A very sophisticated scam on the App Store

A client just told me what happened while they were using Safari on their iPhone. They must have accidentally come upon a junky webpage while reading the news, because they got a message saying their iPhone was infected with viruses. They must have clicked on something that took them to the iOS App Store, where they were directed to download a real app called Altfast. This is what the App Store page looks like for that app.

The description for the app had images calling it “Super Helpful App” and claimed that the app was a super helpful voice recorder. There were 80+ reviews of the app. The top three reviews claimed that it is a magical voice recorder, and the developer responded about how they are so happy the product causes so many happy positive emotions.


It’s only after you launch the app that you see its nefarious side. When my client launched it, she was greeted with this:

The Altfast app was able to display this fake virus scam on an iPhone.

This was a very sophisticated scam. The people behind it were able to make an iOS app that was innocuous enough to pass Apple’s App Store review policies. Perhaps it even looks like a real app when you launch it normally. But all my client saw was the fake message about the viruses. Thankfully, their instincts kicked in and they didn’t believe what they were seeing. Had they clicked on the Remove viruses button, I believe one of a couple things would have happened. Either the app would have initiated a phone call to a fake virus scam call center, or it might have tried to download a profile to the phone.

The iOS operating system is super restrictive, so it actually does a very good job of limiting the damage that could have been achieved by the scammers. The most effective techniques for the scammers would be to trick the user into calling a call center where a phone operator could try to take their banking details, or else using a profile to program the phone to subscribe to a calendar with fake virus alerts or route their search traffic through a VPN. Installing a profile is something that requires the user to click an Install button on the screen.
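As an added example (not part of the original post or of any Apple tool), this Python sketch shows how a `.mobileconfig` profile can be inspected before anyone taps Install, flagging the calendar-subscription and VPN payloads described above. The sample profile and its host name are constructed, and the root-certificate payload is included as an assumption about what else is worth flagging.

```python
import plistlib

# Payload types for the abuses described above (calendar subscription, VPN).
# The root-certificate entry is an added assumption about what else to flag.
RISKY_PAYLOADS = {
    "com.apple.subscribedcalendar.account": "subscribes the device to a remote calendar",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.security.root": "installs a trusted root certificate",
}

def audit_profile(data):
    """Return one finding per risky payload in an unsigned .mobileconfig plist."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        raise ValueError("not a plain plist (signed or corrupt profile?)") from exc
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append({
                "type": ptype,
                "name": payload.get("PayloadDisplayName", "(unnamed)"),
                "why": RISKY_PAYLOADS[ptype],
                # Calendar host or VPN type, when the payload carries one.
                "detail": payload.get("SubCalAccountHostName") or payload.get("VPNType"),
            })
    return findings

# Constructed sample profile: one calendar subscription and one Wi-Fi payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Device Protection",
    "PayloadContent": [
        {"PayloadType": "com.apple.subscribedcalendar.account",
         "PayloadDisplayName": "Security Alerts",
         "SubCalAccountHostName": "calendar.example.invalid"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Office Wi-Fi"},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(f"{finding['name']}: {finding['why']} ({finding['detail']})")
```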

So how did these people get past the App Store review? They probably hid the fake virus screen through some kind of obfuscation (perhaps the screen is just an image downloaded from a malicious website). And then I think the scammers set up accounts to write fake glowing reviews that could be promoted to the top of the reviews by other fake accounts. This is a major problem that Apple really needs to address.

If you take the time to read through all the reviews, you see they are dominated by reviews like this:

You really have to scroll down to see past the top rated reviews in order to see the anger and despair that most people feel about this app.

It’s a shame that the App Store is so full of this kind of deception. In some of the reviews, the authors of the program claim that they are innocent victims of hacking attempts. (There actually is a serious problem in the computer industry that some of the most widely used programming tools for both websites and app development can easily pull in Open Source packages that add functionality to an app. There have been cases of bad guys placing malicious code that tries to mine for cryptocurrency into widely used packages that then got automatically placed into millions of websites. Thankfully, it was all caught quickly. But I don’t know enough to write about that side of things.)

But I don’t actually believe the developers because I can see that the Privacy Policy and Terms of Use policies they list on their own App Store page are obfuscated behind Russian URL shortener websites. A legitimate developer would have their Privacy Policy easily discoverable on their website in order to comply with the European Union’s strict GDPR (General Data Protection Regulation) laws.

I tried opening the privacy policy and terms of use links (in a Linux virtual machine, not on my real Mac). I fully expected to see a scam website informing me that I was infected, but instead it was actually a Google Docs link that took me to real privacy policy and terms of use documents. The privacy policy did claim that the company reserves “a right to commit all kinds of actions, which lead to the text modification (update).” This includes changing the paragraphs, modifying or even replacing the document at any time without having to warn users.

The silver lining of this story is that there was ultimately no damage done to this client because they decided to trust their instincts and stop when something seemed alarming. All we had to do was delete the app and then check to make sure they had no suspicious subscriptions or profiles.