Investigation report about the abuse of the Mac Appstore

  1. most of the applications published under this developer accounts that will be described below are using the same pattern of “command-and-control — the term is used in the malware world and is attributed to a malware that can receive commands from a server for doing certain things” technique used by malware, in order to bypass or hide things from the Apple review team and change the application UI in order to gain as much as revenue as possible. The technique was used in past by well-known PUP (Potential Unwanted Program — term used in the antivirus industry) actors.
  2. MacOS Apple Appstore fake reviews fraud to mislead Apple users
  3. an abusive download of data that is not related to the application purpose
  4. abusive and anti-competitive behavior — multiple spams of the same applications in order to gain as much market-share as possible in some niches
  1. Sunnet Technology Inc ( — PDF Reader for Adobe PDF Files — Top #1 US Chart Education — TeamIdentifier=WJMTXR4JNU —
  2. Netozo Limited ( — Word Writer Pro — Top #52 US Chart Business — TeamIdentifier=758H5UDNCP —
  3. Safeharbor Technology L Ltd ( — Screen Recorder — Top #12 US Chart Education — TeamIdentifier=6N53BTGWL7 —
  4. Wildfire Technology Inc ( — Webcam Expert — Top #68 US Chart Photo & Video — TeamIdentifier=QL99V46A4M —
  5. Boulevard Technology Ltd ( — Streaming Browser Video Player — Top #8 US Chart Entertainment — TeamIdentifier=B2MV8Q5A9K —
  6. Polarnet Limited ( — PDF Editor for Adobe Files — Top #11 US Chart Business — TeamIdentifier=33CT73RPKY —
  7. Xu Lu ( — support email is pointing to — PDF Reader — Top #25 US Chart Productivity — TeamIdentifier=9ZXZ48W276 —
  • All the domains are using Cloudflare in order to hide their hosting provider.
  • The MX server used by this all domains is paid service of Zoho
  • The registrar of the domains is Godaddy with privacy enabled feature
  • All the domains have “app” or “vpn” subdomain (will discuss for what is used in the analysis of some of the applications)
  • The Privacy Policy website presented on the Apple Appstore is using Google free websites in all cases:
    Sunnet Technology Inc —
    Netozo Limited —
    Safeharbor Technology L Ltd —
    Wildfire Technology Inc —
    Boulevard Technology Ltd —
    Polarnet Limited—
  • Some applications are using bundle identifiers of another connected company name (e.g the application called PDF Reader for Adobe PDF Files — appid: 1558962121 — is using the bundle identifier — netozo.pdf )
  • Password used to decrypt the JSON used to hide/bypass the Apple review team is the same on all the applications from this accounts: “oKRZzDrJnqXAKw9bCBmPmndwqhfW3qQLG”
  • Most of the applications are using AES encryption using slightly modified names of ftCode, ftDecode, ftEncrypt, ftDecrypt.
  • The GET request that an application is doing to get the encrypted JSON to the is using the same pattern:




Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store