Apple has responded to reports of iTunes being hacked by confirming that a developer has been removed from the app store.
In a comment published by Engadget, Apple confirmed that developer Thuat Nguyen and his apps were removed from the App Store "for violating the Developer Program License Agreement, including fraudulent purchase patterns". It offered advice for users on data protection and confirmed that developers do not receive any iTunes confidential customer data when an app is downloaded.
Media reports over the weekend mentioned an inexplicable rise in popularity for some apps, with one developer's applications managing to take 42 of the top 50 sales positions in the App Store's "book" category. What also aroused suspicion was that the book apps had been released in April, had little to no customer ratings or reviews and appeared to be in Vietnamese.
Apple spokeswoman Trudy Muller told Associated Press that Nguyen had been banned for violating an Apple licence agreement, including fraudulent purchases, and confirmed that about 400 iTunes users were affected.
Ryan Flores, advanced threats researcher at Trend Micro, commented that it was most likely that individual iTunes user credentials were stolen via phishing attacks.
He said: “What's interesting about this incident is it doesn't involve any malicious app. Instead, it led to the sudden rise in rating of common, unpopular apps in Apple's App Store because stolen iTunes accounts were used to purchase them.
“This is interesting because cyber crime groups have now found a working business model in monetising phished user accounts in Apple's App Store. They've circumvented Apple's ‘strict' app review process by submitting non-malicious apps (doesn't matter if the app is worthless) then used phished iTunes accounts to buy (and make money from) the worthless apps.
“This is an interesting business model: by targeting user accounts, cyber criminals attacked the weakest link in the system (the user), only using Apple's App Store as a platform and the worthless apps as a means to cash in on phished accounts. May this incident serve as a glaring reminder of the importance of our online accounts, especially if our credit and/or debit cards are tied to them.”