After backlash, Apple removes fake Threads app, unethical loan apps from App Store

After facing public backlash, Apple recently removed some unethical apps from the App Store. Here’s what you need to know to avoid getting scammed.

White Kash and other “predatory” lending apps

On Sunday, July 2, an Indian journalist tweeted that someone had contacted her about an experience someone had with an App Store app in India. Apparently, someone who had downloaded an app called “White Kash-Personal Loan App” had granted the app access to her contacts—a seemingly strange request for such an app to make. Allegedly, the app’s developer then began threatening to send fake “nude pics” of the user to her contact list.

According to the report, existing App Store reviews allegedly indicated that this woman wasn’t the only person whom the app’s developer had threatened.

A TechCrunch writer contacted Apple for comment the following day. Two days later—three days after the Indian journalist’s tweet—Apple had removed at least six apps from the App Store for “falsely representing an association with a financial institution” on July 5. Other removed apps’ names included Golden Kash, OK Rupee, and Pocket Kash.

“Threads for Insta” deceptive social app lookalike

The following Sunday, July 9, an iOS developer tweeted about an app called “Threads for Insta,” with the comment, “How do apps like this get past the review process?” I noted that the name and logo were deceptively similar to Threads, an Instagram app—a new social media platform.

The App Store listing showed that “Threads for Insta” offered in-app purchases, as high as $79.99 per year. At least one individual left a review claiming to have been deceived into thinking the app was the official Threads social networking app.

It took even longer for Apple to remove this app from the App Store. After much media attention—and concerns over the fact that it was available in the EU, where Threads is currently unavailable—Apple finally removed the app four days after the initial tweet.

Unfortunately, the App Store has continuous problems

While it’s good that Apple eventually removed these apps from the App Store, the fact that they somehow passed a manual human review is concerning. And then, after being called out publicly, Apple still took several days before taking action, in both cases.

Sketchy apps abound

These are far from the first examples of potentially harmful apps that have appeared in the iOS App Store. Sketchy apps abound, particularly ones that claim to offer security or privacy benefits, and they often have outrageously high in-app purchase subscriptions.

As just one example, “Guard Browser” by a company nobody has ever heard of, “Venera OOO,” somehow justifies a $3.49/week ($181.48/year) subscription for an app that doesn’t appear to offer more functionality than any basic browser—and as of late 2021, the same app was charging $11.49/week ($597.48/year). In spite of sketchy claims, poor reviews, and ridiculous subscription pricing—for a Web browser, which can observe tons of users’ private data—Apple somehow approved this app and has never seemed to have a problem with it.

In the past, malware has even entered the App Store

Apps literally infected with malware have made it into the iOS App Store in the past, too. Back in 2015, 128 million users downloaded more than 2,500 XcodeGhost-infected apps (about two-thirds of the victims were in China)—but Apple chose not to directly communicate these facts to its customers. In 2012, Windows malware even managed to sneak into the iOS App Store—just a month after a clearly fake Microsoft Word app was being sold in the store.

The Mac App Store isn’t much different. In 2018, we saw a Mac-slowing, overheating, cryptocurrency mining “feature” get added to a calendar app, followed by the discovery of 14 apps that exfiltrated users’ browsing history.

So while we’d like to say that the App Store is a safe haven, that’s not necessarily true 100% of the time. You still have to be careful with the App Store, too.

How to avoid getting scammed by App Store apps

On the other hand, the App Store is probably still safer than downloading apps from update aggregator sites, or from other third parties besides the original developer’s own site.

Here are a few tips that can help you identify App Store apps that you might want to avoid.

  1. Be cautious about the first search result in the App Store. Apple frequently puts paid advertisements at the top of search results in the App Store app. While the background is a slightly different shade and there’s tiny text that says “Ad,” it’s easy to not notice—and you might end up downloading a sketchy app rather than the one you thought you were getting.
  2. Stick to trusted companies whenever possible. Try to avoid downloading apps from companies you’ve never heard of.
  3. Don’t immediately trust an app’s name or icon. As we saw with the Threads lookalike, sketchy apps can have very similar names and icons to the apps you’re probably looking for. Check the listing carefully to be sure it’s really from the developer you think.
  4. Look at the list of in-app purchases. If you see a lot of ridiculously high subscriptions, you might be dealing with an unscrupulous developer. That’s why it’s a good idea to check this, even if you have in-app purchases disabled.
  5. Read the App Privacy summary. Apple informally calls this the “nutrition label.” It’s developer-reported information, so it’s possible for a developer to lie and misrepresent their app. But if you do happen to see nearly every category checked, you might want to think twice, and see if you can find a more privacy-focused alternative. Developers are also required to link to their full privacy policy; this is supposed to lead to a page on the developer’s site for further information.

With those tips in mind, it will be easier to avoid sketchy apps in the App Store.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.