A malicious ‘Jungle Run’ app tricked security protections to make it into the Apple App Store, scamming users out of money with a casino-like functionality.
A kids’ game called “Jungle Run” that, until recently, was available in the Apple App store, was secretly a cryptocurrency-funded casino set up to scam people out of money.
Kosta Eleftheriou, who found the scam, is a tech entrepreneur and founder of the Apple Watch keyboard app FlickType who, it’s worth noting, is currently entangled in anti-trust litigation he filed against Apple in March.
He’s also developed a popular cybersecurity side hustle tracking down malicious apps lurking in the iOS store. His latest discovery was that Jungle Run, which was marketed in the App Store as a game for ages 4+, transformed into a crypto-funded casino when he set his VPN to Turkey.
He later discovered that the Jungle Run casino also worked when VPNs were set to Italy and Kazakhstan. He mused on Twitter whether it was available everywhere but the U.S.
“This is a creative method of social engineering to bypass Apple’s technical security controls,” Chris Morales, CISO at Netenrich, said via email. “Simple creative human intelligence beating machine learning. This is the same reason phishing still works and social engineering is the number one technique for attacks, not advanced malware.”
The same developer also had “Magical Forest Puzzle” on the app store, which used the same VPN trick to unlock a different casino.
After Eleftheriou went to the press with the discovery and Gizmodo was able to verify and report that the Jungle Run app was indeed a shady casino posing as a kiddie game, Apple took the app down. But it had already been available for months, Eleftheriou added.
Users Scammed by Approved iOS App Aimed At Kids
Eleftheriou said the Jungle Run reviews included complaints from users that they were scammed out of deposits and payouts.
“It’s impossible to know how much money these scammers have made from unsuspecting users, but such schemes make bank,” Eleftheriou added.
When asked how many of these scam apps he’s uncovered so far, Eleftheriouhe told Threatpost, “A LOT,” adding that he gets a steady flow of tips through an email address he’s set up to get leads.
“At this point, lots of people are tipping me about scams,” he said.
His goal, he told Threatpost, is to convince Apple to “…stop misleading users and developers.”
Apple has not responded to Threatpost’s request for comment.
Pressure is mounting on these marketplaces to ramp up their security screening on apps before they are made available.
“Alternative app stores that focus on security rather than revenue would do a much better job than Apple,” Eleftheriou said. “The iPhone already has enough system-level protections to make this work, and Apple needs to drop the security theater that’s harming consumers every day.”