There are no good app stores. Not iOS nor Android. Change my mind

Richi Jennings Your humble blogwatcher, dba RJA
Apple and Google are under fire yet again for allowing scam apps into their curated app stores: Apple for permitting useless clone apps that sneakily charge recurring fees, and Google for not dealing with once-good apps that go rogue.

There are no good app stores. There, I said it. Change my mind.

It’s all about the mighty dollar. In this week’s Security Blogwatch, we follow the money.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: BOOM.

A plague on both your houses

What’s the craic? Dan Goodin reports—Android barcode scanner with 10 million+ downloads infects users:

Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December … ads were opening out of nowhere. … An update delivered in December included code that was responsible for the bombardment.

Google [has] removed the app. … So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. … Anyone who has a barcode scanner installed on an Android device should inspect it.

How can we tell? Thomas Claburn explainifies—Barcode scan app amassed millions of downloads before weird update:

Barcode Scanner, distributed by a London-based company called LavaBird, received an update on December 4, 2020, that appears to have introduced the code in question. … LavaBird's now-banished Android app shouldn't be confused with ZXing Team's Barcode Scanner that remains in the Play Store.

LavaBird … is run by Dmytro Kizema, a resident of Ukraine. [It] was incorporated in March, 2020 [but] those involved appear to have been using variations on that name for several years and have other apps that they use to sell traffic to advertisers.

Who discovered it? Nathan Collier slightly over-hypes the scale of the problem—Barcode Scanner app on Google Play infects 10 million users with one update:

Late last December we started getting a distress call. … One patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner. An app that has 10,000,000+ installs from Google Play.

We predict … the update occurred on December 4th. … Malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. … We confirmed it had been signed by the same digital certificate as previous clean versions.

It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. … Because there are so many other legitimate barcode and QR scanners on Google Play, [here’s the] app information:
Publisher: LavaBird LTD
App Name: Barcode Scanner
MD5: A922F91BAF324FA07B3C40846EBBFE30
Package Name: com.qrcodescanner.barcodescanner
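As an added example (not from this post, Malwarebytes or LavaBird), here is a small Python check that runs the indicators quoted above against an Android device inventory. The package name and MD5 are the values published above; the `pm list packages -f` and `md5sum` lines are constructed sample output, and the point is that two apps can share the display name "Barcode Scanner" while only the package name and APK hash tell them apart.

```python
import re

# Indicators exactly as listed in the post: package name -> published MD5.
INDICATORS = {"com.qrcodescanner.barcodescanner": "A922F91BAF324FA07B3C40846EBBFE30"}

# CONSTRUCTED sample in the shape of `adb shell pm list packages -f`.
# Both the ZXing app and the LavaBird app display as "Barcode Scanner".
PM_LIST_OUTPUT = """\
package:/data/app/com.google.zxing.client.android-1/base.apk=com.google.zxing.client.android
package:/data/app/com.qrcodescanner.barcodescanner-2/base.apk=com.qrcodescanner.barcodescanner
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
"""

# CONSTRUCTED sample in the shape of `md5sum <apk>`; the LavaBird entry is set
# to the published indicator so the hash branch below is exercised.
MD5SUM_OUTPUT = """\
0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f50  /data/app/com.google.zxing.client.android-1/base.apk
a922f91baf324fa07b3c40846ebbfe30  /data/app/com.qrcodescanner.barcodescanner-2/base.apk
"""

PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    return {m.group("pkg"): m.group("path")
            for m in (PM_LINE.match(l.strip()) for l in text.splitlines()) if m}


def parse_md5sum(text):
    """Map APK path -> upper-case MD5 from `md5sum` output."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[1].strip()] = parts[0].upper()
    return out


def check_device(pm_text, md5_text, indicators=INDICATORS):
    """Return (package, path, reason) for every indicator package installed.
    A package-name hit alone is worth reporting; a hash match pins the exact build."""
    paths, hashes, findings = parse_pm_list(pm_text), parse_md5sum(md5_text), []
    for pkg, ioc_md5 in indicators.items():
        if pkg in paths:
            path = paths[pkg]
            hit = hashes.get(path) == ioc_md5.upper()
            findings.append((pkg, path, "package name and MD5 match published indicator"
                             if hit else "package name matches; hash differs (other build)"))
    return findings


if __name__ == "__main__":
    for finding in check_device(PM_LIST_OUTPUT, MD5SUM_OUTPUT):
        print(finding)
```

On a real device the two inputs come from `adb shell pm list packages -f` and `adb shell md5sum <path>`; the ZXing package is left alone because it is matched on package name, not on its display name.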

As opposed to other apps with the same name? Thus spake marsilies:

I use an app called "Barcode Scanner" that's not the malware app. However, the recent reviews blast it for adware, which I haven't noticed. I think having the exact same name has caused some people to post negative reviews on the wrong app.

As wooped wooptoo, too: [You’re fired—Ed.]

This is possibly tied to the recent assault on the ZXing Barcode scanner app. This is a legit open source app that's been recently flooded by 1-star reviews claiming that the app contains malware, probably in order to get users to switch to the other apps.

The funny thing is this app has not been updated since 2019 on the Play Store, so those reviews are clearly bogus. It takes a special kind of scum to slander an open source project in order to push malware.

And this problem isn’t unique to Android. Tim Hardwick explains—Scam iOS Apps Still Raking in Millions in Revenue on App Store:

The problem of scam iOS apps has dogged Apple's App Store for some years now. … Scammers prey on and exploit the work of genuine app developers. … The developer Kosta Eleftheriou has taken to Twitter to highlight that the problem remains as big as ever in at least some app categories – and also offered iOS users a way to spot them.

According to Eleftheriou, there are several clones of his … app, but one of the most clear non-functional rip-offs … launched with a blank interface and an "Unlock now" button. Tapping the button prompted users to confirm an $8/week subscription—for an app that doesn't do anything.

[He said] the scam achieved prominence in the App Store by gaming Apple's algorithmic ranking system through the purchase of fake ratings and glowing five-star reviews, which bumped it up to the top of its app category. It even advertised its software using his own promotional video.

Old news, I hear you cry? alex331 counts the days:

It's been a week since this issue [was] highlighted. And a week since Apple still hasn't said a single thing. This is sad.

IANAL, and neither is Anubis IV:

Not a lawyer here, but it even seems as if there may be a case for fraud. … If they're stealing someone else's videos, posting them as their own, delivering a non-functioning app, and charging users $8/week for the privilege of using said app, the App Store might be well-served by Apple going after them in court.

Cui bono? With an eye on Apple’s 30%, ekurutepe blames Tim Apple:

I'm sure Apple wants to do the right thing but they've set themselves up badly from the top down in this case: Tim Cook has been promising (and delivering) services revenue and subscriber count growth since 2016. If your employer says services revenue growth is the most important thing, people do respond to incentives even if they're aware of it or not.

Meanwhile, what’s the best way to curate an app store? arglebargle_xiv comment YOU:

Google method is much more economical. Google asks Google Play authors, "Are you Russian hacker?" and if reply is "Nyet!" then app gets approved.

The moral of the story?

Watch out for scam clones of your app, and for bad reviews targeting similarly named apps.

And finally

Don’t try this at home, kids

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Proxyclick (via Unsplash)