A kids’ game called “Jungle Run” that, until recently, was available in the Apple App store, was secretly a cryptocurrency-funded casino set up to scam people out of money.
Kosta Eleftheriou, who found the scam, is a tech entrepreneur and founder of the Apple Watch keyboard app FlickType who, it’s worth noting, is currently entangled in anti-trust litigation he filed against Apple in March.
He’s also developed a popular cybersecurity side hustle tracking down malicious apps lurking in the iOS store. His latest discovery was that Jungle Run, which was marketed in the App Store as a game for ages 4+, transformed into a crypto-funded casino when he set his VPN to Turkey.
He later discovered that the Jungle Run casino also worked when VPNs were set to Italy and Kazakhstan. He mused on Twitter whether it was available everywhere but the U.S.
“This is a creative method of social engineering to bypass Apple’s technical security controls,” Chris Morales, CISO at Netenrich, said via email. “Simple creative human intelligence beating machine learning. This is the same reason phishing still works and social engineering is the number one technique for attacks, not advanced malware.”
The same developer also had “Magical Forest Puzzle” on the app store, which used the same VPN trick to unlock a different casino.
This @AppStore app pretends to be a silly platformer game for children 4+, but if I set my VPN to Turkey and relaunch it becomes an online casino that doesn’t even use Apple’s IAP.
After Eleftheriou went to the press with the discovery and Gizmodo was able to verify and report that the Jungle Run app was indeed a shady casino posing as a kiddie game, Apple took the app down. But it had already been available for months, Eleftheriou added.
Once people follow the ad, they are taken to this App Store page. Notice the abundance of coins and the “Install and win” copy.
In order to pass App Review the app claims to be “a fun running game”, and in the US works like an extremely basic and very poorly designed kids game. pic.twitter.com/eb2PdyY0Cd
— Kosta Eleftheriou (@keleftheriou) April 15, 2021
Users Scammed by Approved iOS App Aimed At Kids
Eleftheriou said the Jungle Run reviews included complaints from users that they were scammed out of deposits and payouts.
“It’s impossible to know how much money these scammers have made from unsuspecting users, but such schemes make bank,” Eleftheriou added.
When asked how many of these scam apps he’s uncovered so far, Eleftheriou told Threatpost, “A LOT,” adding that he gets a steady flow of tips through an email address he’s set up to get leads.
“At this point, lots of people are tipping me about scams,” he said.
His goal, he told Threatpost, is to convince Apple to “…stop misleading users and developers.”
Apple has not responded to Threatpost’s request for comment. One of its former marketing directors, however, took to Twitter to express his feelings:
I believe @keleftheriou has brought an important issue about the App Store to a mainstream audience. I hope Apple gets its act together soon. The ecosystem that is often praised is breaking at the seams IMHO
— Michael Gartenberg (@Gartenberg) April 16, 2021
Malicious Mobile Apps Plague Official Stores
This revelation comes after a steady drip of malicious apps has been discovered, not just in the Apple App Store but also in Google’s.
At the end of March a cache of “fleeceware” apps, which ultimately took in more than $400 in revenue, were discovered in both Apple’s and Google’s official marketplaces, including “slime simulators,” fortune tellers, filters and other functions largely marketed toward kids.
And just this month, a fake Netflix app in Google Play was being spread via WhatsApp. Check Point found at least 500 users had their WhatsApp accounts hijacked and used to spam other contacts to propagate the malware.
Pressure is mounting on these marketplaces to ramp up their security screening on apps before they are made available.
“Alternative app stores that focus on security rather than revenue would do a much better job than Apple,” Eleftheriou said. “The iPhone already has enough system-level protections to make this work, and Apple needs to drop the security theater that’s harming consumers every day.”