An examination of a scam app for macOS made by a bogus developer impersonating legitimate accounts reveals how the Mac App Store review system can be manipulated.
Spyware and malware is a continuing problem in computing, and Apple tries to keep things safe by maintaining security of the App Store and the Mac App Store. Naturally, bad actors then try to abuse those systems and to get around Apple's security features.
In a breakdown of techniques used by scammers, a post by Privacy1St on Medium explains what happened for one application that exploited a number of areas of the Apple ecosystem to progress.
The breakdown concerns an app called GPT4 - AI Chat Robot Assistant by SkyLink Tech.
The developer in question violated trademarks, manipulated the Mac App Store's system for reviews, and also created a fake developer account that duplicated a legitimate account's Data Universal Numbering System (D-U-N-S), a unique identifier for a business.
Getting fake accounts
The normal process for getting a developer account relies on the developer having an existing D-U-N-S number or to register for a new one via a recognized authority. This number is supplied along with contact information to Apple, which Apple then uses to confirm the registration's legitimacy.
However, Apple only really asks is whether the representative is legitimate and their name. This is raised in the report as being "streamlined," and less rigorous than other organizations.
Scammers use websites to sign up and get a company's D-U-N-S number without permission. When submitting the form, they include their own contact details, and then merely pretend to be the representative or owner of the impersonated company.
Beyond registration
Once signed up, the app being observed then uses techniques to earn trust from users, in underhanded ways.
For a start, the app claims to be related to OpenAI, the company behind ChatGPT, and uses names of products and similar-looking logos to present the app as being official. Or, at least to confuse users enough to believe they may be the real deal.
The apps then provide screenshots that outright lie, including claims it was building not only on OpenAI but also on GoogleAI. Google has yet to allow anyone to have ChatGPT-level access to its own AI systems.
Within the app itself, the app offers rewards and gifts to users for writing good reviews on the Mac App Store, since good reviews help encourage others to download apps. The problem here is that the rewards for good reviews are against Apple's App Store rules, under terms for Discovery Fraud.
The app also misleads about a paywall, telling users they will get free usage but that they won't actually get what was promised. In the app's case, it would unlock "OpenAI Training" and more features.
As well as more obvious issues, it was found the app was secretly collecting the Mac UUID without asking for permission. In this instance, the Mac UUID is used to keep track of calls to the OpenAI API.
Nothing's been done
Despite discovering the app and reporting it to Apple on September 13, the app is still available on the Mac App Store, and no action has been taken, the report claims.
In summary, the report claims that the various issues with the app "shows that even if Apple products are well built, there are plenty of things that needs to be covered. What's more concerning is that it seems like Apple isn't doing much when people report these scams."
"Apple should provide clear and fast tracks for people to simply report this kind of scams."
This is not the first time that Apple has been called out over the Mac App Store's relaxed security. In April, a similar report discussing scam apps was published, covering many of the same areas of the new one.