lawsuit, Phillip Shoemaker, the former head of the App Review team, said employees in his department generally did not have a technical background in computer coding. They needed to know how to use a Mac and an iPhone, he said. “Qualifications were that they could breathe, they could think,” he said. And they typically worked at the Apple “Genius Bar” at the company’s retail stores. It typically took about 13 minutes to review a new app, Shoemaker said in the deposition. Shoemaker declined to comment.

In an April 21 hearing in front of the Senate Judiciary Committee, Apple’s chief compliance officer, Kyle Andeer, defended the App Store against allegations of scams and fake reviews. “Unfortunately, no one is perfect,” Andeer said. “But I think what we’ve shown, over and over again, is that we do a better job than others. I think one of the real risks of opening up the iPhone to side loading or third party app stores is that this problem will only multiply.” Apple declined to make Andeer available for comment.

Each day, Apple publishes a list of the top 1,000 grossing apps for that day. With data provided by market research firm Appfigures, The Post analyzed the top grossing apps on the day Andeer testified.

On the day of the testimony, there were 18 apps that The Post defined as being scams among Apple’s top grossing apps. The Post defined a scam as any app that takes money from customers using misleading tactics, including manipulated ratings and reviews as well as tactics that can trick people into paying for something accidentally or because they believed they had no choice. The Post also looked for keywords in the reviews section of the apps and patterns or complaints from customers who felt misled, tricked or scammed.

Five VPN apps – Prime Shield, Spy Block, Secure & Fast VPN Protector, CyGuard VPN and Upcure – raised red flags because of suspicious ratings and user complaints on the App Store. VPN apps are designed to protect a user’s privacy by routing their Internet traffic through a remote server. But because a VPN carries all of a phone’s traffic, its operator also sees every site the phone connects to and can read any passwords or login details sent over connections that aren’t otherwise encrypted.

In all five cases, Apple customers complained in the review section that they were drawn to the apps by misleading advertisements elsewhere on the internet, known as “scareware,” which scare users into thinking their phone has been infected by a virus.

The App Store “support” link for three of those apps leads to Russian websites that appear nearly identical to one another, suggesting they may be owned by the same entity using multiple Apple developer accounts.

Upcure was removed from the App Store before The Post contacted Apple. After The Post contacted Apple, the company removed the other four apps from the App Store. None of the apps’ developers responded to requests for comment.

Apple also took down a separate VPN app that wasn’t among the top 1,000 grossing apps after inquiries from The Post. FirstVPN: WiFi Security Master was programmed to tell users, “Malware detected! 36 viruses were found,” according to security researchers, then prod users for $13 a month to block the viruses. Users could have seen this notice after downloading the app, and it could have been used as scareware to get them to subscribe. The notice did not appear immediately after The Post downloaded the app. Security researcher Patrick Wardle independently found the message about 36 viruses embedded in the app’s code. Traditional anti-virus software for iPhones doesn’t exist, because iOS confines each app to its own sandbox and gives it no way to scan the rest of the phone; a VPN app reporting “36 viruses” cannot have counted anything.

FirstVPN’s software also contained images from Pornhub, Netflix and ESPN, according to security researchers who analyzed it. Wardle said the images appeared to advertise the VPN app’s ability to circumvent copyright protections and adult content filters.

Sainz said it may be that not all customers who downloaded FirstVPN received the message about the 36 viruses. He said Apple removed the app and pointed The Post to Apple’s VPN guidelines for developers, which prohibit VPN providers from disclosing data to third parties. He would not say whether Apple notified users of the app about its removal. The developer behind FirstVPN didn’t respond to a request for comment.

Other scam apps were focused on dating or relationships. A dating app called uDates stood out because of suspicious reviews and user complaints on the App Store. The app, which promises you’ll “get close with someone you’re already close to,” requires an upgrade to a premium account for $20 a month to respond to the women who began messaging within seconds of signing up. The app, owned by a Latvian company called Battika SIA, did not respond to a request for comment. It has not been removed from the App Store.

MatureDating, a dating app that had suspicious reviews and inauthentic activity, was removed by Apple after inquiries from The Post. Laura Edison, director of NSI Holdings, MatureDating’s parent company, said the inauthentic activity was caused by Apple’s recent privacy changes, which force apps to ask users whether they want to be tracked across other apps and websites. Edison said NSI Holdings had used tracking to stop fraudulent users.

Another dating app, CooMeet, also asks for money for users to continue chatting with women. Its apparent owner, Comewel Limited, didn’t respond to a request for comment. CooMeet was removed from the App Store after The Post asked an Apple spokeswoman for comment. On June 3, CooMeet was back on the App Store, but this time under a new developer name, Gartwell Limited, based in Belize City.

Other suspicious apps identified by The Post did not respond to requests for comment.

When it comes to one type of scam, there’s evidence that Apple’s store is no safer than Google’s. Avast analyzed both the Apple and Google app stores in March, looking for fleeceware apps. The company found 134 in the App Store and 70 on the Play Store, with over a billion downloads, about half on Android and half on iOS, and revenue of $365 million on Apple and $38.5 million on Android. Most of the victims were in the United States.

“Google Play reviews apps before they are published. This process involves a team who are experts in identifying violations of our developer policies earlier in the app life cycle,” said Google spokesman Scott Westover.

Vavra, the Avast researcher, said apps that charge weekly subscriptions are often suspicious. By charging weekly, the price looks lower, and some customers will assume it is monthly without reading the fine print – and those fees add up. In one case, Vavra found that a palm reading app called FortuneScope charged as much as $3,432 per year. Russo-Bel-Remstroi, OOO, the developer of FortuneScope, did not respond to a request for comment.

Another check: don’t rely only on an app’s overall rating, which may be manipulated. Scroll down and read the individual reviews, too.

Most of the scam apps are highly rated. But a careful read of reviews may reveal that some are not authentic. A quick internet search shows that there are several services that sell positive reviews on the App Store.

For example, QR Code Reader – QR Scan – which earned $879,000 for a service built into iPhones – has a high rating of 4.6 stars and 16,000 reviews. But some of those have nothing to do with QR code scanning. “I have gone to see Annie Lover’s Nails for years and she has always gone the extra mile to provide exceptional service,” one review reads. Another says, “I was taking a chance on getting the dog training collar, and I can’t say enough about it and how long it holds a charge. Thanks you!!!”

Air Apps, which owns QR Code Reader – QR Scan, didn’t respond to a request for comment.
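The signals The Post and Avast describe above (complaint language in reviews, a glowing displayed rating that the reviews themselves contradict, five-star reviews that have nothing to do with the app’s function, and weekly billing that annualises to a large sum) can be checked mechanically over listing data. The block below is an added example, not code from the article, Appfigures or Avast; the app records, review text, complaint vocabulary, thresholds and the annualised-price cutoff are all constructed assumptions for illustration.

```python
"""Heuristic scam-app triage over App Store listing data.

Added example. The listings, reviews and thresholds below are constructed
for illustration and are not real store records or The Post's methodology.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Phrases that, in a review, usually mean the customer felt misled (assumed list).
COMPLAINT_TERMS = ("scam", "fraud", "ripoff", "rip off", "misled", "tricked",
                   "virus", "charged me", "can't cancel", "cannot cancel")

# Assumed cutoff: a utility app costing more than this per year deserves a second look.
EXPENSIVE_PER_YEAR = 200.0
PERIODS_PER_YEAR = {"week": 52, "month": 12, "year": 1, "once": 1}


@dataclass
class Review:
    stars: int
    text: str


@dataclass
class Listing:
    name: str
    category_terms: Tuple[str, ...]  # words an on-topic review would plausibly use
    price: float
    period: str                      # "week", "month", "year" or "once"
    store_rating: float              # the average the store displays
    reviews: List[Review]            # a sample of the written reviews


def annual_cost(price: float, period: str) -> float:
    """Annualise a subscription price so weekly and monthly plans compare."""
    return round(price * PERIODS_PER_YEAR[period], 2)


def is_off_topic(review: Review, category_terms: Tuple[str, ...]) -> bool:
    """True when a review shares no vocabulary with what the app claims to do."""
    words = set(re.findall(r"[a-z']+", review.text.lower()))
    return not any(term in words for term in category_terms)


def triage(listing: Listing) -> List[str]:
    """Return the list of red flags raised by one listing, in a fixed order."""
    flags: List[str] = []
    reviews = listing.reviews
    n = len(reviews)
    if n == 0:
        return flags

    if listing.period == "week":
        flags.append("weekly_billing")
    if annual_cost(listing.price, listing.period) > EXPENSIVE_PER_YEAR:
        flags.append("expensive_annualised")

    # Share of reviews using complaint language.
    complaints = [r for r in reviews
                  if any(t in r.text.lower() for t in COMPLAINT_TERMS)]
    if complaints and len(complaints) / n >= 0.2:
        flags.append("scam_complaints")

    # Displayed rating is glowing, yet a solid block of the sampled reviews is 1-2 stars.
    low = sum(1 for r in reviews if r.stars <= 2)
    if listing.store_rating >= 4.3 and low / n >= 0.2:
        flags.append("rating_mismatch")

    # Praise that cannot be about this app (nail salons, dog collars, ...).
    off_topic_praise = [r for r in reviews
                        if r.stars >= 4 and is_off_topic(r, listing.category_terms)]
    if off_topic_praise and len(off_topic_praise) / n >= 0.25:
        flags.append("off_topic_praise")
    return flags


# Constructed sample listings (not real store data).
QR_SCANNER = Listing(
    "QR scanner (constructed)", ("qr", "scan", "scanner", "code", "camera"),
    4.99, "week", 4.6, [
        Review(5, "Annie Lover's Nails always goes the extra mile, exceptional service"),
        Review(5, "Took a chance on the dog training collar, holds a charge for days"),
        Review(5, "Great scanner, scans every qr code instantly"),
        Review(1, "Scam. Charged me $4.99 a week for what the camera app already does"),
        Review(1, "Tricked into a weekly subscription, cannot cancel"),
    ])

PALM_READER = Listing(
    "Palm reader (constructed)", ("palm", "reading", "fortune", "horoscope", "prediction"),
    65.99, "week", 4.5, [
        Review(5, "Accurate palm reading, loved the horoscope"),
        Review(1, "$66 a week?! I thought it was monthly. Total ripoff"),
        Review(5, "Fun fortune predictions"),
        Review(2, "Can't cancel, charged me again"),
    ])

PLAIN_NOTES = Listing(
    "Plain notes (constructed)", ("notes", "note", "sync", "folders", "text"),
    9.99, "year", 4.7, [
        Review(5, "Simple notes app, sync works"),
        Review(4, "Good note taking, folders could be better"),
        Review(5, "Fast and clean text editor for notes"),
        Review(3, "Wish the notes synced faster"),
    ])

if __name__ == "__main__":
    for listing in (QR_SCANNER, PALM_READER, PLAIN_NOTES):
        print(listing.name, annual_cost(listing.price, listing.period), triage(listing))
```

The point of keeping the store’s displayed rating separate from the sampled reviews is that the two are produced differently: the average can be inflated by purchased ratings, while the written complaints are harder to bury, so the mismatch itself is the signal. Thresholds here are guesses; on real data they would be tuned against a labelled set of known fleeceware.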

This type of manipulation can “create the perception for the public that they are safe downloading an app or buying a product and engaging in content that other people have found valuable,” said Renee DiResta, technical research manager at the Stanford Internet Observatory, who has studied fake reviews on Amazon.

In some cases, the fake reviews are posted by bots. Higher-quality fake reviews are written by real people.

Saoud Khalifah, founder and chief executive of FakeSpot, which helps consumers detect fake reviews on websites like Amazon, said the company has found that on average about 25 to 30 percent of reviews on the App Store are fake. In 2019, Apple began filtering out the “low hanging fruit,” Khalifah said. But the company still misses the more sophisticated methods of fake reviews, which involve getting real people to post them.

Sainz said Apple rejects about a third of all submitted ratings and reviews. He said the idea of what makes a review fake is subjective and that some reviews FakeSpot might consider inauthentic may be done by real people.

There are sneakier ways to get good reviews. One method was employed by an app called “Streamer for Fire Stick TV,” which was rated 4.4 stars and had 8,500 ratings. The app, which charged users $3 a month or a one-time fee of $10 for a lifetime premium subscription, appears to be offered by Amazon but is not.

Its high ranking, though, appears to come from a coding trick that exploits a bug in Apple’s ratings system. The code in the Fire TV app forces users to rate the app, blocking the user’s ability to click on anything but four or five stars. The coding trick and the bug were discovered using software created by Corellium, a company that makes security research tools. The developer of the app didn’t respond to a request for comment.

“We have processes in place to identify and investigate bad actors that use our brand to attempt to deceive the public, and we take action to protect customers and hold bad actors accountable to the fullest extent of the law,” Amazon spokesman Craig Andrews said in an emailed statement. (Amazon chief executive Jeff Bezos owns The Washington Post.)

The app was first noticed by Kosta Eleftheriou, an app developer who has been a vocal critic of Apple for what he says are lax standards for apps. Eleftheriou, who makes typing apps that can be used by blind people, says he was frustrated when one of his apps was being hurt by what he calls scam apps that used fake reviews to move up in the rankings. In March, Eleftheriou sued Apple, claiming the company abused its market power to hurt small developers.

Eleftheriou says he has heard from dozens of other app developers who are afraid of exposing scams themselves for fear of upsetting Apple. He tweets about the scams, often prompting Apple to delete them. Apple removed the Fire Stick TV scam a day after Eleftheriou tweeted about it.
