A quite stunning story came to light over the weekend of a scam app charging people a staggering $400 per month through an in-app purchase disguised as a free trial – for an app that does nothing in the first place.

Taking advantage of App Store search ads to achieve visibility, the app claims to be a virus and malware scanner, and for anyone naive enough to install it presents a dialog box offering a ‘free trial’ that actually charges them $99.99 for a 7-day subscription …

NordVPN

Buried on the third line in a paragraph of text in small font, iOS casually tells me that laying my finger on the home button means I agree to start a $100 subscription.

The app in question, according to Sensor Tower data, brings in around $80,000 per month in revenue, despite the fact that it offers users essentially no services and makes that money by scamming them into subscription service.

It seems to me astonishing that such an app was ever approved by Apple in the first place, and even more incredible that the company allows in-app purchases of $100 per week without carefully vetting the subscription text to make sure it’s abundantly clear to users what it is they are authorizing.

Apple has a dual responsibility here. First, the whole point of the App Store having a review purpose is so that nefarious apps can’t get approved. Part of what Apple is selling when someone buys an iPhone is that vetting process: the peace of mind of knowing that it’s not the wild west out there, and that the only apps available in the store are the ones Apple has checked and approved for purchase.

Second, Apple is taking a 30% cut of this fraudulent enterprise. And then taking another cut for selling it the ad service that allowed it sufficient visibility to earn almost a million dollars a year. Not knowingly, not deliberately, but taking it all the same.

Now sure, I’m absolutely confident that anyone taken in by this app will be able to report it to Apple and get a full refund. I’m equally certain that the app in question will be rapidly removed from the store, along with the developer’s account. But that’s addressing the problem after it’s occurred. And not soon after, but apparently two months after,

I get that app reviewers are fallible human beings. I get that they can’t be expected to catch everything, especially if a developer goes to significant lengths to disguise the true nature of an app, such as waiting for a certain length of time after installation before offering sketchy in-app purchases.

But there are two reasons why this is no excuse. First this was an app claiming to be a virus scanner for an iPhone. A scanner where, even if it were necessary, could not possibly do the job it claimed thanks to app sandboxing. How does such an app make it through even the most cursory of approval processes?

Second, this was an app generating $400 a month from each user who fell for it. Surely apps generating that kind of spend per user deserve a little extra scrutiny?

The (relative) safety and security of the Apple ecosystem is a key selling-point. Failing to guard that ecosystem against something as crazy as this puts that USP – and Apple’s reputation – at serious risk.


Check out 9to5Mac on YouTube for more news!