
Apple confirms the scale of App Store fraud

News analysis
Jun 02, 2022 (5 min read)
Tags: Apple, Mobile, Mobile Apps

Apple says millions of fraudulent attempts are made against the App Store and its users each year as criminals get smarter and exploits more complex.


Apple says millions of fraudulent attempts are made against the App Store and its users each year. The company prevented $1.5 billion in fraudulent transactions in 2021, it said, in line with similar levels of fraud in 2020.

How people attempt to commit App Store fraud

The company explains how fraudsters attempt to commit fraud via the store.

These attempts span the gamut from relatively unsophisticated attempts to make purchases using stolen or fraudulent credit cards to more complex scams consisting of apps that otherwise work fine but quietly gather data or carry malware to trick or defraud users.

Attempts to smuggle malware into apps to perform on-device fraud are intensifying in 2022. It is worth noting that malware attempts to perform on-device fraud against Android have increased by over 40% so far this year, which shows that Apple’s concern is justified.

Apple has rejected tens of thousands of apps, including apps with hidden code and misleading, copycat, and privacy abusing apps. Millions of attempts to create fraudulent customer or developer accounts are made each year, the company said, while 3.3 million stolen credit cards have seen attempted use.

The scale of review fraud

Review fraud — in which competitors file illegitimate ratings and reviews to suppress sales of competing apps or to encourage users to download untrustworthy apps — also gets a mention.

Apple says over a billion ratings and reviews were made across 2021, and Apple had to detect and block over 94 million reviews and 170 million ratings for “failing to meet moderation standards.” Apple also ditched 610,000 reviews after publication following complaints and subsequent evaluation.

That data suggests the scale of review fraud is relatively high, as it hints that a very large percentage of the billion ratings and reviews made each year are at fault.

App Store developers have complained about this practice for years, and the data Apple has released justifies that concern. Having said that, this also suggests the risks of review fraud would be far, far higher if the App Store were left unmoderated.

Apple wants to protect its App Store business

We know that part of the reason the company is sharing this information is to justify the fees it levies against some developers for selling apps via its store. Apple continues to pull together data to support the way it runs the App Store business, and fraud detection at the level Apple explains does not come cheap. While other app stores may levy lower fees, do they offer the same security or user experience? What happens in the event Apple cannot?


Apple really wants regulators to think again on plans to force sideloading of apps and other poorly thought out proposals that would serve to dilute the security and safety of its platforms. In that context, the company likely seeks data to show the extent to which its products are today used across highly confidential and strategically essential industries.

What use are network and endpoint protection systems when the platforms themselves are made inherently insecure? How can any enterprise remain confident in its increasingly digital processes if its devices carry government-mandated backdoors?

These important questions need to be rigorously answered before any decisions are made.

That the App Store experiences fraudulent activity at the level it has described should give regulators pause for thought before imposing rash remediation, particularly as criminals become increasingly creative in apps, app services, and the growing potential for ID fraud.

Older devices are at most risk

Fraudsters are also targeting older mobile devices, according to a NICE Actimize study. That study found banking fraud attempts increased by 41% in 2021, with devices running operating systems made prior to 2016 three times more likely to be victims of fraud.

Approximately 4% of the 2.5 billion currently active Android devices run at-risk versions of that OS, compared with just 2% of iPhone users who run an OS more than two years old. (The number of iPhones running 2016 versions of iOS is incalculably small.)

However, any move to dilute the security iOS enjoys could make many more of us vulnerable, and the introduction of a non-curated app store would do just that.

More news at WWDC?

Apple’s decision to publish information concerning its work to battle App Store fraud just days before it hosts its annual developer event sends a message that the company will continue working toward its goals around privacy and security across its mobile ecosystem. Most recently the company announced that it will evict older apps that have not been updated for three or more years from the App Store.

Given the scale to which App Store fraud is taking place, this seems a sensible move to help protect users against inadvertent use of apps that may still contain exploits or vulnerable code.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

jonny_evans

Hello, and thanks for dropping in. I'm pleased to meet you. I'm Jonny Evans, and I've been writing (mainly about Apple) since 1999. These days I write my daily AppleHolic blog at Computerworld.com, where I explore Apple's growing identity in the enterprise. You can also keep up with my work at AppleMust, and follow me on Mastodon, LinkedIn and (maybe) Twitter.