Unmasking the Intricate Web of Deceit: How a Scam MacOS App Exploits Apple’s Fortifications
--
For any questions you can contact me via DM on X: https://twitter.com/privacyis1st
In the constantly changing world of online trickery, a new actor has appeared, revealing weaknesses in the Apple Mac App Store, which was thought to be very secure.
In this report, I investigate a Mac application that has exploited various aspects of the Apple ecosystem. It commits trademark violations that deceive unsuspecting Apple users and manipulates the Mac App Store’s Rate/Review system. The developer of this application goes even further by trying to duplicate a legitimate company’s D-U-N-S (Data Universal Numbering System) number to create a developer account within Apple’s ecosystem.
This situation shows that even though Apple tries hard to keep their App Store safe, there are still scammers who find ways to trick the system. It reminds us that Apple’s protective wall isn’t completely foolproof, and they need to keep working on making it even safer.
Unmasking the Achilles’ Heel: The Deceptive Practice of Cloning Company D-U-N-S Numbers in Apple Developer Account Creation
I started looking into fake company developer accounts (created with cloned D-U-N-S Numbers) because I noticed that more and more were popping up, especially for well-known companies. What caught my attention was that these accounts were using unofficial websites instead of the real ones belonging to the actual companies, or even free email addresses as “support” emails. This shady method of copying companies for illegal activities isn’t just about making fake developer accounts; it’s similar to what we’ve seen before with fake loan apps. Babu (@pooniawalla) on X (formerly Twitter) noticed this too: https://blpoonia.github.io/fake-loan-apps-google-play-store-ios-app-store/ios-loan-apps.html.
The process of registering an Apple developer account for a company has been described to me by employees from three major companies, providing a comprehensive and corroborated perspective on the intricacies of the procedure.
To obtain a legitimate Apple Developer account, a company must adhere to a series of essential steps. Firstly, the company must either have an existing D-U-N-S number or register for one through a recognized agency. The D-U-N-S number serves as a crucial identifier in the process. Next, the company must navigate to the Apple Developer website and complete the registration form. This form will require the input of the D-U-N-S number and contact information for a representative of the company.
Upon submission of this information, Apple’s verification process takes a minimalistic approach. Instead of extensive documentation, Apple typically assigns a representative to conduct a phone call (the so-called verification call) with the provided contact person. The purpose of this call is to “confirm” the legitimacy of the company and verify that the individual on the line indeed represents the company in question. The only questions that the Apple representative will ask are:
- Are you the legitimate representative of the company?
- What is your name?
This streamlined verification process stands in stark contrast to more rigorous identity checks employed by other organizations.
Finally, once the legitimacy of the company is confirmed, the last step involves payment for the developer account. Once this fee is settled, the company gains access to the Apple Developer Program, unlocking a world of opportunities to create and distribute applications within the Apple ecosystem.
How scammers are doing it:
Scammers who impersonate companies to create fake developer accounts follow a simple playbook. First, they use websites like https://www.dnb.com/de-de/upik-en/ to look up company D-U-N-S numbers without permission. These numbers are essential for signing up. The target companies are carefully picked after a little reconnaissance: they are small or medium-sized, usually inactive, and often have no brand or website, as I saw in the case of the cloned company called Skylink Technology.
After they steal the information, the scammers then use it to set up the developer account, making it look like it belongs to the real company. But here’s where it gets really bold: during Apple’s confirmation process, when an Apple representative usually calls to check things, the scammers pretend to be an employee or owner of the impersonated company. They act like the real deal to try and fool Apple’s security.
Skylink Technology Mac App Store Scam (https://apps.apple.com/de/app/gpt4-ai-chat-robot-assistant/id6449526044)
This scam application has managed to secure a top-ranked position in the Mac App Store’s list of best-selling applications, raking in thousands of dollars through its deceptive practices, ultimately exploiting unsuspecting Apple Mac users.
The scammer is not using an official web domain email address (as most genuine developers and companies do); instead, they are using a free Hotmail account email, while the developer account belongs to a company called Skylink Technology Co. Ltd. (https://docs.google.com/document/d/1e7QSBYVrvq1LVBwzwJeTJleACyQd_pu2_bj7Zhf-eZ4/).
1. Trademark Infringement Impersonating OpenAI’s Official Design
The scam app impersonates OpenAI’s brand design and terminology, using its names and look-alike icons to fool people. This dishonest behavior not only confuses regular users but also damages the reputation of legitimate companies.
2. Fraudulent False Claims Designed to Mislead Apple Mac App Store Users
The scam app is trying to fool Apple users by claiming in its screenshots that the application uses GoogleAI, which is not true. They want people to think their app has fancy Google artificial intelligence, but that’s a lie. Google hasn’t allowed anyone to use their AI in other apps yet. So, what the scammer is saying is definitely not true.
