This expert thinks he has found some major security flaws with the MacOS app store

A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.

(Image credit: Brett Jordan / Pexels)

Mac App Store users are at risk of fraud, as scammers find a way to trick the platform into accepting fake apps, an expert has warned.

The fake apps, pretending to replace some of the world’s most popular productivity solutions, are offered for sale on the repository, according to a report by security researcher Alex Kleber.

In his analysis, Kleber claims to have spotted five active Mac App Store accounts, all owned by a single actor, and all distributing fake apps.

False pretenses

These accounts offer apps such as “Work for Google Docs and Drive”, “Calendar for Google Calendar”, “Switcher for Chrome or Safari”, “PDF Editor for Adobe Acrobat”, and similar - all of which look as if they’re coming from official Google or Adobe profiles. The scammers even used original Google and Adobe icons for their solutions, in order to boost the apps’ legitimacy.

Kleber says he has been tracking the fraudster for years, and even reported them to Apple back in 2022, when the company removed seven of their accounts.

“Despite this, the developer managed to return and continue the same activities, spamming multiple developer accounts and using the same techniques to scam MacOS App Store users,” he said. Apparently, they are using multiple accounts to minimize the chances of all of the fraudulent apps being removed in one fell swoop.

“Techniques are employed to deceive users into purchasing applications under the false pretense that they are the original ones,” Kleber concluded. Some of the apps are designed so that the apps can’t even be closed unless the user purchases a subscription.

Briefly discussing how it’s even possible for such apps to make it into the repository, the researcher said the campaign demonstrates “how easy it can be to bypass the Apple Review team.”

TechRadar Pro has reached out to Apple for comments and will update the article when we hear back.

More from TechRadar Pro

Watch out for these fake messaging apps on Android — they could be spying on you
Here's a list of the best firewall software around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.