The Register® — Biting the hand that feeds IT

Two scam apps stink up iTunes store, pulled thanks to Reg reader

Eye of the Vulture backs up porous Cupertino iron curtain

Apple allowed two scam apps to appear in its App Store - and the dodgy software remained on sale for five days until a Reg reader raised the alarm.

The two paid-for programs, built by developer JB Solutions, do not work as advertised in the online shop, sparking a surge in negative feedback comments left by ripped-off fanbois. Both apps were approved by Apple's censors and went live in the software store on 8 November. They were eventually pulled last night after we contacted the fruity firm.

The first app, IntelliScreenX for iPad and iPhone, cost $1.99 (£0.99) and promised a pull-down list of notifications from the device's lock screen. Such a feature is not possible on iOS, although it can be done on jail-broken iPhones.

Users reported that, once downloaded, IntelliScreenX simply showed an alarm clock. The app looked nothing like the screen grabs displayed in the iTunes store front.

The second dodgy program, NFC for iPhone 5, cost $0.99 (£0.69) and promised to enable Near-Field Communications support - useful for making wireless payments - in the smartmobe. Again, that's impossible because the iPhone does not have an NFC chip fitted. As soon as the software is downloaded it changes its name to RadioStreamer and plays music from online stations.

Screen grab of the scam app NFC for iPhone 5 advertised in Apple's iTunes

It's not clear whether the phony apps pose a security risk, but it is clear users ended up paying out for software completely unlike what was expected.

User feedback left on iTunes

Unhappy customers

Oddly enough, there were 20 to 30 positive recommendations and five-star reviews for the apps, no doubt snagging a number of customers, although a lot of negative comments have since appeared.

The Reg asked Apple how something so wrongly advertised could be stocked on the App Store's shelves given the Cupertino giant screens every product submitted by developers. A spokesman would not provide any detail, but told us: "Thanks for bringing this to our attention." ®

How the hell did the NFC app get through the App checking people? The phone doesn't even support it, so surely something with NFC in the title would be heavily reviewed.

I thought Apple were crunching down on the amount of shit soundboards, barely functional and fake apps from people tryna get into the appstore.

10
0
Anonymous Coward

Oh dear...

The fanboy high horse is starting to resemble a dwarf three legged donkey.

11
3

Re: @DrXym - Oh Jeebus Apple

Because it's impossible.

Calling an API doesn't show malicious intent. My hypothetical quote of the day app has a legitimate reason to hit some url to fetch the quote. Maybe it also fetches a graphic too and a bit of metadata. All very innocent. I could easily craft some code which throws an exception only with the malicious content, e.g. maybe a title which is 256 characters causes an exception to throw and somewhere up the chain it redirects the user to a "report error" page url. When Apple test it, even if they spot the report error url, it all looks legit. Perhaps my app also has some legitimate reason to look in my contacts, e.g. offering me the feature to email a quote of the day to a friend, but when operating maliciously it actually steals my address book by accidentally not null terminating a character array which just happens later to be used in the report error screen. It's so easy.

Short of someone doing a line by line security audit, feeding the app with every possible input, Apple will NEVER find this.

This is why curation is false security. I'm sure Apple do have scanners which look for signatures of known trojans, command and control urls, and might even give the app a cursory once over in some virtual machines with different date and time parameters and so on. But it's not hard for someone to circumvent this. Look how many phony apps already get through. Look how many apps turn out to be stealing data already. Apple didn't catch these. There's no reason to think they'd catch my hypothetical app either.

8
1