3. Abusive Technique Aimed at Ranking and Misleading Apple Mac App Store Users
In order to rank fast and outrank genuine developers, the scammer has implemented a tricky and abusive way of requesting reviews from Apple users. They’re giving users rewards or gifts if they write good reviews, even though this breaks the rules set by Apple. Apple has these rules to keep the App Store fair, so that reviews show what people really think about apps.
Apple App Store Guidelines
- 5.6.3 Discovery Fraud: Participating in the App Store requires integrity and a commitment to building and maintaining customer trust. Manipulating any element of the App Store customer experience such as charts, search, reviews, or referrals to your app erodes customer trust and is not permitted.
- If you attempt to cheat the system (for example, by trying to trick the review process, steal user data, copy another developer’s work, manipulate ratings or App Store discovery) your apps will be removed from the store and you will be expelled from the Apple Developer Program.
4. Misleading and Fraudulent Claims in the Paywall and Subscription Process
The application uses a fraudulent style of paywall that tries to get people to sign up by promising them something for free. But here’s the problem: there’s actually nothing genuinely free if you subscribe. This is the classic “bait and switch” trick in the digital world: something is advertised as really good (the “bait”), but when you get it, it’s not what you expected, and it’s not free at all. The scammer uses this trick to get people to sign up without delivering the free content they promised, which leaves users disappointed and out of pocket.
5. Unauthorized collection of the Mac UUID without consent or a valid Privacy Policy in place.
The scammer is secretly collecting and using the Mac UUID from Mac computer users without asking for their permission. They should also have a clear Privacy Policy, but they don’t. The Mac UUID is like a digital fingerprint for a Mac, and taking it without permission is not right. It’s a problem because it goes against people’s privacy rights and makes us worry about the safety of our personal information. Since they didn’t ask for permission and don’t have a proper Privacy Policy, we don’t know what they’re doing with our data.
The Mac UUID is used for a so-called “authorization procedure” on the backend servers that make the calls to the OpenAI API. It is also used to track the number of free questions a user has left before the paywall is shown.
Reported to Apple on September 13th, and no action has been taken thus far
The scam application in question was formally reported to Apple on September 13th, but disconcertingly, no discernible action has been taken by Apple in response to this report as of now.
Full email sent to Apple:
Dear Apple Review Team,
I am writing to report certain violations observed in the application named “GPT4 — AI Chat Robot Assistant” with the Application ID number 6449526044 — Mac App Store. After a thorough examination of this application, I have identified several concerns that I believe need your attention and investigation.
1. Misleading Icon: The application employs an icon that appears to impersonate the official OpenAI logo. This deceptive use of branding is likely to create confusion among users, potentially leading them to believe that the application is affiliated with OpenAI when it is not.
2. Misleading Screenshots: The application’s promotional materials, specifically its screenshot video, imply that it utilizes GoogleAI capabilities. However, upon using the application, it becomes evident that it does not offer the services as advertised. This is a misleading practice that can misguide potential users.
3. Unauthorized Use of OpenAI Branding: The application employs the term “GPT4” in its title, which appears to infringe upon OpenAI’s branding guidelines. Unauthorized use of OpenAI’s branding can mislead users into thinking that the application is officially affiliated with or endorsed by OpenAI, when this is not the case. (OpenAI is allowing developers to use the terms like GPT, ChatGPT, or OpenAI in a phrase like “Powered by ChatGPT”)
4. Request for Application Ratings/Reviews with Promised “10 Free Credits”: The application encourages users to rate and review it while offering a supposed incentive of “10 free credits” for doing so. This practice raises concerns about the authenticity and credibility of user reviews and ratings and may be in violation of Apple’s guidelines regarding reviews and ratings solicitation.
I have attached screenshots that clearly highlight these issues within the application for your reference. I believe it is essential to investigate these concerns to maintain the integrity and trustworthiness of the App Store ecosystem. I kindly request that you initiate a review of “GPT4 — AI Chat Robot Assistant” (Application ID: 6449526044) and take appropriate actions in accordance with Apple’s policies and guidelines.
Your prompt attention to this matter is greatly appreciated. Thank you for your commitment to ensuring the quality and authenticity of applications available on the App Store.
Sincerely,
Alex K
Conclusion
In summary, the dishonest activities I’ve described, like using fake company identities, abusing well-known trademark terms, abusing the Mac App Store review system and taking user data without permission via the Mac UUID, show that even if Apple products are well built, there are plenty of gaps that still need to be covered. What’s more concerning is that Apple doesn’t seem to do much when people report these scams. Apple should provide clear and fast tracks for people to simply report this kind of scam.
Apple needs to take care of its users and make sure the App Store is honest. Millions of people trust Apple, and to keep that trust, Apple needs to do better at protecting people, listening to reports, and stopping scams. Apple has always tried to be good, but these scams show that they need to do even better. As the online world changes, Apple has to change too, so people can use their stuff without worrying about scams and tricks. That’s the only way the Apple experience can be truly safe and trustworthy.