Apple Removes Scam App That Led to Hijacked Facebook Ad Accounts

[MacRumors]

Apple has removed an app that it was unknowingly hosting on the App Store that scammed Facebook advertisers and led hackers to use advertisers' ad budgets to run possibly malicious ads on Facebook's platforms, Business Insider reports.

The app previously ranked highly on the App Store when searching for "Facebook ads manager," the app used by advertisers to control their presence and ads they're running on the Facebook platform. The app presented itself as the legitimate ads manager for Facebook but was actually a backdoor that let hackers gain access to an account. One employee of an ad agency told Insider they were locked out of their account within just 10 minutes of downloading and logging into the app from Apple's App Store.

Apple said that the app was originally submitted to the App Store as a simple document manager with no ties or functionality to the Facebook platform. Apple claimed in a statement to Insider that the app turned malicious after it was approved for the company's platform. Facebook flagged the app to Apple in mid-July, but only after Insider's request for comment to the Cupertino tech giant was the app removed from the platform.

Apple proudly states that the App Store is "a safe and trusted place to discover and download apps," with apps being held to the "highest standards for privacy, security, and content." Apple screens all apps before they're presented for download on the App Store. According to the company, over 250,000 apps were rejected for the App Store last year for violating privacy guidelines, with an even larger 1 million apps rejected for possibly harmful and unsafe content.

Despite Apple's efforts, scam apps have remained a problem for the platform. A study last year found that 2% of the top 1000 top paid apps on the App Store at the time were scam apps, with those apps reportedly earning over $1 million in revenue. In a separate instance, a fake bitcoin app scammed its way to gain over $610,000 after being on Apple's platform.

Article Link: Apple Removes Scam App That Led to Hijacked Facebook Ad Accounts

 

[goaliemn]

You can get Malware and hacked even without side loading. Great job.

 

[Piplodocus]

If I'm gonna load an app from the internet I'm always sure be very careful to work out where it came from and how trustworthy the developer is. If I get it from the App Store I'd presume Apple have done that for me.

So good work again Apple for saying it's far too unsafe to let people load whatever apps you like on your iPhone/iPad, and justifying the app store as the only safe way to allow them, while hosting scams again and seemingly after being flagged, doing nothing about it until the media are going to shame you. 🤦🏻‍♂️

 

[polyphenol]

What happens to apps installed on our devices when an app gets removed like this?

Does it get removed? Do we get told we have a "bad" app installed?

 

[hagar]

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

I rather have a store where 1.25M scam apps are being removed annually than no safeguards at all.

 

[4743913]

"But don't worry, we are extra careful in keeping those evil emulators out of the AppStore" -Apple

 

[contacos]

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

I rather have a store where 1.25M scam apps are being removed annually than no safeguards at all.

I agree but also Apple should not promote the AppStore as this unbreakable save space. Otherwise you get people to install things without thinking about it because you could assume everything that you see at the Store is save to install. Example this one

 

[polyphenol]

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

I rather have a store where 1.25M scam apps are being removed annually than no safeguards at all.

I think 1.25M are rejected - not removed.

Number removed might give a better sense of the level of risk.

 

[beatrixwillius]

Does it get removed? Do we get told we have a "bad" app installed?

AFAIK you can't start the app anymore.

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

I rather have a store where 1.25M scam apps are being removed annually than no safeguards at all.

There is no difference between the AppStore and the rest of the internet except 10 minutes of testing. Do you really want to rely on that?

 

[Dan From Canada]

And this is from Apples famously safed app store?

 

[kc9hzn]

AFAIK you can't start the app anymore.

There is no difference between the AppStore and the rest of the internet except 10 minutes of testing. Do you really want to rely on that?

“10 minutes of testing” isn’t really a bad thing, though. The trustworthiness of most sites can be ascertained through fairly minimal research and testing. It usually doesn’t take that long for someone trained in the task to look for some tell-tale signs and note that “yep, typo squat” or “dodgy call to action to download an executable file” or “fake JavaScript pop up”. And the trustworthiness of most apps likely can be ascertained within “10 minutes of testing” too.

Apps like this are very much like pages that show Googlebot one thing and users something completely different. There’s a more deliberate attempt to elude notice with an app like this. A website that pulled the same trick as this would be resistant to automated analysis and would require a more thorough investigation, possibly by full blown security experts.

