A kids’ game called Jungle Run, which masqueraded as a “fun running game”, may have been a front for an illicit cryptocurrency-funded casino designed to scam its users out of their hard-earned money.
That’s according to security researcher Kosta Eleftheriou, who stumbled upon the scam that hoodwinked the Apple App Store’s security filters and was cynically targeted towards children aged as young as four.
- Best GPS trackers for kids: Keep track of the little ones at all times
- The best (and worst) antivirus software for parents
- Plus: Best parental control apps
Jungle Run, which has now disappeared from the App Store, looks innocent enough unless you access the game using a Turkish, Italian or Kazakh IP address.
Instead of being greeted by an innocuous monkey marauding through the jungle, the game launches into an online casino. The casino is completely separate from the original Jungle Run game and is obviously not meant for children.
This @AppStore app pretends to be a silly platformer game for children 4+, but if I set my VPN to Turkey and relaunch it becomes an online casino that doesn’t even use Apple’s IAP.🤯 pic.twitter.com/crnOOF0pNiApril 15, 2021
This is no Goodfellas-inspired illicit gambling den, lacking any morsel of wiseguy movie charm. Instead the web-based casiono asks you to fund your online wallet with cryptocurrencies, said Eleftheriou.
There’s even an option for cold hard cash, because these scammers aren’t too fussy when it comes to taking your money. It's certainly an inventive method to bypass Apple's stringent security checks, but it's by no means novel in its approach.
Gizmodo reporter John Biggs, who earlier reported this story, confirmed that Jungle Run did indeed turn into a gambling app when he changed his geographic location using a VPN.
Security website Threatpost cites Chris Morales, CISO at Netenrich, who discussed the scammers' tactics in an email to them.
Morales said this was a case of "simple creative human intelligence beating machine learning. This is the same reason phishing still works and social engineering is the number one technique for attacks, not advanced malware.”
iOS App aimed at kids steals cash and crypto
Morales acknowledges that Jungle Run has attracted swathes of complaints from users who were tricked by the interface, but this app is only the tip of the proverbial iceberg.
Eleftheriou told Threatpost that he gets a "steady flow of tips through an email address he's set up to get leads."
This sort of social engineering is something Eleftheriou wishes to tackle head-on, stopping nefarious users cashing in off these exploits. He also hopes it will deter Apple from "misleading users and developers" with claims that the App Store is a safe haven to download and produce apps without the threat of these kinds of scams.
Eleftheriou has a pending lawsuit against Apple accusing it of "fraudulent and unfair practices" and permitting dodgy iPhone apps to crowd out legitimate developers.
A cautious approach to apps
Anyone who ended up depositing money into Jungle Run may have been quickly scammed out of deposits and payouts, Eleftheriou said, judging by user comments posted on the app's App Store page, which has since been taken down.
If so, they would have joined many other victims who've fallen prey to scam apps hitting the Apple App Store.
The fact the swindlers were happy to take cash payments alongside more privacy-focused cryptocurrency shows the nerve with which they operate.
The ease with which the scammers got through Apple's defenses speaks to the threat that can lurk within seemingly innocent apps, as well as the wider rot coursing through the Apple App Store. That includes so-called fleeceware apps that have overrun iOS and Android app markets.
Make sure to be cautious of all apps, unless explicitly well-known. Ultimately, any apps from unknown developers shouldn't be downloaded, especially not until there are more rigorous safeguards that can stop these exploits. That halcyon place, however, seems a while away for now.
More: Best iOS apps