A company that makes an email app that helps users encrypt their emails paid for fake reviews in an attempt to get more people to download its products, according to leaked emails obtained by Motherboard.
The CEO of pEp, a Luxembourg-based company that makes the pEp email encryption apps for Android and iOS, commissioned a marketing company in the summer of last year to post fake reviews that he himself had written. Leon Schumacher asked the marketing company Mobiaso to post 40 five-star reviews in English, French, and German to the Google Play Store. Schumacher included an Excel spreadsheet that contained the specific text that he wanted Mobiaso to use.
"Super easy privacy," one fake review said. "One of the best mail applications. I have never had problems and I suggest it all the time to friends," another said.
"Can we speed up today and do 12 ratings per day do 7 reviews per day (Please use the Texts below for the right countries (that I forwarded already per earlier e-mail)," Schumacher wrote in an email to Mobiaso.
pEp, short for Pretty Easy Privacy, develops email encryption apps for both iOS and Android, where it has more than 10,000 installs, according to the stats on the Google Play Store. The company, through its foundation, also funded a new library to encrypt emails using PGP, the decades-old technology that allows users to encrypt emails and other files.
Mobiaso advertises "iOS reviews" and "Android installs" on its website. One of the services the company offers is App Store Optimization, or ASO, which includes fake reviews. The service has several price tiers, ranging from $160 to $450. Only the two most expensive tiers include fake reviews.
"Each app developer/advertiser should remember that without a good ASO search optimization, your target audience wouldn’t even find or open your app page," Mobiaso says.
Mobiaso did not respond to a request for comment.
Several reviews included in the leaked emails appear verbatim on the Google Play Store page of pEp's app, and were posted on June 28, 2020, a day after Schumacher sent the email to Mobiaso. pEp even made the app free for a week to make it easier for Mobiaso to post the fake reviews, according to the emails.
Schumacher told Motherboard that he purchased 50 fake reviews for $325, but only 20 were actually posted.
"I made this mistake. It was recommended to me to try ASO [App Store Optimization] and so I did a trial run. I thought I had to try. I should not have. It did not work as advertised. That is why I stopped it before completion of the trial list," Schumacher told Motherboard in an email. "I forgot to ask how to remove the posted entries."
In his conversations with Mobiaso over July and August of last year, Schumacher did not seem to regret the decision yet.
"I am back so that we can finish the last order and I want to add a new order. The app will be free again on the 30th of July," he wrote in another email.
Do you, or did you used to, work at pEp? Do you know about the company's operations? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at firstname.lastname@example.org, or email email@example.com.
Initially, when Motherboard first reached out to pEp, Volker Birk, the company's co-founder and CTO, said he was not aware of the fake reviews.
"pEp security does not want fake reviews but real ones," Birk wrote in an email.
Before Schumacher told us he bought the fake reviews, Motherboard confirmed the authenticity of the leaked emails by verifying their DKIM signatures. A DKIM signature is a cryptographic signature that the sending domain's mail server adds to a message's headers; anyone holding the domain's published public key can check that the message was really sent through that domain and that the signed headers and body were not altered after signing.
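As an added illustration of the kind of check described above (this is example code written for this page, not Motherboard's or pEp's, and the message it verifies is a constructed sample rather than one of the leaked emails), the following Python implements the body-hash half of DKIM verification from RFC 6376: it parses the DKIM-Signature header tags, canonicalizes the body in "simple" or "relaxed" mode, recomputes the body hash and compares it to the signature's bh= tag. The b= tag, which is the RSA signature over the canonicalized headers and bh= value, is left as a placeholder here because checking it needs the signer's public key fetched from DNS; the hostnames, selector and body text are all assumed for the example.

```python
import base64
import hashlib
import hmac
import re

# Hash functions named by the a= tag of a DKIM-Signature header.
HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1, "ed25519-sha256": hashlib.sha256}


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Apply RFC 6376 section 3.4.3 ("simple") or 3.4.4 ("relaxed") body canonicalization."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    # Normalise line endings so bare-LF input is handled the same as CRLF.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP and drop trailing whitespace on each line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to nothing (relaxed) or a single CRLF (simple).
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def compute_body_hash(body: bytes, mode: str, algorithm: str = "rsa-sha256", length=None) -> str:
    """Return the base64 body hash (the bh= value) for the given canonicalization and algorithm."""
    canon = canonicalize_body(body, mode)
    if length is not None:
        # The l= tag limits the hash to a prefix of the body; anything appended after it is
        # unsigned, which is why l= is best treated as a red flag rather than honoured silently.
        canon = canon[:length]
    return base64.b64encode(HASHES[algorithm](canon).digest()).decode()


def parse_tags(value: str) -> dict:
    """Parse 'k=v; k=v' tag lists; folding whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def split_message(raw: bytes):
    """Split a raw RFC 5322 message into (lowercased name, value) headers and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no header/body separator")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # join folded continuation lines
    headers = []
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def verify_body_hash(raw: bytes) -> bool:
    """True if the message body still matches the bh= tag of its DKIM-Signature header."""
    headers, body = split_message(raw)
    sig = next((parse_tags(v.decode()) for n, v in headers if n == b"dkim-signature"), None)
    if sig is None or "bh" not in sig:
        return False
    canon = sig.get("c", "simple/simple")          # c=header/body, body defaults to simple
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    length = int(sig["l"]) if "l" in sig else None
    expected = compute_body_hash(body, body_mode, sig.get("a", "rsa-sha256"), length)
    return hmac.compare_digest(expected, sig["bh"])


# Constructed sample body (not a leaked email); trailing spaces and blank lines are
# deliberate so the relaxed canonicalization has something to normalise.
SAMPLE_BODY = b"Hello,\r\n\r\nPlease post the 40 reviews   \r\nusing the texts I sent.\r\n\r\n\r\n"


def build_sample(body: bytes = SAMPLE_BODY) -> bytes:
    """Assemble a sample message whose bh= is computed the way a signer would; b= is a placeholder."""
    bh = compute_body_hash(body, "relaxed").encode()
    return (b"From: sender@example.com\r\n"
            b"To: recipient@example.com\r\n"
            b"Subject: Test\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b"\ts=selector1; h=from:to:subject; bh=" + bh + b";\r\n"
            b"\tb=PLACEHOLDER\r\n"
            b"\r\n" + body)


if __name__ == "__main__":
    msg = build_sample()
    print("intact message:", verify_body_hash(msg))
    print("edited body:   ", verify_body_hash(msg.replace(b"40 reviews", b"4 reviews")))
```

Whitespace-only changes such as a mail relay rewrapping a line survive the relaxed check, while any change to the words does not; that is the property that let the body text of a leaked message be tied to its signature. A full verification additionally fetches the `selector1._domainkey.example.com` TXT record, rebuilds the signed header block listed in `h=` and checks `b=` against it with the published key.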
The emails shed light on the market for fake app reviews, and show that a company whose entire business model relies on trust tried to get a head start with fake reviews.
"That's certainly a novel approach to 'zero trust,'" Eva Galperin, the Electronic Frontier Foundation's director of cybersecurity, told Motherboard in an online chat. "I wouldn't trust them."
Michał "rysiek" Woźniak, information security officer at ISNIC, the organization that manages Iceland's country-code top-level domain, also condemned the company's actions.
"pEp's conduct is inexcusable, in no small part because it could be misused by bad faith actors to tarnish reputations of other free-software projects," Woźniak said in an online chat. "I have not used pEp's products, but I have and continue to use independent free-software projects pEp has sponsored. These independent projects remain trustworthy, and along with other free-software projects are helping to build a safer and more equitable digital society."