Fake iPhone app snuck through Apple approval process
Security experts can't tell whether bogus Camera+ was malicious
By Gregg Keizer | Computerworld US | Published: 14:30, 24 January 2012
Apple let a fake app slip through its approval process for the iOS App Store, the makers of the popular Camera+ program said over the weekend.
Security researchers who noted the slip-up did not know whether the bogus app contained malware because they had been unable to grab a copy before Apple yanked it from the App Store.
On Saturday, the iPhoneography blog announced that a new App Store entry was fake.
Related Articles on Techworld
The App Store listing touted Camera+ version 4.0, and listed the price at $0.99.
Although the real Camera+, created by Tap Tap Tap, is sold for the same price, it's only at version 2.4.
iPhoneography's Glyn Evans contacted Tap Tap Tap, who confirmed that Camera+ 4.0 was phony.
"Oh, Apple and your all too often disappointing approval process," said Tap Tap Tap on Twitter Saturday.
Tap Tap Tap has butted heads with Apple before: In 2010, Apple yanked Camera+ from the App Store in a dispute over a violation of Apple's developer agreements.
No idea if fake app was malicious
Apple later restored Camera+ to its app distribution channel.
UK security company Sophos noted the fake Camera+, but said it couldn't tell whether the app had a malicious purpose.
"We haven't been able to get our hands on a copy of the bogus app, so we cannot confirm if it contained any malicious functionality," said Graham Cluley, a Sophos senior security consultant, in a blog Monday . In a follow-up email, a Sophos spokeswoman said the company believed it was probably created to siphon money from Tap Tap Tap's sales.
The fake Camera+ used graphics identical to the real deal to promote the program on the App Store.
According to that entry - which was still available Monday via Google's search cache - the bogus Camera+ was released on Saturday, 21 January by a Hiep Nguyen of a company called Pursuit Special.
Later that day, Apple pulled the illicit Camera+ from the App Store, Tap Tap Tap confirmed on Twitter.
Apple's gaffe was notable since most security experts consider the iPhone platform more secure from hacker misuse because Apple vets each app before allowing it into the App Store, unlike Google.
How did the Camera+ error happen?
Google's Android Market has been plagued with bogus apps, many of which contain some kind of malicious functionality. Last month, for example, Google scrubbed 22 malware-infected apps from its official e-store.
Cluley wondered how Apple could have screwed up.
"But questions still remain as to what went wrong with Apple's approval process," Cluley said. "After all, Camera+ is currently the 14th best-selling app in the App Store - Apple should surely recognise if someone other than Tap Tap Tap tries to submit it to the store."
As of mid-day Monday, Camera+ was actually No. 7 on Apple's bestseller list of paid iPhone apps. Apple did not immediately reply to questions Monday.