Gambling apps double-crossed the review systems in Google Play and the App Store by posing as policy-abiding apps. After bypassing the verification, the infringing functionality became available to users.
The apps made it into the official Android store in August but survived for a longer time in the iOS repository, as some of them had been rated more than 100,000 times.
Bypassing the review systems
The App Store tightened its restrictions on apps with games that involve real money (lotteries, gaming, charity, digital commerce) and starting September 3, all such apps must include the code for this functionality in the binary, for Apple's review.
Similarly, Google accepts gambling apps in its Android store only in countries where they are legal (UK, France, and Ireland, for the moment).
Despite the restrictions, some developers managed to push apps that featured content that violates the policies of the two stores.
They created apps whose functionality complied with the store requirements, such as weather tracking or entertainment. But the apps came with an API switch feature to control the availability of the illegal content.
The accepted content is only a facade maintained until the app becomes available to users. Once the app makes it to the store, the real content is delivered from a specific URL and loaded in a WebView.
"The app will query the specified address with its app ID. The corresponding response will be Base64 encoded," say the researchers.
Only a valid ID used to query the address would cause the illegal content to load. Otherwise, the app continues with its store-approved functionality on both iOS and Android.
Bypassing the store review processes has multiple stages that start with submitting the normal app to get past the initial review. Once it is in the store, the developer turns off the API and updates the app with a WebView.
This allows it to pass the post-update review and when the new version is in the store, the developer can turn on the API so users get the gambling content.
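A reviewer-side triage heuristic for the pattern described above, as an added example that is not from Trend Micro's research or from the apps themselves: it flags decompiled Android source files that send the app ID out, Base64-decode data, and load a WebView from a value decided at run time. The file names, `http.get` and `CONFIG_HOST` in the sample are constructed for illustration, and the check is narrowed to Android code.

```python
import re

# Signals taken from the behaviour described above: the app queries a remote
# address with its app ID, Base64-decodes the reply, and loads a WebView.
SIGNALS = {
    "sends_app_id": re.compile(r"getPackageName\s*\(|BuildConfig\.APPLICATION_ID"),
    "base64_decode": re.compile(r"Base64\.decode\s*\("),
    # loadUrl whose argument is not a string literal, i.e. chosen at run time
    "dynamic_webview": re.compile(r'\.loadUrl\s*\(\s*(?![\s"])[^)]'),
}

def triage(sources):
    """Return {filename: sorted signal names} for files showing all three signals."""
    flagged = {}
    for name, text in sources.items():
        hits = sorted(k for k, rx in SIGNALS.items() if rx.search(text))
        if len(hits) == len(SIGNALS):
            flagged[name] = hits
    return flagged

# Constructed sample input (not taken from any real app); http.get and
# CONFIG_HOST are hypothetical names.
SAMPLE = {
    "WeatherActivity.java": '''
        WebView help = findViewById(R.id.help);
        help.loadUrl("https://weather.example/help.html");
    ''',
    "ConfigActivity.java": '''
        String id = getPackageName();
        String body = http.get(CONFIG_HOST + "?appid=" + id);
        String target = new String(Base64.decode(body, Base64.DEFAULT));
        if (!target.isEmpty()) { webView.loadUrl(target); }
    ''',
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits)
```

A hit is a prompt for manual review, not a verdict: legitimate apps also fetch remote configuration, so the value lies in the three signals appearing together in an app whose declared purpose needs none of them.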
Some of the offending apps had been available for as long as two years before getting the WebView implant.
The researchers did not see any malicious functionality resulting from these apps and using WebView to load the gambling site is the only improper activity they observed during the research.
Trend Micro believes that the developers actively promoted these apps to rank higher in the App Store. On the Chinese marketplace, the researchers found the fake apps in the top 100 list.
On the surface, the apps' names and descriptions are in tune with one another and do not betray the policy-infringing behavior.
Using specific keywords, Trend Micro was able to find hundreds of apps in disguise in iOS marketplaces for China, the U.S., and Japan. Most of the results, over 500, were in China, where gambling is illegal. A little over 200 were present in the U.S. market.
Both Google and Apple were informed of the apps that violated store policies and removed them from the official repositories.