Apple iPhone users are being warned to check their devices against a list of malicious apps disclosed in a new report. The exposure of such dangers on Google’s Play Store has become a theme this year, with apps laced with adware, subscription fraud and worse exposed and removed. Now Apple is taking its turn in the spotlight. A new report from the research team at Wandera claims that 17 apps from one developer load a malicious clicker trojan module on an iOS device.
Apple says that the apps in question have been removed from the App Store, and upon examination did not contain the trojan malware as claimed. Instead, the apps were removed for including code that enabled the artificial click-through of ads. A spokesperson for Apple confirmed the removal of the apps and that the App Store’s protective tools have been updated to detect similar apps in the future.
According to Wandera, the trojan focused on ad fraud, but also sent data from the infected device to an external command and control server. Wandera told me that an even more worrying element of the malware, one not included in the write-up, is a set of devious techniques to evade detection. The malware triggered only when loaded with an active SIM and left running for two days. We have seen this before on Android—an attempt to hide from security researchers in lab conditions.
“We were amazed with this one,” Wandera VP Michael Covington told me ahead of the report’s release. “We’ve seen a couple of issues creep into the Apple App Store over the last few months—and it always seems to be the network element.” In his view, Apple misses the runtime element of an app’s behaviour when scanned before approval. “They don’t have a deep threat research expertise,” he explained, “but to find malicious network traffic, you have to watch live apps and see how they perform.”
When I talked with Wandera ahead of the report being released, they provided links and said the apps were still available to install. Apple has since confirmed their removal. The fact they gained access to the store remains a concern. Wandera says it discovered the malicious apps when its monitoring platform detected network traffic back to the external C&C server. “That forced us to work backwards,” Covington told me, “we found one of those apps, and from there we found the developer and then the other indicators of compromise that led to the other apps.”
Each of the apps contains the “malicious” clicker trojan module. “Malicious,” Covington claimed, because the module can do more than just generate fraudulent ads. “It could potentially steal information, or open a backdoor,” he said. “Any time I see an app opening a connection to the outside, I think we may have more than just bad ads, we have some malicious functionality that’s being introduced.”
All of the apps will “carry out ad fraud-related tasks in the background,” the report claims, “such as continuously opening web pages or clicking links without any user interaction.” The module generated revenue for the operators “on a pay-per-click basis by inflating website traffic.” The evasive behaviour, which is not in the report, points to a level of sophistication beyond simple ad fraud. To design malware specifically to outwit a security research lab is a level beyond.
Covington takes the view that an outside connection means a high risk of data compromise—at least to some extent. The malware sends device and location information, and potentially some user data as well. The apps are not games. “One managed contacts, another travel information, another had access to accelerometer and location—even without special permissions for the camera or microphone, the apps likely accessed contacts and location, with privacy implications.”
For its part, Apple disputes that any such compromise took place here—there was no danger beyond isolated click fraud, it says, emphasising that the company patrols the App Store to identify and remove any apps that represent a danger to users.
Any C&C server clearly represents some form of risk, though—an external link opens a door to further threats. “Certain information about the device and the user is used to determine what ads to deliver,” Covington said. “But we have seen C&C servers deliver other types of commands—to change configurations or trigger phishing attacks, to deliver legitimate-looking login pages to steal credentials. Or to deliver malicious payloads to bulk up apps or install others. Once you open a connection to the outside, bad things can happen.”
In this instance, Wandera says it has seen performance degradation, battery drain and heavy bandwidth use—one ad runs a video stream for more than five minutes, others contain large images. The same C&C server was disclosed by Dr. Web as part of an Android malware campaign. Dr. Web reported that the server could target ads, load websites, alter the configuration of devices and fraudulently subscribe users to premium content. None of these additional issues have been claimed for the iOS malware.
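The two observations above, that the apps were first noticed from network traffic back to a C&C server and that they burn bandwidth in the background, are the kind of signals a mobile threat defence or egress-monitoring platform can turn into a detection rule. The following Python example is added here and is not Wandera's code; the flow records, the `cnc.example.invalid` indicator and the thresholds are all constructed, since the report does not publish the real C&C hostname.

```python
"""Added example (not Wandera's code): flag iOS apps whose network
behaviour matches the clicker-trojan pattern the article describes:
traffic to a known command-and-control host, plus sustained background
bandwidth such as a multi-minute video stream the user never requested.

The flow records, the C&C hostname and the thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder indicator list; the article does not publish the real
# C&C hostname, so this is a constructed value, not a real IoC.
CNC_INDICATORS = {"cnc.example.invalid"}

# Assumed thresholds for the behavioural rule.
BACKGROUND_BYTES_LIMIT = 50 * 1024 * 1024   # 50 MiB while in background
LONG_SESSION_SECONDS = 300                   # one session over five minutes


@dataclass
class Flow:
    bundle_id: str
    dest_host: str
    seconds: int
    bytes_total: int
    background: bool


def parse_flow_log(lines):
    """Parse 'bundle_id dest_host seconds bytes fg|bg' lines into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bundle, host, secs, nbytes, state = line.split()
        flows.append(Flow(bundle, host, int(secs), int(nbytes), state == "bg"))
    return flows


def flag_suspect_apps(flows):
    """Return {bundle_id: [reasons]} for apps matching the C&C or background rules."""
    bg_bytes = defaultdict(int)      # bytes moved while the app was backgrounded
    longest_bg = defaultdict(int)    # longest single background session, seconds
    cnc_hits = defaultdict(set)      # indicator hosts each app contacted
    for f in flows:
        if f.dest_host in CNC_INDICATORS:
            cnc_hits[f.bundle_id].add(f.dest_host)
        if f.background:
            bg_bytes[f.bundle_id] += f.bytes_total
            longest_bg[f.bundle_id] = max(longest_bg[f.bundle_id], f.seconds)

    findings = {}
    for app in set(bg_bytes) | set(cnc_hits):
        reasons = []
        if app in cnc_hits:
            reasons.append("contacts C&C indicator " + ", ".join(sorted(cnc_hits[app])))
        if bg_bytes[app] > BACKGROUND_BYTES_LIMIT:
            reasons.append(f"{bg_bytes[app] // (1024 * 1024)} MiB transferred in background")
        if longest_bg[app] > LONG_SESSION_SECONDS:
            reasons.append(f"background session of {longest_bg[app]} s")
        if reasons:
            findings[app] = reasons
    return findings


# Constructed sample log: three apps on one device over a day.
SAMPLE_LOG = """
# bundle_id              dest_host              seconds bytes     state
com.example.speedometer  cnc.example.invalid    2       1400      bg
com.example.speedometer  ads.example.invalid    420     90000000  bg
com.example.speedometer  ads.example.invalid    30      2000000   bg
com.example.notes        sync.example.invalid   5       20000     fg
com.example.weather      api.example.invalid    3       40000     bg
"""

if __name__ == "__main__":
    results = flag_suspect_apps(parse_flow_log(SAMPLE_LOG.splitlines()))
    for app, reasons in sorted(results.items()):
        print(app)
        for reason in reasons:
            print("  -", reason)
```

The indicator match is the high-confidence rule and is what Wandera describes working backwards from; the background-bandwidth and long-session rules are lower confidence on their own (a podcast app will trip them) and are best used to prioritise which apps to look at once a device is already suspect.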
The developer is AppAspect Technologies, based in India, an operator with apps for both iOS and Android. Wandera says it examined the Android apps: none currently contains the clicker trojan module, but they did previously. They were pulled from the store, the module was removed and the apps were republished. Perhaps the heat being turned up on the Play Store forced a retreat? Perhaps the operator turned its focus to iOS, where there is less expectation of such compromises? Covington thinks this is a real possibility.
Apple has confirmed that the apps have been removed, and the good news is that deleting the apps solves any problems; no remnants are left behind. “There is no access to special frameworks that might have left something behind,” Covington explained.
For Apple, in light of other security challenges in recent months, including a targeted WhatsApp hack, the Chinese malware attack on the Uighurs and new jailbreak options, this is an awkward story. The fast removal of the apps is to be applauded, as is the enhancement of protective tools, but the fact that harmful apps found their way onto the store obviously remains a worry.
Here is the list of infected apps:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio PRO – Internet Radio
- My Train Info – IRCTC & PNR (not listed under developer profile)
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019 Pro
- Restaurant Finder – Find Food
- BMI Calculator PRO – BMR Calc
- Dual Accounts Pro
- Video Editor – Mute Video
- Islamic World PRO – Qibla
- Smart Video Compressor
Updated later on October 24 with feedback from Apple, including confirmation of removal of the apps.