Children’s iPhone game secretly hid a casino that could only be accessed with special software

US users could only see an endless runner game, but using a VPN revealed the app’s true nature

Adam Smith
Friday 16 April 2021 12:14

A secret casino that disguised itself as a children’s endless runner game managed to slip past Apple’s App Store moderation and onto iPhones.

The “Jungle Runner 2k21” app was spotted by developer Kosta Eleftheriou, who shared screenshots of its subterfuge on Twitter.

If opened by a user in the US, the app would launch a poorly-made infinite runner game. Once Eleftheriou changed his VPN to Turkey and relaunched the app, however, it transformed into a casino that seemingly managed to avoid Apple’s in-app purchase regulations.

John Gruber’s DaringFireball pointed out that the developer was not actually running the app; rather, it showed the casino websites in a web view, and collected user bonuses when people signed up via an embedded affiliate code.

The app “has been on the App Store for a few months, and has even received a couple of updates. The same developer also has another app that does the same thing! It’s impossible to know how much money [the developer has] made from unsuspecting users, but such schemes make bank”, he said.

Developer Colin Malachi was unable to be contacted for comment by The Independent.

As The Verge highlights, Apple’s App Store policies permit gambling apps as long as they are geo-restricted to countries where gambling is allowed by law – which is seemingly why a VPN would reveal the app’s true intentions.

However, it is likely that Apple would not approve of an app that hides as a children’s game in other regions. The company did not provide a comment to The Independent before time of publication.

Both Apple’s App Store payment policies, and their moderation, have recently come into question due to the iPhone giant’s dispute with Epic Games.

Documents revealed as part of the company’s antitrust case quoted Eric Friedman, head of Apple’s Fraud Engineering Algorithms and Risk (Fear) unit, saying that the review process is “more like the pretty lady who greets you ... at the Hawaiian airport than the drug-sniffing dog”. He added that Apple was ill-equipped to “deflect sophisticated attackers”.

In response, Apple claimed that its marketplace is “significantly safer” than Android, and cited data from 2018 showing that the iPhone platform “accounted for just 0.85 per cent of malware infections” compared to Android.

“Targeting games created for children is a worrying step forward, as threat actors attempt to manipulate those who need the most guidance. It is extremely difficult to properly age restrict the apps downloaded and used by children, so it is important for parents and guardians to be aware of what apps are on their children’s phones and what they are used for,” said Jake Moore, Cybersecurity Specialist at ESET.

“Apple has stringent processes when scrutinising apps to look out for malware, but this is a sophisticated attempt in bypassing those restrictions. This particular app may not have been able to manipulate large numbers of users into illicit actions, but it does highlight that even stricter restrictions may be required to monitor what is placed on the App Store under all circumstances.”

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in