Wolf in sheep’s clothing
From the moment I let my kids start playing with tablets and smartphones, I required them to check with me before they downloaded an app. One is about to start high school and the other will be a teenager at the end of the year, so I have become much more lax and trust them to be smart (which I shouldn’t) and at least ask me if they aren’t sure about something. Fortunately, as far as I can tell, they haven’t done or downloaded anything stupid, so fingers crossed. But some kids around the world haven’t been as lucky, as it turns out a kids’ game on the Apple App Store magically turns into a scam crypto casino depending on where you are located.
The shocking discovery was made by Kosta Eleftheriou, founder of the Apple Watch keyboard app FlickType and part-time malicious app sleuth. The app in question is called Jungle Runner, available for iOS, right there in the App Store. Marketed to little kids, the game is just a simple, piece-of-crap, side-scrolling running game where you are a monkey who collects coins while avoiding obstacles. And when I say piece of crap, I mean it is far worse than even the shittiest “runner” game you have ever played. My 12-year-old has taught himself to make better games than this and all of his are just in the “let’s see if I can figure out how to make this thing move and shoot” phase.
But the point of Jungle Runner isn’t to be a good game. When Eleftheriou turned on his VPN to make it look like he was in Turkey, the app was no longer a kids’ game, but rather a cryptocurrency casino touting deposit bonuses.
App gets around App Store security
Eleftheriou found that the same thing happened if he tried other countries with his VPN, such as Italy and Kazakhstan. Of course, the casino face of Jungle Runner is an unlicensed online casino and would not normally be permitted in the App Store, but it seems that the developer got around this by not connecting the casino to Apple’s in-app purchase (IAP) system. The casino seems to just run in a web browser, but it gets on people’s phones and tablets via the Jungle Runner game.
Negative reviewers of the app complain that they deposited money because they were promised a bonus, but never received their funds. That shouldn’t be surprising – the casino is almost certainly a complete scam.
Gizmodo posted a video to show what it looks like when someone tries the Jungle Runner app from Turkey (or a VPN version of Turkey).
“This is a creative method of social engineering to bypass Apple’s technical security controls,” Chris Morales, CISO at Netenrich, told Threatpost. “Simple creative human intelligence beating machine learning. This is the same reason phishing still works and social engineering is the number one technique for attacks, not advanced malware.”
After Eleftheriou posted about his findings on Twitter, Apple finally took the app down. The same developer also had “Magical Forest Puzzle” in the App Store, which leads users to the same crypto casino.