One of Apple’s biggest justifications for its complete control over its App Store is quality and security. Through its strict policies and manual review process, it is able to ensure that only safe and legitimate apps become available for users to install with confidence and peace of mind. Once in a while, however, something gets past that scrutiny that seems to throw Apple’s defense out the window. That seems to be the case with Zoshy+, a pirated video streaming app that stayed in the App Store for almost a month by masquerading as a puzzle game.
To be fair, the ratio of potentially harmful apps getting through to the App Store is significantly smaller when you compare it to the Google Play Store. Very few apps do get through, and sometimes those use sophisticated means to deceive reviewers. Then again, Apple uses a manual process whereas Google mostly automates its security, so the media focus is also greater when an app does get past Apple’s scrutiny.
The way the Zoshy+ app evaded detection is both simple and, at the same time, almost genius. The app put up what looks like a legitimate Sudoku interface for the reviewers to test. With nothing else to see in it, those reviewers may have simply let it in.
Unbeknownst to them, however, the app can actually change its interface and behavior via a server-side switch that was only activated after Zoshy+ got into the App Store. After a few seconds of showing the Sudoku UI, it switches to its true form: a surprisingly sophisticated interface for watching pirated videos and movies.
9to5Mac reports that the app has been on the App Store for three weeks and even had reviews that clearly pointed to its illegitimate functionality. It wasn’t until after the report that Zoshy+ was removed from the App Store, but the damage has been done, at least to Apple’s credibility. This incident comes at a time when the company is battling Epic Games in court over its alleged monopolistic practices over the App Store, and its argument for quality and safety may be challenged by anecdotes such as this.
It isn’t known whether the app actually had other malicious actions that directly harmed users. It naturally served ads in exchange for free access but also instructed users to click on links to share the app in order to get rid of those ads. Those actions didn’t do anything, however, and it isn’t known if the app developer was able to do anything with whatever information those clicks provided.