Customers are claiming an app downloaded from Apple’s App Store was using their login credentials to make illicit purchases.
Customers complained their Apple IDs and passwords were used to buy in-game items for a Chinese game app, according to a report from The Mainichi Daily News, a Japanese-language daily, on July 25. There were over 50 complaints posted on the page for Mingzhu Sanguo OL, a Chinese-language game, on the App Store.
The game was released on April 23 as a free download on the Japanese version of Apple’s App Store. Victim claims total up to thousands of yen at this time.
“My account was accessed at 3pn on July 4th and this game downloaded items for 1000 yen [$12.78],” a customer “tact_50cc” posted on the game page, according to translations provided by NextWeb. “Someone used my Apple ID and bought some paid items,” another customer “omachu” wrote. Of the 66 ratings the game has received, 63 of them were for 1-star ratings.
There appears to be something more happening than a game just using customer IDs, as some complaints were from customers who claimed to never have installed the app. “2,220 yen disappeared without me knowing – even though I haven’t installed this app,” posted “wankoropotty” on the page.
NextWeb uncovered a comment from a victim posted on the United Kingdom version of the App Store suggesting the attackers were using other means to harvest Apple IDs. “This app was downloaded onto my account after my e-mail was hacked from China,” JMH-1 posted on the site July 12.
This particular game’s attempt to use Apple IDs to buy things without user approval affected mainly users in Japan. There were reports of malicious app developers gaming Apple’s billing system to fraudulently use customer credit cards last year, and it appears this app may be just more of the same.
“We are confirming the details of the situation,” an Apple Japan representative told Mainichi Japan.