Saturday, July 13, 2024

Apple confirms the scale of App Store fraud

Apple says millions of fraudulent attempts are made against the App Store and its users each year as criminals get smarter and exploits more complex.

Apple says millions of fraudulent attempts are made against the App Store and its users each year. The company prevented $1.5 billion in fraudulent transactions in 2021, it said, in line with similar levels of fraud in 2020.

How people attempt to commit App Store fraud

The company explains how fraudsters attempt to commit fraud via the store.

These attempts span the gamut from relatively unsophisticated attempts to make purchases using stolen or fraudulent credit cards to more complex scams consisting of apps that otherwise work fine but quietly gather data or carry malware to trick or defraud users.

Attempts to smuggle malware into apps to perform on-device fraud are intensifying in 2022. It is worth noting that there has been an increase of over 40% in malware attempts against Android to perform on-device fraud so far this year, which shows that Apple’s concern is justified.

Apple has rejected tens of thousands of apps, including apps with hidden code and misleading, copycat, and privacy abusing apps. Millions of attempts to create fraudulent customer or developer accounts are made each year, the company said, while 3.3 million stolen credit cards have seen attempted use.


The scale of review fraud

Review fraud — in which competitors file illegitimate ratings and reviews to suppress sales of competing apps or to encourage users to download untrustworthy apps — also gets a mention.

Apple says over a billion ratings and reviews were made across 2021, and Apple had to detect and block over 94 million reviews and 170 million ratings for “failing to meet moderation standards.” Apple also ditched 610,000 reviews after publication following complaints and subsequent evaluation.

That data suggests the scale of review fraud is relatively high, as it hints that a very large percentage of the billion ratings and reviews made each year are at fault.

App Store developers have complained about this practice for years, and the data Apple has released justifies that concern. Having said that, this also suggests the risks of review fraud would be far, far higher if the App Store were left unmoderated.

Apple wants to protect its App Store business

We know that part of the reason the company is sharing this information is to justify the fees it levies against some developers for selling apps via its store. Apple continues to pull together data to support the way it runs the App Store business, and fraud detection at the level Apple describes does not come cheap. While other app stores may levy lower fees, do they offer the same security or user experience? And what happens if Apple can no longer afford to provide it?

Apple really wants regulators to think again on plans to force sideloading of apps and other poorly thought out proposals that would serve to dilute the security and safety of its platforms. In that context, the company likely seeks data to show the extent to which its products are today used across highly confidential and strategically essential industries.


What use are network and endpoint protection systems when the platforms themselves are made inherently insecure? How can any enterprise remain confident in their increasingly digital processes in the event their devices carry government-mandated backdoors?

These important questions need to be rigorously answered before any decisions are made.

That the App Store experiences fraudulent activity at the level it has described should give regulators pause for thought before imposing rash remediation, particularly as criminals become increasingly creative in apps, app services, and the growing potential for ID fraud.

Older devices are at most risk

Fraudsters are also targeting older mobile devices, according to a NICE Actimize study. That study found banking fraud attempts increased by 41% in 2021, with devices running operating systems made prior to 2016 three times more likely to be victims of fraud.

Approximately 4% of 2.5 billion currently active Android devices run at-risk iterations of that OS, in comparison with just 2% of iPhone users who run an OS over two years old. (The number of iPhones running 2016 versions of iOS is incalculably small).

However, any move to dilute the security iOS enjoys could make many more of us vulnerable, and the introduction of a non-curated app store would do just that.

More news at WWDC?

Apple’s decision to publish information concerning its work to battle App Store fraud just days before it hosts its annual developer event sends a message that the company will continue working toward its goals around privacy and security across its mobile ecosystem. Most recently the company announced that it will evict older apps that have not been updated for three or more years from the App Store.


Given the scale to which App Store fraud is taking place, this seems a sensible move to help protect users against inadvertent use of apps that may still contain exploits or vulnerable code.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
