How a fake video streaming app tricked Apple into giving it an App Store listing
We often hear about malware being discovered in an Android app that somehow managed to slip past Google Play Protect. Last year, malware was downloaded from the Google Play Store over 600 million times, according to cybersecurity firm Kaspersky. Apple also gets fooled by developers looking to pull the wool over the company's eyes to obtain a listing in the App Store.
An app recently removed from the App Store by Apple was able to trick the App Store Review team into granting it a listing in the iOS app storefront, which it held for years. The developer employed the old 'UI switcheroo' technique. The app, titled "Collect Cards: Store box," appeared on the surface to be an app where an iPhone user might store and manage photos and videos. So far so good, although we do note that the native Photos app and the Google Photos app are both outstanding on iOS.
The App Store listing for the app didn't reveal much about it and the screenshots seemed to confirm that the app was designed to store users' photos and videos. But the "Collect Cards: Store box" app had a secret dark side that helped it become the second most downloaded free app in the Brazilian version of the App Store. That alone should have set off some alarms inside Apple since you wouldn't expect a rather plain-looking photo and video storage app to gain "must-have" status in one country.
Sure enough, the app would first determine the location of the user before fully loading. In the U.S., the app would load the basic UI of a photo and video storage app. In other regions, like in Brazil, the app was a pirate streaming service showing content from Disney+, Netflix, Amazon Prime Video, and HBO Max. To really rub salt in the wound, the app even displayed content from Apple TV+.
When Apple was vetting the app in the U.S., all it saw was a mild-mannered photo and video storage app. In other markets where Apple didn't look, the app turned into an evil super anti-hero disseminating streaming content that the user usually had to buy in order to view. Apple did take down "Collect Cards: Store box" after 9to5Mac ran a story on the app, and we hope that Apple has made a change to its app vetting process so that, as The Who once sang, it won't get fooled again.