Edit: If you want to talk about malware risk on the App Store, you’re probably talking spearphishing or APTs targeting high value targets anyway. That’s the most realistic type of app that’s going to take strong self protection measures, if just because it’s the only scenario where the effort is justified (intelligence that can only be gleaned from it, vs a scam where you just need to cast a wide enough net and you’ll get plenty of [potentially lucrative] victims and if you fail, just try another scam). This app didn’t quite rise to that level, but it was targeted at a certain group of users. (Also, can we talk about how I’m sure there were red flags during the set up process? And if people feel like they need a third party ad manager for Facebook, doesn’t that imply that Facebook’s ad management tools aren’t giving serious advertisers the power they want? One could joke that Facebook is screwing over users, advertisers, AND themselves, which is oh so rare, the trifecta!)

 

[mikethemartian]

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

I rather have a store where 1.25M scam apps are being removed annually than no safeguards at all.

Maybe Apple should spend less time at the doughnut shop and do their job that they charge such a large cut for.

 

[unregbaron]

One of Apple's blindspots. The need to take this more seriously.

 

[Spaceboi Scaphandre]

You can get Malware and hacked even without side loading. Great job.

THIS IS WHAT I KEEP TELLING PEOPLE!

Everything Apple says about sideloading is a lie to keep total control, stamping out competition, and maximize profits so there's absolutely zero reason to not have an optional sideloading toggle for those who want it.

Edit: And to those who keep disliking this post, see for yourself: Scam apps have figured out how to trick the App Store review team and it's getting worse. You are not immune to bad actors with the absence of sideloading like you think you are https://9to5mac.com/2022/08/04/fraudulent-chinese-apps-mac-app-store/

 

[1557750]

I’m sorry, but anytime I see Facebook, scam and ads in the same article, I can’t help but laugh.

“Facebook, a parent company of Meta, flagged the app”. Facebook flagging suspicious behavior is ironic in itself. One of, if not the least trustable companies on the planet is upset because someone is getting over on them.

Apple definitely needs to do a better job at cleaning up and monitoring their AppStore. It’s a god awful mess. I only use it to update the 10 apps I have, so it doesn’t effect me and I’m hardly on it. But it’s a cesspool of scammers that get screened before added to the AppStore, then appears to be able to update it with any changes while going unnoticed.

Apple can do better.

 

[ponzicoinbro]

You can get Malware and hacked even without side loading. Great job.

You just get 100X more with side loading and nobody gets alerted until it is wayyy too late.

I have an idiot freelance photographer/videographer friend who didn’t pay for his Adobe apps. Kept using CS6 cracked versions for years. When he complained his accounts were getting jacked I looked at his computer, did a scan, whole thing infested with keystroke recorder sending his typing to an IP address.

 

[ginkobiloba]

There is no difference between the AppStore and the rest of the internet except 10 minutes of testing. Do you really want to rely on that?

The difference however is that the Appstore version will get removed at some point. The « rest of the internet » version will keep scamming people with no end in sight.
The majority of people aren’t techies and don’t read tech websites on a regular basis, and have no way of knowing which apps are scams in the internet jungle.

 

[TheYayAreaLiving 🎗️]

Why do I have a feeling Facebook is behind this?

 

[StuBeck]

You just get 100X more with side loading and nobody gets alerted until it is wayyy too late.

I have an idiot freelance photographer/videographer friend who didn’t pay for his Adobe apps. Kept using CS6 cracked versions for years. When he complained his accounts were getting jacked I looked at his computer, did a scan, whole thing infested with keystroke recorder sending his typing to an IP address.

I don't think people are talking about stealing software like you are. They are talking about installing programs without having their dad say its okay. In this case, Apple is the father.

 

[4743913]

You just get 100X more with side loading

But at least we would have a choice NOT to sideload. We do not have a choice to NOT use the AppStore.

 

[webkit]

We should be mad at the scammers, not Apple. It’s like being mad at the police because people still get murdered.

In this situation, we should be "mad" at both. Apple plays up the safety and security of their App Store and is supposed to "protect and serve" (using your police analogy). If they fail to do so, it is on them. I'm not talking 100% blame here but certainly some of it.

 

[4743913]

The majority of people aren’t techies and don’t read tech websites on a regular basis, and have no way of knowing which apps are scams in the internet jungle.

then how will they know how to sideload?

 

[Spaceboi Scaphandre]

But at least we would have a choice NOT to sideload. We do not have a choice to NOT use the AppStore.

then how will they know how to sideload?

Precisely this. Only 3% of all Android users sideload. So there's no harm in allowing choice for the enthusiants since there's a lot of apps people want but Apple will never allow, like Xbox Game Pass for Cloud.

 

[JosephAW]

Soooo why didn’t Apple remove the fb app?

 

[1557750]

Soooo why didn’t Apple remove the fb app?

Like that’ll ever happen. FB will have to die on its own. It’s on its way, just not quick enough.