Editors Note: This article began with details of one specific app developer hacking iTunes users accounts and purchasing their own apps using those accounts – making it to the top of the iTunes charts. As the story has developed it appears to be far more widespread than just that one particular developer and his apps…the Apple App store is filled with App Farms being used to steal. We’ve put together a complete list of all the facts and updates to this story here which we high recommend you read instead of this article. Apple has also now released a statement about the matter.
Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen.
What’s more concerning is that it seems individuals iTunes accounts have been hacked to make mass purchases of that one developer’s apps. (Update: this does not appear to just be one specific developer nor one particular set of apps any more. Details at the foot of this post.)
One look at a screenshot of some twitter search results above or this MacRumors thread should ring alarm bells – there is a problem. What’s more concerning is that these are only the people reporting it on twitter and forums, plenty would not have.
A screenshot of the books category on iTunes below should illustrate the extent of the problem. How has a developer managed to hack enough iTunes accounts to buy the number of apps required for each to dominate the paid books category on iTunes?
Some users who have had their accounts hacked have left comments on the apps they have supposedly bought complaining that up to $200 has been spent on apps they’d never personally bought themselves. (update: we’ve now heard reports of $600+ spent on some users accounts, more details at the foot of this post)
There are other comments clearly from the app developer himself, giving positive reviews in an attempt to draw attention away from the other comments.
Both the support and company links for the company in iTunes take you to a Home.com URL with nothing but a holding page. Also Google Search results for Thuat Nguyen do not provide any concrete details as to who the individual or company is.
Clearly when one developer completely dominates the ranking in a particular category, other app developers suffer but when it happens by means of hacking end users accounts – it’s a serious concern that leaves everyone involved suffering. Developers don’t get the recognition they deserve, users are being robbed and left with a poor user experience, while Apple is left with a tarnished brand and left with a lot of explaining to do. Why does Apple not have mechanisms in place to detect when previously unpopular apps from the same developer flood the top rankings?
When some apps are left waiting weeks for approval only to be rejected by Apple for minor objections, how does a company with no website, no description and apps that are literally swarming iTunes escape punishment? More importantly, how has someone managed to hack users’ accounts and left many, we can only assume, unaware they’ve been robbed?
What you should do now.
For now, we can only recommend you check your recent purchases, remove your debit card being stored on iTunes and change your password immediately. When we have more recommendations you can be sure you’ll hear from us.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
We’re interviewing a number of people who have had their accounts hacked and used to buy apps. Worryingly they aren’t just apps from this developer.
Reader Jamie Vickery, a UK based iTunes user discovered a number of apps had been bought using his account. This does not appear to be a US specific issue any more.
“I’ve just noticed my iTunes account has been hacked in the past week. Someone has downloaded 8 apps and two songs totalling £61.70. The most expensive being an app called All Match by CharismaIST for £54.99! The other apps seem to be based on photographer like Camera One, Night Shot, Camera Flash Ultra. Surely Apple won’t pay out to these developers. I have changed my password and put in an email complaint to iTunes so we’ll see how it goes.”
More reports. Users in the MacRumors forum claiming their accounts have been hacked and used to purchase apps. Two examples:
“Yesterday my credit union contacted me saying there was suspicious activity on my debit card. Sure enough over 10 transactions in the $40-$50 area all on iTunes equaling to $558”
“I also received a receipt via email on my “Purchases” on 7/2/10. I made the mistake of storing my debit card on the itunesstore app. I have run into the exact same responses that other users are reporting–only email as a method of contact.
That response was to tell me how to change passwords, etc. – stock answers and to also tell me of no refunds. I was an internet technician for years so the iTunes advise was second nature for me but with little hope for “fixing” the issue since I believe that the breach was on the iTunes server.
Thankfully, I carry a smartphone with my email setup on it, so I received the invoice quickly. Most of the 15 purchases where for items that I don’t even own i.e. iphone (I have a blackberry) and ipod (I’m 47 and I still use a radio for my music). I was able to verify the $70.15 charge via mobile banking and immediately called my bank. The transaction was in the processing stage and I think my bank was able to refuse it–I’ll see after the holiday weekend. With my card canceled, the additional $20+ charge was unable to be authorized.
I noticed reading the comments that someone was starting a class action suit, there are enough victims to be able to makeiTunes responsible for this.
I will not take this laying down–I’ve filed a police report and filed a complaint with the Better Business Bureau and if I can afford it–I want to be included in the class action suit if it was started. I am currently trying to figure out how to get the news media notified of this scam. “
A succinct list of facts and updates to this story can be found here.
Apple has now released a statement about the matter.