Dozens of apps for companies put under sanctions by the U.S. government have remained available in app stores maintained by Apple and Google, a violation of the law according to legal experts.
The apps are associated with accused malefactors including Russian banks blacklisted after the 2022 invasion of Ukraine, a Chinese construction company in repressive Xinjiang and a Houthi-linked bank in Yemen.
The organizations and individuals are on the Treasury Department’s roster of Specially Designated Nationals, a designation that prohibits American companies from doing business with them. The Tech Transparency Project, a nonprofit advocacy group, assembled the list of apps using automated searches and confirmed the results manually. TTP shared it in advance of publicationwith The Washington Post, which confirmed most of the findings.
“Apple and Google promise their users a safe and trusted place to find applications for their devices, but both companies’ failure to identify clearly sanctioned entities raises questions about how these companies vet the apps in their stores,” TTP Director Katie Paul said.
Sanctions efforts backed by multiple laws are one of the most significant means of punishing foreign entities for human rights abuses or actions against U.S. policy, officials said. Such actions have helped isolate Russian banks and elites from the international financial system to the point that reversing those sanctions has become a top goal of the Russian government.
But as financial apps and cryptocurrencies have made anonymous and semi-anonymous payments routine, sanctions have become more difficult to enforce.
For consumers, the proliferation of such apps makes it hard to discern who is behind them and whether an ordinary tool may be serving criminals or spies.
“It’s absolutely something that should be of greater concern. Especially given some of the financial implications,” said Joshua Hodges, who sits on the 12-member U.S.-China Economic and Security Review Commission, referring to sanctioned entities using apps to avoid restrictions on receiving money.
Google, which TTP said had 18 problematic apps, took down all but one after being contacted by The Post. Those removed by Google included apps for the Russian government-owned Gazprombank, which was sanctioned a year ago for being used to buy weapons and pay soldiers fighting in Ukraine.
“Google is committed to compliance with applicable sanctions and trade compliance laws and enforces related policies under our Terms of Service,” Google spokesman Dan Jackson wrote in a statement. “If we find that an account violates our Terms of Service, we take appropriate action.”
TTP said Apple had 52 improper apps, though 17 were removed during TTP’s research period. The company took down 18 more after being contacted. Apple said it did not agree that all were hosted in violation of sanctions. The company added that it appreciated TTP’s research and is strengthening its review process.
Apple dropped hosting apps tracing back to Xinjiang Production and Construction Corps., which Treasury ties to the Chinese Communist Party secretary for the restive region. According to the sanctions announcement from Trump’s first term, that secretary has wielded authority over XPCC and set up a “comprehensive surveillance, detention, and indoctrination program targeting [ethnic and religious minority] Uyghurs.” XPCC did not respond to an email seeking comment.
Unless waivers are granted, the sanctions prohibit all U.S. transactions “that involve any property or interests in property” of designated people or organizations, including “contribution or provision of funds, goods, or services” that benefit them, according to the Treasury Department.
Apple removed others serving Russia’s National Standard Bank Joint Stock Company, which was sanctioned alongside Gazprombank for playing a significant role in the country’s financial network.
Some of the apps have names that vary slightly from those on the Treasury list, for example by adding the Russian corporate abbreviation OOO, TTP found. Others named developers who were not on the sanctions list but used a sanctioned name elsewhere, such as in their privacy policy.
The Treasury Department said it could not comment on specific allegations. “We regularly monitor all of our sanctions programs and take sanctions violations extremely seriously,” a Treasury spokeswoman said. “Technology companies should be aware of U.S. sanctions and understand their compliance risks, conducting due diligence where appropriate.”
This is a time of heightened scrutiny of Chinese technology, out of concern that tech company access to sensitive personal data — through apps, routing internet traffic or other means — could be weaponized against the public. Chinese laws require companies operating there to cooperate with intelligence agency requests, national security experts say. They said the Chinese companies could even be compelled to push out software updates that could change the way the devices function, though no malicious updates have been detected and disclosed so far.
Congress under President Joe Biden passed a law to force TikTok’s divestiture from Chinese corporate ownership, citing national security concerns. Commerce Department officials won interagency approval to ban the most popular U.S. home routers on national security grounds because they are made by TP-Link Systems, a historically Chinese company now based in California. The company has said a ban would be unfair and unnecessary. That proposal and other potential product bans have stalled on the desks of department leaders during tense trade negotiations between the countries.
In the meantime developers behind apps, including many in China, frequently change the names of their companies and products, making enforcement and informed consumer decisions harder, Hodges said. He said the technique illustrates a broader problem, in which some companies are singled out by one name but then morph, and it takes too long for companies and U.S. officials to catch up.
Apple is at greater risk of enforcement proceedings, according to legal experts, because it agreed in 2019 to do a better job of catching sanctioned entities with apps that have minor changes in their names.
In November 2019, Treasury announced that Apple had sent payments from App Store sales over two years to a Slovenian company that had been sanctioned for its ties to a major provider of illegal drugs.
The department found that Apple had the company listed in its records as SIS DOO, while it had been banned by Treasury under the name SIS d.o.o., with the Slovenian business suffix.
Treasury could have fined Apple more than $70 million at the time under the relevant statutes, but said it accepted a settlement of less than $1 million because Apple had self-reported, had not had a violation in the preceding five years, and promised to revamp its sanction search tools “to fully capture spelling and capitalization variations and to account for country-specific business suffixes.”
Apple declined to comment on that history. But lawyers said the revamp has not been foolproof, which may set Apple up for tougher scrutiny.
Both Apple and Google have argued in antitrust suits that the consumer protection they provide by vetting apps outweigh the competitive harm from limiting outside distribution.
But both have come under fire for allowing and profiting from apps that defraud customers, as well as others carrying national security risks.
A recurring issue in both of those categories has been the large volume of virtual private network apps, many of which obscure where they are based and change their names, making research on them more complicated, security experts and consumer advocates say.
VPN usage is rising as more countries and U.S. states set age restrictions on social media sites, although consumer advocates say many brands are deceptive and share user data with advertisers or governments.
The Post reported in 2023 that some of the most downloaded VPN apps have hidden ties to China.
This past April, Tech Transparency Project said that the Singapore company behind one popular app, Turbo VPN, had been acquired years ago by Chinese security company Qihoo 360, which the U.S. government identifies as a military firm. The Singapore company, Innovative Connecting Pte, did not respond to a phone call seeking comment.
Seven senators wrote to Apple and Google in July asking why the Chinese VPNs remain on their stores.
The post Blacklisted foreign companies persist in app stores, defying U.S. sanctions appeared first on Washington Post.
