Apple is still slow to purge scam apps in the Mac App Store

Posted in Mac Software

An examination of a scam app for macOS made by a bogus developer impersonating legitimate accounts reveals how the Mac App Store review system can be manipulated.




Spyware and malware are a continuing problem in computing, and Apple tries to keep things safe by maintaining the security of the App Store and the Mac App Store. Naturally, bad actors then try to abuse those systems and get around Apple's security features.

In a breakdown of the techniques used by scammers, a post by Privacy1St on Medium explains how one application exploited a number of areas of the Apple ecosystem in order to reach users.

The breakdown concerns an app called GPT4 - AI Chat Robot Assistant by SkyLink Tech.

The developer in question violated trademarks, manipulated the Mac App Store's system for reviews, and also created a fake developer account that duplicated a legitimate account's Data Universal Numbering System (D-U-N-S), a unique identifier for a business.

Getting fake accounts



The normal process for getting a developer account relies on the developer either having an existing D-U-N-S number or registering for a new one via a recognized authority. This number is supplied to Apple along with contact information, which Apple then uses to confirm the registration's legitimacy.

However, all Apple really asks is whether the representative is legitimate, and for their name. The report describes this as "streamlined," and less rigorous than the checks other organizations perform.

Scammers use lookup websites to obtain a company's D-U-N-S number without its permission. When submitting the registration form, they include their own contact details and then merely pretend to be the representative or owner of the impersonated company.

Beyond registration



Once signed up, the app in question then uses underhanded techniques to earn the trust of users.

For a start, the app claims to be related to OpenAI, the company behind ChatGPT, and uses product names and similar-looking logos to present itself as official, or at least to confuse users enough that they believe it may be the real deal.

The app's screenshots then outright lie, including a claim that it is built not only on OpenAI but also on GoogleAI. Google has yet to allow anyone ChatGPT-level access to its own AI systems.

Within the app itself, users are offered rewards and gifts for writing good reviews on the Mac App Store, since good reviews encourage others to download an app. The problem is that rewarding good reviews is against Apple's App Store rules, under the terms covering Discovery Fraud.

The app also misleads users about its paywall, promising free usage but not actually delivering what was promised. In this app's case, paying would unlock "OpenAI Training" and more features.

Beyond the more obvious issues, the app was found to be secretly collecting the Mac's UUID without asking for permission. In this instance, the Mac UUID is used to keep track of calls to the OpenAI API.

Nothing's been done



Despite the app being discovered and reported to Apple on September 13, it is still available on the Mac App Store, and no action has been taken, the report claims.

In summary, the report claims that the various issues with the app "shows that even if Apple products are well built, there are plenty of things that needs to be covered. What's more concerning is that it seems like Apple isn't doing much when people report these scams."

"Apple should provide clear and fast tracks for people to simply report this kind of scams."

This is not the first time that Apple has been called out over the Mac App Store's relaxed security. In April, a similar report discussing scam apps was published, covering many of the same areas of the new one.


Comments

  • Reply 1 of 7
mayfly (Posts: 385, member)
    This isn't a threat to diligent Apple users. If I want an app that isn't made by Apple, I navigate to the company website (UPS or American Airlines, for instance) and click the link to their app from there. Just assuming that if a third party app is on the App Store, it's safe for you to download, well, you're asking for it.
    watto_cobra
  • Reply 2 of 7
22july2013 (Posts: 3,573, member)
    mayfly said:
    This isn't a threat to diligent Apple users. If I want an app that isn't made by Apple, I navigate to the company website (UPS or American Airlines, for instance) and click the link to their app from there. Just assuming that if a third party app is on the App Store, it's safe for you to download, well, you're asking for it.
    That's an interesting approach. I like it. However it may have one challenge: Apple App store links are (or can be) different for each country you are in. So if I go to the UPS website (ie, the American UPS website, because I use Google to get the company's link, and it often returns the US link even if the company has a Canadian website) and then try to get a link to their app from their US site, I may be directed to the US app which may not be a valid link in Canada. You appear to be an American and you probably only care about American companies, so this may not be an issue for you. 
mayfly, FileMakerFeller, watto_cobra
  • Reply 3 of 7
bonobob (Posts: 383, member)
    mayfly said:
    This isn't a threat to diligent Apple users. If I want an app that isn't made by Apple, I navigate to the company website (UPS or American Airlines, for instance) and click the link to their app from there. Just assuming that if a third party app is on the App Store, it's safe for you to download, well, you're asking for it.
    That's an interesting approach. I like it. However it may have one challenge: Apple App store links are (or can be) different for each country you are in. So if I go to the UPS website (ie, the American UPS website, because I use Google to get the company's link, and it often returns the US link even if the company has a Canadian website) and then try to get a link to their app from their US site, I may be directed to the US app which may not be a valid link in Canada. You appear to be an American and you probably only care about American companies, so this may not be an issue for you. 
    Just change the URL from apps.apple.com/us/... to apps.apple.com/ca/... (or whichever country code is appropriate for your store).  This has worked for me numerous times when I've been given a link to a non-US, non-English language App Store.
mayfly, FileMakerFeller, watto_cobra
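The storefront-swapping trick bonobob describes above, written out as an added example (this is not code from the article, the Privacy1St report, or any commenter). It does a little more than the comment: it only rewrites links whose host is exactly `apps.apple.com` over https, so a lookalike host or a `user@host` trick is refused rather than rewritten, and it also handles the storefront-less `/app/...` form by inserting the code. The sample link and its `id000000000` are constructed placeholders, not a real app.

```python
# Added example (not code from the article, the Privacy1St report, or the
# commenters): rewrite the storefront code of an App Store link, as bonobob
# describes, while refusing anything that is not really an Apple link.
from urllib.parse import urlsplit, urlunsplit

APP_STORE_HOST = "apps.apple.com"  # the only host accepted, matched exactly


def is_app_store_link(url: str) -> bool:
    """True only for https links whose host is exactly apps.apple.com.

    urlsplit().hostname strips userinfo and port, so
    'https://apps.apple.com@evil.example/...' yields 'evil.example' and is
    rejected, as is the lookalike 'apps.apple.com.evil.example'.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == APP_STORE_HOST


def rewrite_storefront(url: str, country: str) -> str:
    """Return the same App Store link pointed at another storefront.

    Handles both '/us/app/<name>/id<number>' (replace the code) and the
    storefront-less '/app/<name>/id<number>' form (insert the code).
    Raises ValueError for anything that is not an App Store link.
    """
    if not is_app_store_link(url):
        raise ValueError(f"not an App Store link: {url!r}")
    code = country.lower()
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"bad storefront code: {country!r}")

    parts = urlsplit(url)
    # '/us/app/x/id1' -> ['', 'us', 'app', 'x', 'id1']
    segments = parts.path.split("/")
    if len(segments) > 1 and len(segments[1]) == 2 and segments[1].isalpha():
        segments[1] = code          # replace the existing storefront code
    elif len(segments) > 1 and segments[1] == "app":
        segments.insert(1, code)    # storefront omitted: insert one
    else:
        raise ValueError(f"unrecognised App Store path: {parts.path!r}")

    # Rebuild with the canonical host rather than the original netloc, so a
    # userinfo or port component is never carried through to the result.
    return urlunsplit((parts.scheme, APP_STORE_HOST, "/".join(segments),
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample link; the id is a placeholder, not a real app.
    sample = "https://apps.apple.com/us/app/example-app/id000000000"
    print(rewrite_storefront(sample, "ca"))
```

The host check is the part worth keeping even if you never change storefronts: a link that merely contains the string `apps.apple.com` is not necessarily an Apple link, which is exactly the kind of confusion the scam app in the article relies on.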
  • Reply 4 of 7
mayfly (Posts: 385, member)
    bonobob said:
    mayfly said:
    This isn't a threat to diligent Apple users. If I want an app that isn't made by Apple, I navigate to the company website (UPS or American Airlines, for instance) and click the link to their app from there. Just assuming that if a third party app is on the App Store, it's safe for you to download, well, you're asking for it.
    That's an interesting approach. I like it. However it may have one challenge: Apple App store links are (or can be) different for each country you are in. So if I go to the UPS website (ie, the American UPS website, because I use Google to get the company's link, and it often returns the US link even if the company has a Canadian website) and then try to get a link to their app from their US site, I may be directed to the US app which may not be a valid link in Canada. You appear to be an American and you probably only care about American companies, so this may not be an issue for you. 
    Just change the URL from apps.apple.com/us/... to apps.apple.com/ca/... (or whichever country code is appropriate for your store).  This has worked for me numerous times when I've been given a link to a non-US, non-English language App Store.
    I think we can agree that these are all good ways to protect yourself from malware on the app store.
    watto_cobra
  • Reply 5 of 7
coolfactor (Posts: 2,245, member)

    Honestly, the Mac App Store feels neglected, an afterthought. I think many developers try to avoid it on purpose. For me, it's the first place I go to find apps that I want, and I'm disappointed if I don't find them, or they haven't compiled their iOS app to work on Macs.
    watto_cobra
  • Reply 6 of 7
22july2013 (Posts: 3,573, member)
    bonobob said:
    mayfly said:
    This isn't a threat to diligent Apple users. If I want an app that isn't made by Apple, I navigate to the company website (UPS or American Airlines, for instance) and click the link to their app from there. Just assuming that if a third party app is on the App Store, it's safe for you to download, well, you're asking for it.
    That's an interesting approach. I like it. However it may have one challenge: Apple App store links are (or can be) different for each country you are in. So if I go to the UPS website (ie, the American UPS website, because I use Google to get the company's link, and it often returns the US link even if the company has a Canadian website) and then try to get a link to their app from their US site, I may be directed to the US app which may not be a valid link in Canada. You appear to be an American and you probably only care about American companies, so this may not be an issue for you. 
    Just change the URL from apps.apple.com/us/... to apps.apple.com/ca/... (or whichever country code is appropriate for your store).  This has worked for me numerous times when I've been given a link to a non-US, non-English language App Store.
    That might work. I'll try it out. But for most consumers of software that's never going to happen. Some of my friends and family have never even heard of a "URL."
    watto_cobra
  • Reply 7 of 7
    Apple has to be diligent about checking reports of scam apps in case they remove a legitimate app and get sued. I'm not surprised that they don't keep the reporter in the loop on this process, but it has to be a nightmare to verify identity properly at any stage of the developer approval process, let alone the app submission.

    I'm sure Apple took the easier path (especially since there were so many complaints about the length of time required to get an app approved), but you cannot claim to have a curated store when you provably are allowing scam apps to inhabit the digital shelf space. Apple needs to do better here.
muthuk_vanalingam, watto_cobra