iOS App 'UVLens' Apparently Hacked, Sends Out Very Inappropriate Notifications [Updated]

An iOS App Store weather app called "UVLens" this morning sent out highly inappropriate pornographic notifications to all of its users, suggesting the app may have been hacked or otherwise compromised in some way.

There are dozens of complaints from users on Twitter who received the notification, which was in no way weather-related and was explicit enough to shock users who received it.

UVLens is a simple app designed to provide hourly UV forecasts for those who are concerned about their sun exposure. It is a general-use app, and it's quite possible that it could have been downloaded by children given its 4+ age rating.

UVLens appears to have sent out the notification to all of its users given the volume of tweets, and one person said that when she tapped the incoming notification, it tried to open a secondary window.

MacRumors was alerted to the issue by editor Mitchel Broussard, who has been using the app for more than a year. Prior to today, the app worked well and sent out no inappropriate content to users. We've never before seen reports of an app sending out notifications like this, so it's rather unusual.

Apple does not appear to have a solid reporting system in place for instances like this, as we discovered after the notifications went out. UVLens has not yet commented on the situation.

There's a "Report a Problem" website for reporting issues with recently purchased iOS apps, but it does not work with older purchased apps that suddenly go rogue. There's no report button in the App Store for individual apps, no option when 3D Touching an app on the Home screen, and no clear support path for alerting Apple about problematic apps.

We have contacted the UVLens developer, and multiple people have been sending complaints on Twitter, so the app may be removed from the App Store or fixed in the near future.

For now, customers who have installed UVLens will likely want to delete the app because it's not clear what's going on or whether there has been a breach of some sort.

Update: UVLens sent out another notification, apologizing for the explicit push notification. The company says that it was not from the UVLens team and is being investigated.

Update 2: UVLens tells MacRumors that a third-party push notification service that it uses was compromised, allowing a spammer to send out inappropriate notifications through the network, including to UVLens users. UVLens says that steps were taken to prevent it from happening again and no app software was compromised.

Top Rated Comments

20 weeks ago

Google just allows anything onto the Play Store... oh, wait...

Hurr durr this very likely isn't in the actual code, but the app servers themselves being hacked and sending out push notifications. The same thing could happen to literally any app.

being ignorant is one thing but trying to **** all over apple because you don't know any better is ridiculous and only people that share that lovely quality will agree with you (looks like they already did)
Rating: 48 Votes
20 weeks ago
Boss: I want our app on the front page of every tech blog by the end of the week.

Marketing team: Hold my beer.
Rating: 24 Votes
20 weeks ago
Ha ha this is hysterical
Rating: 23 Votes
20 weeks ago
Disgruntled employee?
Rating: 17 Votes
20 weeks ago
Google just allows anything onto the Play Store... oh, wait...
Rating: 16 Votes
20 weeks ago
I thought the single ecosystem fanboys said this wasn't possible
Rating: 15 Votes
20 weeks ago
I actually don't care about the news. I just wanted to know what the censored screenshot said :D
Rating: 14 Votes
20 weeks ago
Whoops. Wrong exposure.
Rating: 12 Votes
20 weeks ago

Was the app hacked or the developer? If the users are receiving the texts as the article claims, then it sounds like the developer was hacked and the user IDs they got were stolen.

If the app was hacked, I would expect the user’s contacts to be getting the obscene IMs.

The article says notifications, so likely neither. Probable situation is the developer uses a 3rd party service for managing push notifications, which basically acts as a proxy. Hijack the credentials for one of those services, and you can push arbitrary notifications for an app. It's not, by itself, a security concern, just obnoxious.

What's the last word?

'wet' or similar, I'd guess.
Rating: 11 Votes
20 weeks ago
They just send out a "Sorry for that, we're investigating" notif

But also, horny weather is something I can get into
Rating: 10 Votes
