A client recently told me about something that happened while they were using Safari on their iPhone. They must have accidentally landed on a junky webpage while reading the news, because they got a message saying their iPhone was infected with viruses. They must then have tapped something that took them to the iOS App Store, where they were directed to download a real app called Altfast. This is what the App Store page for that app looks like:

The description for the app had images calling it “Super Helpful App” and claimed that the app was a super helpful voice recorder. There were 80+ reviews of the app. The top three claimed it was a magical voice recorder, and the developer responded about how happy they were that the product causes so many happy, positive emotions.


It’s only after you launch the app that you see its nefarious side. When my client launched it, she was greeted with this:

The Altfast app was able to display this fake virus scam on an iPhone.

This was a very sophisticated scam. The people behind it were able to make an iOS app innocuous enough to pass Apple’s App Store review. Perhaps it even looks like a real app when you launch it normally. But all my client saw was the fake message about viruses. Thankfully, their instincts kicked in and they didn’t believe what they were seeing. Had they tapped the Remove viruses button, I believe one of a couple of things would have happened: either the app would have initiated a phone call to a fake virus-removal call center, or it would have tried to download a configuration profile to the phone.

The iOS operating system is very restrictive, so it actually does a good job of limiting the damage the scammers could have done. Their most effective techniques would be to trick the user into calling a call center, where a phone operator tries to extract their banking details, or to use a configuration profile to reprogram the phone: subscribe it to a calendar that fills up with fake virus alerts, or route its search traffic through a VPN of the scammers’ choosing. A profile cannot install itself. The user has to tap Install on the screen, and on current iOS versions a downloaded profile just sits under Settings > General > VPN & Device Management (called Profiles on older versions) until the user goes there and installs it.
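To make concrete what such a profile actually contains, here is an added example (my own script, not anything from the scammers or from the original post): a small Python program that reads an unsigned .mobileconfig file, which is just an XML property list, and lists the payloads in it that would reprogram the phone in the ways described above. The payload type identifiers and the key names it looks for are Apple’s documented ones; the sample profile, its hostnames, identifiers and UUIDs are constructed for this example. A signed profile is wrapped in a CMS signature and has to be unwrapped first (for example with “openssl smime -verify -noverify -inform der -in profile.mobileconfig”) before this parser can read it.

```python
import plistlib

# PayloadType strings are Apple's documented configuration-profile payload
# types. The one-line descriptions and the choice of which types to flag are
# this example's own.
RISKY_PAYLOADS = {
    "com.apple.subscribedcalendar.account": "subscribes the phone to a remote calendar feed",
    "com.apple.vpn.managed": "routes the phone's traffic through a VPN",
    "com.apple.dnsSettings.managed": "replaces the phone's DNS resolver",
    "com.apple.webClip.managed": "adds a home-screen icon that opens a web page",
    "com.apple.security.root": "installs a trusted root certificate",
}

# Constructed sample profile: hostnames, identifiers and UUIDs are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.virus-protection</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Virus Protection</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.subscribedcalendar.account</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.virus-protection.calendar</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadDisplayName</key><string>Security Alerts</string>
      <key>SubCalAccountDescription</key><string>Security Alerts</string>
      <key>SubCalAccountHostName</key><string>https://alerts.example.invalid/security.ics</string>
      <key>SubCalAccountUseSSL</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.virus-protection.vpn</string>
      <key>PayloadUUID</key><string>ffffffff-0000-1111-2222-333333333333</string>
      <key>PayloadDisplayName</key><string>Secure Browsing</string>
      <key>UserDefinedName</key><string>Secure Browsing</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
        <key>AuthenticationMethod</key><string>Password</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes):
    """Parse an unsigned .mobileconfig (an XML plist) and return one dict per
    payload that can change the phone's behaviour, including the remote
    endpoint it points at where the payload type carries one."""
    plist = plistlib.loads(profile_bytes)
    findings = []
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        finding = {
            "type": ptype,
            "what": RISKY_PAYLOADS[ptype],
            "name": payload.get("PayloadDisplayName", ""),
            "target": "",
        }
        # Endpoint keys, per Apple's payload reference, for the types that have one.
        if ptype == "com.apple.subscribedcalendar.account":
            finding["target"] = payload.get("SubCalAccountHostName", "")
        elif ptype == "com.apple.vpn.managed":
            finding["target"] = payload.get("VPN", {}).get("RemoteAddress", "")
        elif ptype == "com.apple.webClip.managed":
            finding["target"] = payload.get("URL", "")
        elif ptype == "com.apple.dnsSettings.managed":
            dns = payload.get("DNSSettings", {})
            finding["target"] = dns.get("ServerURL") or ", ".join(dns.get("ServerAddresses", []))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print(f"{f['name']!r} ({f['type']}): {f['what']} -> {f['target']}")
```

Run against the sample it reports the calendar feed and the VPN server the profile would quietly point the phone at, which is exactly the information a person tapping Install never gets to see in full.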

So how did these people get past App Store review? They probably hid the fake virus screen through some kind of obfuscation (perhaps the screen is just an image downloaded from a malicious website, so reviewers never see it). And then I think the scammers set up accounts to write fake glowing reviews, which other fake accounts then vote to the top of the list. This is a major problem that Apple really needs to address.

If you take the time to read through all the reviews, you see they are dominated by reviews like this:

You really have to scroll down past the top-rated reviews to see the anger and despair that most people feel about this app.

It’s a shame that the App Store is so full of this kind of deception. In some of the reviews, the authors of the program claim that they are innocent victims of hacking attempts. (There actually is a serious problem in the software industry: some of the most widely used development tools for both websites and apps can easily pull in open-source packages that add functionality to a program, and there have been cases of bad guys placing malicious code that mines cryptocurrency into widely used packages that were then automatically pulled into millions of websites. Thankfully, it was all caught quickly. But I don’t know enough to write about that side of things.)

But I don’t actually believe the developers, because I can see that the Privacy Policy and Terms of Use links on their own App Store page are hidden behind Russian URL-shortener websites. A legitimate developer would have their privacy policy easily discoverable on their own website in order to comply with the European Union’s strict GDPR (General Data Protection Regulation).

I tried opening the privacy policy and terms of use links (in a Linux virtual machine, not on my real Mac). I fully expected to see a scam website informing me that I was infected, but instead each was a Google Docs link that led to a real privacy policy or terms of use document. The privacy policy did claim that the company reserves “a right to commit all kinds of actions, which lead to the text modification (update).” That includes changing paragraphs, modifying or even replacing the document at any time without having to warn users.

The silver lining of this story is that there was ultimately no damage done to this client, because they decided to trust their instincts and stop when something seemed alarming. All we had to do was delete the app and then check that they had no suspicious App Store subscriptions (Settings > your name > Subscriptions), subscribed calendars (Settings > Calendar > Accounts) or configuration profiles (Settings > General > VPN & Device Management).

One of my customers recently contacted me about a nasty email they got saying that someone had gone in and signed them up for a Netflix account. The possibility that they might have been hacked both startled them and made them anxious enough to click on the link right in the email.

They were taken to a page that looked very much like the current Apple website, but something in their intuition made them stop and look more closely at the site.

As they looked, they realized that none of the dropdown menus on the page worked, unlike on the real Apple website. The page also looked just a little fuzzy, and indeed, it was a picture of the real Apple website.

Something in their gut told them not to trust what was happening, and so they stopped and called me.

They were kind enough to share with me what they received, which consisted of some text as well as a PDF attachment. I haven’t checked, but I would bet the PDF probably has a virus in it that could zap Windows machines or out-of-date copies of Adobe Acrobat. That is just one more reason to use Apple’s Preview program, which I will cover in a future blog post. Let’s take a closer look at the telltale signs that showed this was a scam email:

An analysis of a spam email

The weapon that spammers use against us is alarm. They try to use intimidation techniques to both inspire fear and sometimes shame so that you stop and react without thinking. The very best defense you have any time you see something alarming is to stop and take a deep breath, and then take a gut check.

Stop and re-read the email. Let’s look at some salient points:

  • The email starts with “Dear Customer,” which is terribly common in spam email because the scammer is blindly sending out messages and doesn’t have any of your personal details to go on. A big company like Apple has a personal relationship with you and will always use the contact details you gave them when you set up your account.
  • Apple is a company that prides itself on attention to detail. They would not let incorrect grammar or punctuation go out in customer-facing email. Notice that the first paragraph is missing a period at the end of its last sentence.
  • The last paragraph has a comma followed by a capitalized word. That’s a sign that this email was not written by a native English speaker. That does not by itself mark the sender as a scammer, but it is a feature common to scam emails.
  • No Apple ID is listed. Apple would always tell you which Apple ID a problem concerns, since some customers have more than one.
  • You can’t tell from this picture, but the original email was actually sent as a PNG image rather than as text. The print looked fuzzier than regular text, which immediately caught my eye as a warning sign. I think the scammers sent the spam as an image so that its text would not trigger any junk mail filters.

Now let’s look at the PDF attachment that came with the email.

The PDF also displays a woeful lack of grammar, again starts with “Dear Customer,” and, finally, contains no real account details such as the last four digits of a credit card number.

A wonderful feature of the macOS Mail program is that you can hover your mouse over a link in an email and see where it will take you without actually clicking on it (on an iPhone or iPad, touch and hold the link to get the same preview). The first thing I do whenever I have questions about an email is check where its links really go, because the text of a link can say one thing while the link itself leads somewhere else entirely. In this case, it surely did not go to a legitimate website.
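Those checks can be automated. The Python script below is an added example of my own, not something from the original post: it walks a raw email message and reports the warning signs discussed above, namely a generic greeting, a body that is an image rather than text, link text that names one site while the link itself goes to another (what hovering in Mail reveals), a PDF attachment, and, as one extra check beyond the list above, a sender whose display name says Apple but whose address is on some other domain. The message it analyzes is constructed here to resemble the one described; the addresses, domains, filenames and thresholds are this example’s own assumptions, not details from the real email.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics drawn from the analysis above. The trusted domains, the greeting
# list and the text-length threshold are this example's own assumptions.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear account holder")
TRUSTED_SENDER_DOMAINS = {"apple.com", "email.apple.com"}
MIN_BODY_TEXT = 40  # fewer visible characters than this, plus an image, reads as an image-based mail
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _HtmlScan(HTMLParser):
    """Collect visible text outside links and (href, anchor text) pairs."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._anchor = href, []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        (self._anchor if self._href is not None else self.text).append(data)


def _host(url):
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_bytes):
    """Return a list of warning strings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings, scan, plain, images, attachments = [], _HtmlScan(), [], 0, []

    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename() or "", ctype))
        elif ctype == "text/html":
            scan.feed(part.get_content())
        elif ctype == "text/plain":
            plain.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images += 1

    # 1. Display name claims Apple, but the address is on some other domain.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and "apple" in sender.display_name.lower() and sender.domain.lower() not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender '{sender.display_name}' uses untrusted domain {sender.domain}")

    # 2. Generic greeting: the sender does not know who you are.
    visible = re.sub(r"\s+", " ", " ".join(plain + scan.text)).strip()
    for greeting in GENERIC_GREETINGS:
        if greeting in visible.lower():
            findings.append(f"generic greeting '{greeting}'")
            break

    # 3. The message is essentially a picture, which defeats text-based spam filters.
    if images and len(visible) < MIN_BODY_TEXT:
        findings.append(f"body is {images} image(s) with only {len(visible)} characters of text")

    # 4. Link text shows one site while the href goes to another (what hovering reveals).
    for href, anchor in scan.links:
        if URL_LIKE.match(anchor) and _host(anchor) != _host(href):
            findings.append(f"link text '{anchor}' actually points to {_host(href)}")

    # 5. Unsolicited PDF attachment.
    for filename, ctype in attachments:
        if ctype == "application/pdf" or filename.lower().endswith(".pdf"):
            findings.append(f"PDF attachment '{filename}'")
    return findings


def build_scam_sample():
    """Constructed message modelled on the one described above (not the real email)."""
    msg = EmailMessage()
    msg["From"] = "Apple Support <billing@apple-account-verify.example.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your Netflix subscription has been activated"
    msg.set_content(
        '<html><body><p>Dear Customer,</p><img src="cid:body1">'
        '<p><a href="https://apple-account-verify.example.invalid/login">'
        "https://appleid.apple.com</a></p></body></html>",
        subtype="html",
    )
    msg.add_related(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", cid="<body1>")  # placeholder PNG header
    msg.add_attachment(b"%PDF-1.4\n%placeholder", maintype="application", subtype="pdf", filename="Invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for warning in analyze(build_scam_sample()):
        print("WARNING:", warning)
```

To run it against a real message, save the message from Mail as raw source (an .eml file) and pass the file’s bytes to analyze(). None of these signs is proof on its own; the point, as with the manual checks above, is that several of them together on one message should make you stop before you click.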