[HN Gopher] Scammed by the top result for 'Bitcoin wallet' in Ap...
___________________________________________________________________
Scammed by the top result for 'Bitcoin wallet' in Apple App Store
Earlier today I decided to switch my Android for an iPhone. After
moving all my apps I decided to make the jump and move my bitcoin
from the android wallet. I searched for 'bitcoin wallet' on the
Apple App Store, installed the first app I saw (as far as I could
tell, looks legit), transferred bitcoin, and it immediately got
sent off. Turns out this app was previously reported at least 12
days ago as a scam
( https://www.reddit.com/r/Bitcoin/comments/1b3q5wr/fake_wallet_on_apple_app_store/ )
but it's still up there, #1 search result. I get that I've failed to
vet the app but honestly,
how does a scam app become the #1 organic search result (not
promoted) in the app store, topping binance, blockchain.com, and
coinbase? EDIT: linking to a screen recording that includes this
post and comments of no repro: Before removing the app -
https://streamable.com/q2mulu After removing the app -
https://streamable.com/y5nhy7
Author : habeanf
Score : 49 points
Date : 2024-03-12 21:36 UTC (1 hours ago)
| roflchoppa wrote:
| It's crazy that you can leave reviews from within the App Store,
| nor can you report it to Apple from within the App Store.
| habeanf wrote:
| You're right, and I've done both. My review doesn't appear in
| the list of reviews.
|
| What's crazy is that a scam app is the #1 organic search result
| for 'bitcoin wallet', above blockchain.com and coinbase.
| saalweachter wrote:
| (1) How much more valuable do you think it is to the scam app
| developer to appear at the top of the search results than for
| a legitimate wallet developer?
|
| (2) Do you think a legitimate wallet app will engage in the
| same black-hat SEO tactics a scam app developer will?
| openthc wrote:
| I thought the Apple platform had the best consumer experience and
| that's why folk love it -- it "just works" -- cause they keep the
| riff-raff out of their gated community.
|
| Perhaps they let this one slip through because their team was too
| busy dragging out the review process for our cannabis compliance
| application, they can only afford so many reviewers after all. We
| wouldn't want children accidentally getting their hands on
| regulatory compliance data for deadly deadly cannabis. (which
| could happen with our application, after they had signed up and
| verified their agency cannabis license (which only takes many
| months/years and $$$$$s to get))
| andrei_says_ wrote:
| It did - before cheapo enshittification started creeping in. I
| believe some time ago I saw some research on the quality of App
| Store app review process ... zero protection.
|
| But, even at this stage, Apple is still "the best", because of
| the slower pace of the corruption and in comparison to the
| toxic dumpster fire of the alternatives.
|
| Android and Windows are spyware/malware masquerading as OSs.
| refulgentis wrote:
| This is incorrect unless you're shifting topics to whether we
| trust MS, Apple, or Google's data collection more.
| pie420 wrote:
| Apple's app store is way worse than the google play store. I was
| shocked at how bad the app store is with shitty ads and
| promoted content over organic search results.
| KomoD wrote:
| > does a scam app become the #1 organic search result (not
| promoted) in the app store
|
| It's possible that it's just because it was literally called
| "Bitcoin Wallet", an exact match for your search, or boosted by
| fake reviews, or it was actually an ad that you didn't notice.
| Though it shouldn't have gotten past review at all
|
| But I don't really understand why you'd blindly trust some random
| app?
|
| Also, would be interesting to take a look at the app, sadly know
| nothing about ios apps or how to get the IPA, only android.
| habeanf wrote:
| You're right, I shouldn't trust a random app. Also, it's pretty
| much my first serious foray into Apple land. I trusted Apple's
| search results. There are multiple apps, far more mature and
| backed by serious developers, that would also match the phrase
| "Bitcoin Wallet".
|
| The question is why is the scam app the #1 organic search
| result? For a new app with such scammy reviews and questionable
| metadata I would expect it to be #30 in the list. For context,
| the app store reports the scam app as #85 in all finance apps.
| yosef123 wrote:
| So much for Apple "security"
| fingerlocks wrote:
| No repro. Same search string gives me the Bitcoin.com and the
| Coinbase app at the top. Scrolled through several dozen wallet
| apps and the one in the Reddit link never surfaced.
| habeanf wrote:
| I just took a screenshot of the app store about an hour ago:
| https://pasteboard.co/bZ7qQvAzYggy.png
| fingerlocks wrote:
| Yeah, at the top because you already have it downloaded
| habeanf wrote:
| Fair enough. I removed it and recorded the screen again:
| https://streamable.com/y5nhy7
| habeanf wrote:
| Here is a screen recording including this hacker news post +
| your comment and a switch to the app store with the search
| phrase. The first result is the scam app. I scrolled down so
| you can see where serious apps are in the list of results.
