Researcher Privacy 1st (Alex Kleber) analyzed seven different Apple developer accounts, all managed by the same Chinese developer. The researcher notes that the apps abuse the Mac App Store in several ways, the most common being that they contain hidden malware able to receive commands from a server (command-and-control). This allows the apps to pass the App Store’s initial security checks before the malware is activated. In some apps, Apple’s review team saw a completely different user interface than what appears in the final version, as the developers could alter the UI remotely.
The lack of a close or back button is always concerning

The apps communicate with popular services such as Cloudflare and GoDaddy to hide their hosting provider. It was also discovered that their privacy policies are hosted on free Google websites. Moreover, they all use the same password to decrypt a JSON file used to fool the Apple review team, thereby confirming that they come from the same developer. The apps also embrace the tried-and-tested technique of fake reviews; developers can buy these to make their products seem more authentic and appealing. It’s noted that most of these 5-star ratings appear to be written by non-native English speakers, and the same styles often occur across multiple reviews, such as writing “APP” in all caps. The single-star reviews are the only ones that do appear genuine.
Seems legit

The developer also created multiple copies of the same application to gain market share. Some of these malicious apps have proved very popular. A ‘PDF Reader for Adobe PDF Files’ app was one of the most downloaded/sold applications in the US Mac App Store, despite it tricking users into taking out unwanted subscriptions. Apple has now erased many of the fake reviews for these apps, and some of the applications appear to have been removed from the Mac App Store entirely. Last week brought news that researchers had discovered over two dozen malicious yet popular Android apps on the Google Play Store.