App Store Fraud: Apple stopped $2 billion in fraud, killed 282 million accounts, rejected 1.7 million apps
Apple says it deleted 282 million fraudulent customer accounts, 428,000 fraudulent developer accounts, and blocked more than $2 billion in fraudulent transactions in 2022. That’s a new record: up from the $1.5 billion in app store fraud Apple says it blocked in 2021.
App store fraud can take a lot of forms.
Fake apps from scammy developers can have fake users who generate fake activity to earn money from ad placements. Other fake apps might have more nefarious purposes, such as stealing people’s personal information. Most app store fraud that Apple’s referring to here, however, is in-app purchase fraud, which can take the form of using stolen credit cards to make fraudulent purchases. Alternatively, bad actor apps can employ deceptive tactics to trick users into “buying” items they never intended to, including expensive subscriptions that keep charging credit cards every month.
Apple says that for payment and credit card fraud alone, it blocked:
- 3.9 million stolen credit cards
- 714,000 accounts
- $2.1 billion in potentially fraudulent transactions
Legitimate app developers and publishers, of course, care deeply that the App Store — and Google Play on the Android side — is seen as a safe place to buy things. They also care that criminals don’t use their apps for money laundering.
(Think building up a massively powerful Clash of Clans account through IAPs, then selling the account. Or booking fake stays at fake Airbnb homes.)
App Store fraud: 1.7 million app submissions rejected
In the mobile community it’s common to hear about legitimate app publishers who have trouble getting their apps published, and there are real concerns here. But we don’t often hear about the positive side of the App Store submission process, which is exactly what keeps a massive amount of fraud and danger off people’s iPhones.
Apple says its teams review 100,000 app submissions a week, which means much of the review must be automated. In 2022, 1.7 million apps were rejected.
Some of these were legitimately dangerous:
“In more than one case this year, App Review caught apps using malicious code with the potential to steal users’ credentials from third-party services,” Apple says. “In other instances, the App Review team identified several apps that disguised themselves as innocuous financial management platforms but had the capability to morph into another app.”
Apple removed almost 24,000 apps for bait-and-switch tactics last year.
Another 153,000 were copycat or spam apps, and another 29,000 contained hidden or undocumented features, Apple says. Once one app from a developer account is found to be fraudulent, all apps from that account are removed, and Apple says it terminated 428,000 developer apps in 2022.
Interestingly, Apple says it also blocked apps from third-party app stores:
“In 2022, Apple protected users from nearly 57,000 untrustworthy apps from illegitimate storefronts, which do not have the same built-in privacy and security protections as the App Store. These unauthorized marketplaces distribute harmful software that can imitate popular apps or alter them without the consent of their developers.”
Another avenue fraudsters use is the Apple Developer Enterprise Program, designed so that companies and organizations can build and distribute their own apps internally without having to use the App Store. Apple blocked 3.9 million attempts to install or launch apps using this vector in the last 30 days alone, the company says.
Multiply that over the course of an entire year, and that’s almost 50 million attempted app installs.
1 billion ratings and reviews checked
Apple also says it reviewed more than 1 billion ratings and reviews for potential fraud, and deleted more than 147 million.
Review fraud can punish or elevate an app: competitors can review-bomb a game with negative reviews, for instance, or publishers can pay for fake positive reviews for their own apps.
App Store and Google Play in 2025
As we move into a changing reality for app distribution that the EU’s Digital Markets Act will likely force, it’s important to remember that along with the good — more freedom for app publishers and a greater ability to monetize how and where they wish — there will inevitably come some bad.
Apple’s job is to convince consumers in the coming years that sticking to the App Store for all their apps and all their in-app purchases is the safest way for them to avoid becoming victims of fraud, and data dumps on fraudulent activities like this are one way it is doing so.
The fact that this is, of course, in Apple’s financial interest does not mean that they’re wrong.
Which means that as app developers and marketers acquire the ability to take different paths to monetize, they’ll have to carefully judge consumer sentiment before making significant moves around decoupling from Apple’s distribution and payment infrastructure. It’s entirely possible that app publishers could earn less from their apps despite taking a larger share of user/player/customer payments than under the traditional 70/30 App Store model.
And if third-party app stores and Play stores proliferate, there’s additional opportunity for scammers to reverse-engineer apps, copycat them, and profit.
The mobile ecosystem is going to get more complex: that’s the one thing we can know for sure.