Cyber security may be a foreign concept for Apple and iPhone users. Windows and Android users have been coping with cyber threats for a long time, and have been constantly reminded by Apple-wielding friends, family, colleagues, and even strangers that Apple products are “safe” (or at least “safer”) from cyber-crime.
In particular, there has been little reason for Apple users to question the safety of iPhone apps on the App Store, as Apple itself has verified these apps. But while Apple has maintained (for the most part) its closed network, hackers have figured out ways to penetrate Apple’s defenses—and attack a complacent group of users ripe for the picking.
App Store Scams On the Rise
A security blogger named Johnny Lin recently published a very interesting post that exposes an ingenious scheme involving iOS app subscriptions. It works by misusing Apple’s recently introduced App Store Search Ads offering.
There’s no filtering or approval process for these ads, and the ads themselves can closely resemble ordinary search results. Scammers are simply paying to feature their malicious apps, which masquerade as legitimate antivirus tools, password generators and other “productivity” apps, at or near the top of the App Store search results. Once installed, the bogus app tries to lure victims into accepting a “free trial” that quickly turns into exorbitant, auto-renewing subscription charges of as much as $100 per week.
This scheme is now so prevalent and widespread that a number of these scam apps are among the top-grossing apps across the entire App Store. For example, the #10 top-grossing productivity app at the time the post was written was a scam app called “Mobile protection :Clean & Security VPN” that was raking in a cool $80,000 per month for its developer.
Many people will notice that these paid ads aren’t “real” search results, but some won’t. Many of those who install a fake app will spot the ruse, but some won’t. And it only takes a few conversions (less than 0.5% of downloads for a high-ranking app) to rack up big bucks. Apple encourages users to report malicious and suspicious apps through iTunes Connect.
Gone are the days when Apple users could be cavalier about cyber security. An unsecured Apple device is now a major security threat. Mac users are not immune to ransomware in particular, including WannaCry-type attacks. Indeed, as Apple products gain market share, experts predict cyber-attacks on Apple devices will only escalate. Others foresee the uncovering of significant flaws in Apple’s security architecture.
Protect Your Apple Device Users – And Your Business
If your organization uses Apple products or allows them to access your network under its Bring Your Own Device (BYOD) policy, you should ensure these devices do not pose unforeseen risk. Likewise, Apple users need exposure to cyber security awareness education… before it’s too late.
To find out how you can reduce the growing cyber security risk associated with Apple products in your organization, contact Pivot Point Security.