A multi-million dollar scam has swept across the iPhone App Store, duping users into paying out a fortune every week for virus protection apps which do not work.

Some of the bogus applications, which claim to scan iPhones and rid them of viruses, were caught charging unwitting customers $99.99 (£78.56) every week, earning developers tens of thousands of dollars each month.

Discovered and documented in a Medium blog post by app developer Johnny Lin, an iOS application called 'Mobile Protection :Clean & Security VPN' is backed up by seemingly fake App Store reviews and attempts to sign users up to a $99.99 weekly subscription during the setup of a so-called free trial.

Lin became curious when Apple recently declared it had paid out $70bn to developers in the App Store's lifetime, and that $21bn of that was in the last year alone. This huge spike encouraged Lin to look at the store's own list of the top grossing apps. Number 10 was Mobile Protection, which has since been removed from the store.

"Given the terrible title of this app," Lin writes, "I was sure this was a bug in the rankings algorithm." He looked up the app on Sensor Tower, a website providing data and insights into mobile apps, and found the suspicious app was earning a monthly revenue of $80,000.

Lin found several other apps playing the same trick, and estimates just 10 apps would have had the potential to earn $7.2m in annual revenue. Apple has since shut them down.

'A huge red flag'

Lin continued: "I tap into the app details to see that the developer is 'Ngan Vo Thi Thuy'...so this is a VPN service offered by an independent developer who didn't even both to incorporate a company? That's a huge red flag...a VPN basically routes all your internet traffic through a third party server. So in this case, a random person who couldn't piece together a grammatically correct title, who also didn't bother to incorporate a company, wants access to all your internet traffic."

Next came the "comically terrible" app description and a series of "vague, fake-looking" five-star reviews.

The app then, full of typing errors and vague language, offers up a 'free trial' which users confirm via the iPhone's Touch ID fingerprint scanner. But this doesn't just give them the free trial - it signs them up to a weekly $99.99 subscription, billed through their iTunes and App Store account.

It may seem obvious not to install such an application, but to reach the estimated $80,000 monthly target, the scammer only needs to dupe 200 people into subscribing for a month. The App Store estimates Mobile Protection was downloaded some 50,000 times in April alone. To reach 200 paying subscribers, the app only needs to trick 0.4% of users, Lin reasons.

This app isn't an isolated case, and because the App Store displays ads in paid-for adverts in a similar way to organic search results, developers can shoehorn suspicious, money-grabbing apps right into the spotlight.

Lin explains how unethical developers are abusing Apple's App Store Search Ads platform and "taking advantage of the fact that there's no filtering or approval process for ads, and that ads look almost indistinguishable from real results".

Since Lin's article was published on 9 June, Apple has removed the apps in question from the store. But if you were unfortunate enough to download one and begin an expensive subscription, here is how to cancel all future payments:

  • Within the Settings app go to iTunes & App Store -> Apple ID -> View Apple ID
  • Enter your Apple ID password or press against the Touch ID fingerprint reader when prompted
  • Tap Subscriptions
  • Tap on the subscriptions you want to cancel, then tap Confirm
  • After your current subscription period ends, you will be no longer billed