Shop has 50 million downloads on Google Play and 7 million ratings in Apple's App Store — a reach that attackers are now exploiting by planting fake purchase receipts directly into the app's order history, researchers say.
Gen Digital's findings: fake receipts, callback numbers, and remote-access scams
Security researchers at Gen Digital reported that scammers are inserting counterfeit orders into users' Shop app histories, impersonating brands such as Norton, McAfee, Apple, and PayPal. Each fake receipt includes a phone number the user can call to dispute the charge; the number connects to a fraudster posing as a support agent.
Using social engineering, the fraudsters try to obtain account credentials, payment card information and temporary authentication codes (OTPs). In some cases, victims are persuaded to install software that grants remote access to their devices. Gen Digital notes that placing fraudulent receipts inside the Shop app appears to be more effective than the more typical tactic of sending fraudulent purchase emails — a form of callback phishing — because users inherently trust orders that appear in the app.
How Shop's functionality and popularity aid the scam
The Shop app is a centralized order-tracking and shopping assistant for merchants that use Shopify: it aggregates orders and shipping updates, provides receipts, and offers discovery and purchase options. Gen Digital emphasises that the app's design — showing orders alongside legitimate purchases — makes a fabricated invoice particularly persuasive, especially when a user sees an invoice for a large or alarming charge.
Shop is especially popular in North America, where support and purchasing options are stronger, a usage pattern that likely increases the app's attractiveness to fraudsters seeking high-value targets. The app’s broad adoption — 50 million Google Play downloads and 7 million Apple App Store ratings — creates a large pool of potential victims who may assume a notification inside the app is legitimate.
Delivery channel remains unresolved: email parsing, account association, or order workflows
Gen Digital says Shop can populate order entries from multiple sources, including email parsing, account association, and order workflows. However, the researchers could not confirm which channel the attackers used to get fake receipts into users’ Shop histories. Crucially, Gen Digital found no evidence that Shop, Shopify, or any of the impersonated companies were themselves compromised.
BleepingComputer reached out to Shopify with related questions but had not received a response as of publishing. That unanswered technical question — how the fake receipts are being delivered — is central to containment and remediation, and it remains open in the public record.
What this means for end users, security teams, and Shopify merchants
- End users: If you see a receipt in Shop for an order you didn't place, do not call the number listed in the receipt; instead verify any alleged charge directly with your bank. If you already contacted the scammers and disclosed credentials, reset your account passwords immediately and contact your card issuer to cancel affected cards.
- Security teams and technologists: Gen Digital's finding that in-app fake receipts are more effective than email-based callback phishing highlights a detection gap where trusted application UI elements are abused. The report also cites a Picus whitepaper metric — "Security teams log 54% of successful attacks and alert on just 14%" — underscoring how many intrusions can move through environments with limited detection; teams should account for non-email vectors when modelling phishing and callback scenarios.
- Shopify merchants and platform operators: The presence of convincing counterfeit receipts in a shopping app tied to merchant accounts creates reputational and fraud-management risks. While Gen Digital found no evidence of a platform compromise, merchants and Shopify should monitor order workflows and account-association mechanisms for anomalous entries and coordinate on user notifications and remediation guidance.
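A defensive triage heuristic over order-history entries, scoring the red flags the report describes (a callback number paired with dispute wording, an impersonated brand with no prior order history, an entry that did not come from a checkout, a large charge). This is an added example, not code from Gen Digital, Shopify or the Shop app; the OrderEntry fields, the `source` provenance values, the thresholds and the sample receipts are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Brands Gen Digital reported being impersonated in the counterfeit receipts.
IMPERSONATED_BRANDS = {"norton", "mcafee", "apple", "paypal"}

# North American number in common written forms, e.g. (555) 010-0199 or 555-010-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording that pushes the reader to phone in about a charge.
DISPUTE_RE = re.compile(r"\b(dispute|cancel|refund|charged|unauthori[sz]ed)\b", re.I)


@dataclass
class OrderEntry:
    order_id: str
    merchant: str
    amount_usd: float
    source: str   # assumed provenance tag: "checkout", "email_parse" or "account_link"
    body: str     # receipt text as shown in the order history


def receipt_risk(entry: OrderEntry, known_merchants: set) -> tuple:
    """Score one order entry against the red flags; returns (score, reasons)."""
    reasons = []
    if PHONE_RE.search(entry.body) and DISPUTE_RE.search(entry.body):
        reasons.append("callback number paired with dispute language")
    brand = entry.merchant.lower()
    if brand in IMPERSONATED_BRANDS and brand not in known_merchants:
        reasons.append("impersonated brand with no prior order history")
    if entry.source != "checkout":
        reasons.append(f"entry did not originate from checkout ({entry.source})")
    if entry.amount_usd >= 200:
        reasons.append("large charge used as a pressure lever")
    return len(reasons), reasons


def flag_suspicious(entries, known_merchants, threshold=2):
    """Order ids whose score meets the threshold; one flag alone is too noisy to act on."""
    return [e.order_id for e in entries
            if receipt_risk(e, known_merchants)[0] >= threshold]


# Constructed sample data: one genuine shipping update, one counterfeit receipt.
KNOWN_MERCHANTS = {"acme outdoors"}
SAMPLE_ENTRIES = [
    OrderEntry("ORD-0001", "Acme Outdoors", 42.50, "checkout",
               "Your order has shipped. Track it in the app."),
    OrderEntry("ORD-0002", "Norton", 349.99, "email_parse",
               "You have been charged $349.99 for Norton 360 renewl. "
               "To dispute call (555) 010-0199 within 24 hour."),
]
```

Flagged entries are candidates for review or a user warning, not proof of fraud; a legitimate merchant that prints a support number on a large invoice will also score on two of the four flags.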
Red flags users and investigators should note
Gen Digital observed that many of the fake receipts contain poor grammar, which remains an obvious red flag. But the researchers warn that users can miss spelling and grammar errors when confronted with what appears to be an invoice for a large purchase. The combination of a trusted app interface and a visible dispute phone number is the social-engineering lever the attackers are using to push victims into exposing credentials, payment details or installing remote-access tools.
The central unanswered question — how the counterfeit receipts are being inserted into Shop — will determine next steps for containment and prevention. Until that mechanism is identified, Gen Digital's practical advice for affected users is straightforward: do not trust the phone number on an unexpected Shop receipt, verify charges with your bank, and take rapid action if you have already shared sensitive information.
Read the original BleepingComputer report: https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/