TestFlight misused to distribute spam / scam / malware builds

Dear TestFlight Team!

I am observing an increasing misuse of TestFlight public and private invites to distribute scam, spam, and potentially malicious builds.

I had already reported this in December last year via Feedback Assistant, but since the malicious behavior has not stopped, I hope that you can forward my bug reports to the right team: FB21379977, FB21845307

In multiple cases, these builds impersonate well-known apps (e.g. ChatGPT, OpenAI, Meta) by changing the app name and icon after an initial TestFlight approval, misleading users into installing software from unrelated developer accounts.

I believe this represents a systemic weakness in the TestFlight review and update flow, enabling targeted phishing or malware distribution outside the App Store review process.

My bug reports have the following attached:

  • TestFlight invitation emails (.eml)
  • Screenshots from TestFlight documenting impersonation behavior

Steps to reproduce

  1. Create a new Apple Developer account.
  2. Upload an initial, benign app (e.g. a calculator) as version 1.0.0 and obtain TestFlight approval.
  3. Upload a second build that:
    • keeps the version number unchanged
    • increases the build number
    • changes the app name to a well-known product (e.g. “ChatGPT”)
    • changes the app icon to match the impersonated product
  4. Invite targeted email addresses to the TestFlight group.
  5. Recipients receive an official TestFlight invite and are prompted to install the impersonating app.

Expected results

  • TestFlight builds that significantly change app identity (name, icon, branding) should:
    • Require additional review, or
    • Be blocked from distribution without re-approval.
  • Developer accounts should not be able to impersonate well-known companies (e.g. “OpenAI Platforms LLC”) without verification.
  • Users should be protected from installing TestFlight builds that materially differ from what was originally reviewed.

Actual results

  • App name and icon can be changed between TestFlight builds without triggering additional review.
  • TestFlight invites can convincingly impersonate trusted brands.
  • Targeted users may reasonably believe they are installing a legitimate beta.
  • This creates a credible vector for:
    • Phishing (credentials, payment details)
    • Data exfiltration
    • Social engineering attacks
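The gate the expected results ask for, written out as an added example (not part of this report and not Apple's code): given the build history of one app, it flags unreviewed builds whose name or icon differs from the last reviewed build of the same version, and builds that carry a protected brand name under an unrelated developer entity. The `Build` record, the brand allowlist and the sample builds are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Build:
    build_number: int
    version: str
    app_name: str
    developer: str       # developer entity shown to testers
    icon_digest: str     # SHA-256 of the icon asset
    reviewed: bool       # whether this build passed a TestFlight review


# Brand names a build may only carry if the account belongs to the listed
# entity; the mapping is constructed for this example.
PROTECTED_BRANDS = {"chatgpt": "OpenAI", "openai": "OpenAI", "meta": "Meta"}


def digest_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identity_change_flags(builds):
    """Return (build_number, reasons) for builds that should not ship without
    re-review: identity changed since the last reviewed build of the same
    version, or a protected brand name used by a non-owner developer."""
    flagged = []
    last_reviewed = {}                       # version -> last reviewed Build
    for b in sorted(builds, key=lambda x: x.build_number):
        base = last_reviewed.get(b.version)
        reasons = []
        if base is not None and not b.reviewed:
            if b.app_name != base.app_name:
                reasons.append(f"name {base.app_name!r} -> {b.app_name!r}")
            if b.icon_digest != base.icon_digest:
                reasons.append("icon changed")
        for brand, owner in PROTECTED_BRANDS.items():
            if brand in b.app_name.lower() and b.developer != owner:
                reasons.append(f"brand {brand!r} used by {b.developer!r}")
        if reasons:
            flagged.append((b.build_number, reasons))
        if b.reviewed:
            last_reviewed[b.version] = b
    return flagged


# Constructed sample: a benign reviewed build, then an unreviewed build with
# the same version number but a new name and icon, as in the steps above.
SAMPLE_BUILDS = [
    Build(1, "1.0.0", "Calculator", "Example Dev LLC", digest_of(b"calc-icon"), True),
    Build(2, "1.0.0", "ChatGPT", "Example Dev LLC", digest_of(b"gpt-icon"), False),
]

if __name__ == "__main__":
    for number, reasons in identity_change_flags(SAMPLE_BUILDS):
        print(f"build {number}: " + "; ".join(reasons))
```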

I did not install the builds to avoid personal risk, but the attached artifacts should allow Apple’s internal teams to reproduce and analyze the behavior safely.

Some more examples:
