
Watch out! Scammers are making a fortune in the iOS App Store

Just how much money can a scammy iPhone app make in the iOS App Store?

You may be surprised. After all, how does $80,000 per month sound to you?

The “Mobile protection :Clean & Security VPN” app is estimated to have earnt its developer $80,000 per month, after tricking users into signing up for an eye-watering $99.99 per week subscription through a careless thumb press.

The app, promoted through Apple’s new app store search ads, was spotted by developer Johnny Lin who documented his concerns in a blog post.

When first run, the app asks for permission to scan your list of contacts (what possible reason could it want to do that?) before informing you that your iOS device is at risk.

Quite why it believes that your iOS device is in peril is a mystery, as the app hasn’t done anything yet. Even more bizarrely, reports Lin, clicking on the “Secure Internet” button pops up a prompt to play a bubble-shooting game!

Perhaps wisely, Lin declined that offer, but his curiosity was piqued by the subsequent screen that appeared – offering a “free trial” to “instantly use full of smart anti-virus”.

How free?

Well, you should read the small print before you offer your fingerprint to Touch ID…

“You will pay $99.99 for a 7-day subscription”

Yes, the “free trial to Full Virus, Malware scanner” is really a shocking 7-day auto-renewing subscription costing $99.99.

In short, you could be paying $99.99 per week in order to have all of your internet traffic routed through a complete stranger’s dodgy VPN.

And don’t think that no-one would ever be so dumb as to fall for a scam like this. It’s all too easy to offer your fingerprint without reading the small print. In this case, the deal has been promoted as a free trial and you may not notice – until it’s too late – that you could be spending $400 a month for the privilege.

Sadly it seems that enough people have been falling for the scam to earn the app’s developer a staggering amount of money.

Indeed, Lin reports that “Mobile protection :Clean & Security VPN” managed to make it to the US App Store’s list of top ten grossing productivity apps.

Since Lin’s blog post the apps appear to have been removed from the App Store – but one wonders how many other apps have managed to slip through Apple’s vetting process, and have been promoted through the store’s new ads.

iOS isn’t perfect, but generally I prefer it to the Android operating system.

One of my main issues with Android is that so many owners of Android smartphones have been left in the lurch, unable to update their devices with the latest version of the operating system to protect against the latest security vulnerabilities. Generally, Apple’s customers seem to be much better served in terms of timely fixes and updates.

You shouldn’t just measure how well a platform protects you from privacy and security risks, however, by the operating system alone. Probably an even bigger issue is the third-party apps that you run on the device: Have they been coded competently? Are they taking proper care of your sensitive personal information? Are they being updated promptly when security risks are uncovered?

And, although Apple is well-known for its policy of strictly vetting apps, it’s clear that neither the iOS App Store nor the official Google Play Android App store has a blemish-free record in this regard.

In this particular case, Apple needs to do a much better job of removing scam apps and refunding affected users. It should police ads and review apps containing in-app purchases much more closely to avoid scammy behaviour.

And, of course, it should be made easier for customers to cancel App Store subscriptions.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