| https://streamable.com/q2mulu
| blibble wrote:
| I don't think I've ever searched for something on the app store
| and not got a scam as the first result
|
| just tried it:
| - my bank? I get crypto.com
| - train company app? knockoff app that charges extra fees
| - my broker? CFD gambling app
| - official government app for paying my tax? intuit product
|
| I dare to think how many people this lures in
|
| scammy ads plastered everywhere is what I'd expect from Google
| products
|
| not for the Apple equivalent that commands a significant price
| premium
| habeanf wrote:
| In hindsight, this is quite obvious. Coming from years of using
| Google Pixels I just got used to trusting the search results.
| I've never hit a fraudulent app when searching in the Play
| Store. I trusted apple that at least the top 5 results would be
| legit. EDIT: added the word 'top' at the end
| RulerOf wrote:
| This has been a very noticeable problem to me for some time.
|
| I won't search the App Store anymore. I go to the web site for
| the app I want and get the App Store link that way.
|
| I wish the App Store listings would specify the domain of the
| entity they come from in plain text, backed by a validation
| method similar to what we do for TLS certs.
| echoangle wrote:
| Can you share some search terms you tried? I never had this
| problem, but I'm also not in the US so it might be different
| here
| pushcx wrote:
| Pretty much every brand or app I search for finds a
| competitor first. Searching for "robinhood" turns up an
| unaffiliated cryptocurrency app and "macrofactor" turns up a
| competing diet app, etc. App store search has been broken for
| at least a few years.
| kylecazar wrote:
| Especially given they use enhanced security as an excuse so
| often
| echelon_musk wrote:
| Why did you have to transfer bitcoin? Surely you would just load
| your private key into the app unless I'm missing something.
| habeanf wrote:
| Honestly, I got lazy, and that's on me. I was using the
| standard bitcoin wallet app on android. It did seem weird that I
| couldn't restore the wallet I backed up in the android app, but
| the android app's github doesn't point to an app store app, so I
| figured there just isn't one and the android app's backup format
| is something detached.
|
| Then I figured a legit apple app could generate a wallet and I
| could transfer the bitcoin between them. Which is what I did.
| The apple app indeed received it and promptly sent it off
| somewhere else. What's even crazier is that the apple app shows
| this info! You'd expect the scammer to hide the scam but I
| suppose it just made it easier to pass the app store
| inspection.
| tapland wrote:
| What was the justification for the app store ecosystem?
| Shosty123 wrote:
| That's actually quite worrisome. I don't really think twice about
| downloading the top result for things like PayPal or local
| banking apps if I get a new phone, for example.
| ilamont wrote:
| Promoted results in Google are loaded with scams. According to
| one recent report, 75% of brands are affected
| (https://searchengineland.com/google-search-ads-brands-
| fraud-...):
|
| _The researchers who conducted the report found that retail
| giants such as Amazon, American Airlines, Lego, Pizza Hut, and
| Samsung were all victims of identity fraud within Google Search
| Ads._
|
| Here's a Google SERP for "Facebook" which shows Facebook as the
| URL, redirects to an Apple security scam:
| https://youtube.com/shorts/gTEuqXYAp58?si=lzFV9mfX31_8nzd1
|
| Google even vouches for the advertiser:
|
| https://twitter.com/leanmediaorg/status/1724467969344905534/...
| habeanf wrote:
| It wasn't a promoted result, it's an organic search result, and
| it's still there!
| klabb3 wrote:
| That's insane, and news worthy. Imagine non-techies just trying
| to go about their day and getting that.
|
| But hold on a sec. Is this verified by others? The guy in the
| video cuts to a screenshot, which doesn't show the resulting
| url or how he got there, so it's hard to tell what happened.
| ilamont wrote:
| Two versions of the video. This one shows the click:
| https://youtube.com/shorts/dXZQMkPJkXg?si=hsL8fUirHZj3DMG5
| swatcoder wrote:
| When I perform your search, I get legitimate results at the top,
| and I don't see the _specific_ app from the Reddit thread. But
| at about rank #7, I see an app that uses a distorted form
| of the same logo, a different unfamiliar publisher, a slightly
| altered title and a similar smattering of only a few reviews.
|
| It sounds like somebody is burning developer accounts to keep
| reposting the scam app. Not unlike people being banned from a
| website and then resubscribing with a different email or through
| a VPN or whatever. It slipping through into your results isn't so
| much plain neglect as it is an arms race that Apple is on the
| losing side of this time.
|
| Robust algorithmic ranking and moderation at scale is a myth,
| though, and you can find this happen pretty much everywhere. This
| one will probably get squashed with some near-term update to
| their algorithm, and then get compromised again sometime later
| since crypto is so ripe for scamming.
|
| You can't escape personal due diligence and "it was top ranked!"
| has never been that.
___________________________________________________________________
(page generated 2024-03-12 23:00 UTC)