Scam App in Apple’s Top 10 Rakes in $80K Per Month

One of Apple’s top 10 productivity apps, “Mobile protection :Clean & Security VPN”, has been pulled from the App Store after it was exposed as a scam, and an obvious one at that, starting with the grammar problems in its name.

At its height, it was raking in $80,000 per month.

Researcher Johnny Lin investigated the app after seeing some things that didn’t add up.

“Given the terrible title of this app (inconsistent capitalization, misplaced colon and grammatically nonsensical ‘Clean & Security VPN?’), I was sure this was a bug in the rankings algorithm,” he said in a post. “I tap into the app details to see that the developer is ‘Ngan Vo Thi Thuy’. Wait so, this is a VPN service offered by an independent developer who didn’t even bother to incorporate a company? That’s a huge red flag. So in this case, a random person who couldn’t piece together a grammatically correct title, who also didn’t bother to incorporate a company, wants access to all your internet traffic.”

And that’s not all: The app description contained multiple typos and was accompanied by “fake-looking 5-star reviews.”

Nonetheless, Mobile protection :Clean & Security VPN had been a top 20 grossing productivity app since at least April 20. Lin quickly discovered why: The app first asks for permission to scan and access contacts, then tells the user their device is at risk. After several more alarmist prompts, the app eventually offers a “free trial”, and if the user accepts, it is there in the fine print: “You will pay $99.99 for a 7-day subscription.” The same screen states that pressing the home button (Touch ID) authorizes the start of this $100-per-week subscription.

“It suddenly made a lot of sense how this app generates $80,000 a month,” Lin said. “At $400 per month per subscriber, it only needs to scam 200 people to make $80,000 per month, or $960,000 a year. Of that amount, Apple takes 30%, or $288,000—from just this one app.”

At this point, you might still be in disbelief. Maybe you’re thinking: “Sure, just 200 people, but still, it seems highly unlikely that even one person would download this scammy looking app, much less pay for it.”

Mobile protection :Clean & Security VPN, before it was pulled, was ranked #144 in most-downloaded free productivity apps in the App Store, with an estimated 50,000 downloads in April.

“To get 200 subscribers from 50,000 downloads, they just need to convert 0.4% to purchases—or maybe even fewer, because these subscriptions are automatically renewing, so the subscribers stack month over month,” Lin said.

Lin also found other apps that work the same way, including one called “Protection for iPhone—Mobile Security VPN”, which likewise charges $99.99 for a weekly subscription. It was ranked #33 for Top Grossing in the Business category.

Lin said that apps like these reach users through App Store Search Ads bought against popular search terms. For instance, searching the App Store for “wifi” returns as its top result an ad for “WEP Password Generator”, a simple random-string generator that charges $50 per month and is making an estimated $10,000 per month.

“Scammers are abusing Apple’s relatively new and immature App Store Search Ads product,” Lin said. “They’re taking advantage of the fact that there’s no filtering or approval process for ads, and that ads look almost indistinguishable from real results, and some ads take up the entire first page of search results.”

“Fraud takes many shapes in the digital ecosystem,” Chris Olson, CEO of The Media Trust, told us via email. “Whether hijacking a legitimate app to redirect to another (possibly malicious) app, executing non-human clicks, serving compromised ads or surreptitiously launching other apps, it all boils down to opportunity and financial incentive. Just like other ad-supported companies, app stores need to be vigilant about securing the content they promote. In addition to evaluating the reputation of the app developer, effective security requires continuous review of the app, requested permissions and any other network call.”

Source: Information Security Magazine