Beware, iPhone users: Fake retail apps surging before holidays

Hundreds of fake retail and product apps have popped up in Apple’s App Store in recent weeks — just in time to deceive holiday shoppers.

The counterfeiters have masqueraded as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.

The shoe retailer Foot Locker Inc. has three iPhone apps. But that did not stop an entity calling itself Footlocke Sports Co., Ltd. from offering 16 shoe and clothing apps in the App Store.

“We’re seeing a barrage of fake apps,” said Chris Mason, chief executive of Branding Brand, a Pittsburgh company that helps retailers build and maintain apps.

He said his company constantly tracks new shopping apps, and this was the first time it had seen so many counterfeit iPhone apps emerge in a short period of time.

Some of them appeared to be relatively harmless — essentially junk apps that served up annoying pop-up ads, he said.

But there are serious risks to using a fake app. Entering credit card information opens a customer to potential financial fraud. Some fake apps contain malware that can steal personal information or even lock the phone until the user pays a ransom. And some fakes encourage users to log in using their Facebook credentials, potentially exposing sensitive personal information.

The rogue apps, most of which came from developers in China, slipped through Apple’s process for reviewing every app before it is published.

That scrutiny, which Apple markets as an advantage over Google’s less restrictive Android smartphone platform, is supposed to stop any software that is deceitful, that improperly uses another company’s intellectual property or that poses harm to consumers.

In practice, however, Apple focuses more on blocking malicious software and does not routinely examine the thousands of apps submitted to the iTunes store every day to see if they are legitimately associated with the brand names listed on them.

With apps becoming more popular as a way to shop, it is up to brands and developers themselves to watch for fakes and report them, much as they scan for fake websites, said Ben Reubenstein, chief executive of Possible Mobile, a Denver company that makes apps for JetBlue Airways, the PGA Tour and the Pokémon Company, among others.

“It’s important that brands monitor how their name is being used,” he said.

Some counterfeits are more convincing than others.

Jack Lin, who identified himself as the head of Cloaker, said in a phone interview in China that his company provides the back-end technology for thousands of apps but does not investigate its clients.

“We hope that our clients are all official sellers,” he said. “If they are using these brands, we need some kind of authorization, then we will provide services.”

Mr. Lin said Cloaker charged about 20,000 renminbi — about $3,000 — for an app written in English.

But like so many of the apps his company produces, Cloaker is not what it purports to be. Its website is filled with dubious claims, such as the location of its headquarters, which it says is at an address smack in the middle of Facebook’s campus in Menlo Park, Calif.

In the interview, Mr. Lin at first said he had offices only in China and Japan. When asked about the California office, he then claimed to have “tens of employees” at the Facebook address.

China is by far the biggest source of fake apps, according to security experts.

Many of the fake retail apps have red flags signaling that they are not real, such as nonsensical menus written in butchered English, no reviews and no history of previous versions.