If you got a new Amazon Echo device for Christmas and set it up via your iPhone or iPad, you might have a serious problem on your hands.

In the days after Christmas, a fake app for iOS presenting itself as an official Amazon Alexa app climbed the charts on Apple’s App Store. The app, called “Setup for Amazon Alexa,” fooled enough people that it reached No. 60 on the Top Free apps section of the entire App Store. It also made it to the top ten list for Utilities, peaking at No. 6.

Reviews of “Setup for Amazon Alexa” in the App Store complained that the app didn’t work. Many users made it clear in their review that they believed it was an official Amazon iOS app.

The app was finally removed from the App Store late Thursday night.

Created by a company called One World Software, the app asks users to input their IP address and serial number of the Alexa device they’re trying to setup. Thankfully, it appears that the app’s purpose isn’t to steal a user’s personal info, although there are certainly other risks if a bad actor has that kind of information. According to those who tried the app, it seems the malicious developer’s scheme is to keep users engaged in the app for as long as possible to show them ads. 

The developer is also behind other fake apps such as “Marketplace – Buy\Sell,” which presents itself as an official Facebook app.

Apple is well known for its stringent App Store approval process. The company has said it manually approves every app that goes live in the App Store. However, this is far from the first time a sneaky developer has found a way to trick Apple into approving malicious apps. Earlier this month, Apple removed apps from its App Store which tricked users into making in-app purchases via TouchID.

Millions of new Amazon Alexa device owners were potentially targeted by this scammy Alexa setup app. Amazon announced on Wednesday that it had sold millions of Alexa-powered devices, such as the Amazon Echo, this holiday season.

Source: mashable