How 18 Malware Apps Snuck Into Apple’s App Store
Credit to Author: Brian Barrett| Date: Fri, 25 Oct 2019 15:43:54 +0000
Sing it loud: The App Store's not perfect. Especially when it's up against click fraud code this clever.
Despite some recent pronounced lapses, the iPhone remains one of the most secure consumer devices you can buy, thanks in large part to the locked-down ecosystem of the iOS App Store. But things do slip through the cracks—including 18 apps that used evasive maneuvers to sneak past Apple’s defenses.
The malicious apps—17 of which were discovered by mobile security company Wandera, all from the same developer, while Apple spotted another using the same technique—have already been taken down. While they were live, they didn’t steal data or gain control of a victim’s device, behavior that other recent iOS fumbles could have enabled. Instead, the apps, which ranged from a calculator to a yoga pose repository, ran invisible ads in the background of the device, generating phony website clicks to inflate ad revenues.
That sort of adware makes regular appearances on Android, in part because that platform’s third-party app stores are riddled with bad actors. On iOS? Not so much. And while the worst effects you’d feel as a victim in this case would be a quicker battery drain and a higher data bill, this latest wave of iOS malware is most notable not for what it does but for how it got there.
"I think this one changed the game a bit for the types of things Apple needs to look for."
Michael Covington, Wandera
It started small. Wandera's security software flagged some unusual activity on a client’s iPhone: A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously been identified as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue.
Wandera worked backwards from there. It identified the developer of the app, India-based AppAspect Technologies, and installed its dozens of offerings on iPhones for further testing. First, static analysis, poring over the code to look for any embedded shenanigans. Then dynamic analysis, looking for any outbound connections to a far-flung server with bad intentions.
“That’s usually where we see the dodgy activity,” says Michael Covington, Wandera’s vice president of product. “In this case, we weren’t seeing it.”
Nothing. Not a hint of impropriety. But Wandera continued to press. Its standard testing setup relies on several iPhones connected to Wi-Fi; it’s a lot of downloads, after all, so no reason to chew up all that data. But after striking out in the first round of analyses, the researchers decided to see what happened if they added a SIM card to the equation. And then they waited.
A few days later, 17 of the apps started reaching out to the same adware server.
“They had the intelligence to not just wait a few days, but to actually wait for other pieces of context to line up in the way that the developer wanted them to,” Covington says. In this case, the presence of a SIM card indicates that the phone belongs to a real person rather than a security researcher—or one of the many humans that screen apps for App Store approval.
It’s a simple evasion, but clever. More important, in this case it was effective. If you downloaded one of these apps, it would act perfectly normal until it was reasonably confident that you’re a genuine mark. At that point, it would reach out to its boss—the command and control server—which would instruct the app to turn your iPhone into an invisible click farm.
In an email, AppAspect Technologies pleaded ignorance, saying that it only found out about the issue after Apple had removed its apps, and that it’s working its way back to compliance. And in fairness, it’s entirely plausible that they had no idea that its apps were behaving this way. Developers sometimes incorporate code from third-party or unauthorized sources to build out their apps; borrowing from the wrong bin can easily—and accidentally—turn a speedometer app into something malicious. Apple’s been through that on a larger scale than this; in 2015, some developer forums hosted versions of its Xcode software tool with data-stealing code appended to it, resulting in dozens of infected apps sneaking onto devices.
Adware’s a less severe problem, and again, it’s downright endemic to Android. Security firm ESET announced just yesterday that it found 42 Google Play Store adware apps, downloaded millions of times. While not unheard of on iOS, it’s much more rare, especially with this level of sophistication.
“This is an excellent catch,” says Will Strafach, founder of Sudo Security Group and developer of the Guardian Firewall app for iOS.
It also illustrates how Apple’s App Store screening process isn’t quite as impregnable as you might assume. Especially when it comes to this specific category of intrusion. “Because ad fraud does not relate to actually malicious activity for the user, Apple likely does not put a high priority on policing it,” Strafach says.
“This was outside the parameters that Apple was checking,” says Wandera’s Covington. “I think this one changed the game a bit for the types of things Apple needs to look for.”
For its part, Apple acknowledges that it took down the infringing apps, and that it has updated its screening tools to better detect this kind of verboten activity going forward. But Apple also disputes the "malware" characterization, since ad fraud doesn’t directly disrupt your smartphone experience—or steal data from it—the way that, say, pervasive surveillance by an authoritarian state might.
Semantics aside, presumably most iPhone owners would prefer that a phalanx of click fraud apps not find its way into the App Store. But the incident is a good reminder that it can and does happen.
“I do realize that this is difficult to police and prevent,” says Thomas Reed, director of Mac and mobile research at cybersecurity firm Malwarebytes. “The problem isn’t so much that these things have happened, which is inevitable. The problem is that people have an unrealistic level of trust in Apple’s App Store—much as people once believed that ‘Macs don’t get viruses.’”