BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

An Ex-DOD Hacker Raises $20 Million To Stop ChatGPT-Fueled Cyberattacks
Tech Firms Pledge To Eliminate AI-Generated CSAM
Taser Company Axon Is Selling AI That Turns Body Cam Audio Into Police Reports
European Commission Launches Another TikTok Probe
Election 2024: Championing Proactive Cybersecurity To Fortify National Security
Malvertising Slips Through: Boosting Digital PR And Ad Safety Is Vital
Edit Story
ForbesInnovationCybersecurity

New iPhone Threat: These 17 ‘Trojan’ Apps May Be On Your Device—Delete Them Now

Zak Doffman
Contributor
Opinions expressed by Forbes Contributors are their own.
I cover security and surveillance
Following
This article is more than 4 years old.

Apple iPhone users are being warned to check their devices against a list of malicious apps disclosed in a new report. The exposure of such dangers on Google’s Play Store has become a theme this year, with apps laced with adware, subscription fraud and worse exposed and removed. Now Apple is taking its turn in the spotlight. A new report from the research team at Wandera claims that 17 apps from one developer load a malicious clicker trojan module on an iOS device.

Apple says that the apps in question have been removed from the App Store, and upon examination did not contain the trojan malware as claimed. Instead, the apps were removed for including code that enabled the artificial click-through of ads. A spokesperson for Apple confirmed the removal of the apps and that the App Store’s protective tools have been updated to detect similar apps in the future.

According to Wandera, the trojan focused on ad fraud, but also sent data from the infected device to an external command and control server. Wandera told me that an even more worrying element of the malware, one not included in the write-up, is a set of devious techniques to evade detection. The malware triggered only when loaded with an active SIM and left running for two days. We have seen this before on Android—an attempt to hide from security researchers in lab conditions.

“We were amazed with this one,” Wandera VP Michael Covington told me ahead of the report’s release. “We've seen a couple of issues creep into the Apple App Store over the last few months—and it always seems to be the network element.” In his view, Apple misses the runtime element of an app’s behaviour when scanned before approval. “They don't have a deep threat research expertise,” he explained, “but to find malicious network traffic, you have to watch live apps and see how they perform.”

When I talked with Wandera ahead of the report being released, they provided links and said the apps were still available to install. Apple has since confirmed their removal. The fact they gained access to the store remains a concern. Wandera says it discovered the malicious apps when its monitoring platform detected network traffic back to the external C&C server. “That forced us to work backwards,” Covington told me, “we found one of those apps, and from there we found the developer and then the other indicators of compromise that led to the other apps.”

MORE FOR YOU

Apple iPhone 16 Unique All New Design Promised In New Report

Huawei s Pura 70 Ultra Beats iPhone With Pioneering New Feature

Meet The Fintech Billionaire Making A Fortune Rewarding Home Renters

Each of the apps contain the “malicious” clicker trojan module. “Malicious,” Covington claimed, because the module can do more than just generate fraudulent ads. “It could potentially steal information, or open a backdoor,” he said. “Any time I see an app opening a connection to the outside, I think we may have more than just bad ads, we have some malicious functionality that's being introduced.”

All of the apps will “carry out ad fraud-related tasks in the background,” the report claims, “such as continuously opening web pages or clicking links without any user interaction.” The module generated revenue for the operators “on a pay-per-click basis by inflating website traffic.” The evasive behaviour, which is not in the report, points to a level of sophistication beyond simple ad fraud. To design malware specifically to outwit a security research lab is a level beyond.

Covington takes the view that an outside connection means a high risk of data compromise—at least to some extent. The malware sends device and location information, some user data as well potentially. The apps are not games. “One managed contacts, another travel information, another had access to accelerometer and location—even without special permissions for the camera or microphone, the apps likely accessed contacts and location, with privacy implications.”

For its part, Apple disputes that any such compromise took place here—there was no danger beyond isolated click fraud, it says, emphasising that the company patrols the App Store to identify and remove any apps that represent a danger to users.

Any C&C server clearly represents some form of risk, though—an external link opens a door to further threats. “Certain information about the device and the user is used to determine what ads to deliver,” Covington said. “But we have seen C&C servers deliver other types of commands—to change configurations or trigger phishing attacks, to deliver legitimate-looking login pages to steal credentials. Or to deliver malicious payloads to bulk ups apps or install others. Once you open a connection to the outside, bad things can happen.”

In this instance, Wandera says it has seen performance degradation, battery drain, heavy bandwidth use—one ad runs a video stream for more than five minutes, others contain large images. The same C&C server was disclosed by Dr. Web​ as part of an Android malware campaign. Dr. Web reported that the server could target ads, load websites, alter the configuration of devices, fraudulently subscribe users to premium content. None of these additional issues have been claimed for the iOS malware.

The developer is AppAspect Technologies, based in India, an operator with apps for both iOS and Android. Wandera says it examined the Android apps—none contained the clicker trojan module, but they used to, they were pulled from the store, the module removed, the apps republished. Perhaps the heat being turned up on the Play Store forced a retreat? Perhaps the operator turned its focus to iOS where there is less expectation of such compromises? Covington thinks this is a real possibility.

Apple has confirmed that the apps have been removed, and the good news is that deleting the apps solve any problems, no remnants are left behind. “There is no access to special frameworks that might have left something behind,” Covington explained.

For Apple, in light of other security challenges in recent months, including a targeted WhatsApp hack, the Chinese malware attack on the Uighurs, new jailbreak options, this is an awkward story. The fast removal of the apps is to be applauded, as it the enhancement of protective tools, but the fact that harmful apps found their way onto the store obviously remains a worry.

Here is the list of infected apps:

  1. RTO Vehicle Information
  2. EMI Calculator & Loan Planner
  3. File Manager - Documents
  4. Smart GPS Speedometer
  5. CrickOne - Live Cricket Scores
  6. Daily Fitness - Yoga Poses
  7. FM Radio PRO - Internet Radio
  8. My Train Info - IRCTC & PNR​ (not listed under developer profile)
  9. Around Me Place Finder
  10. Easy Contacts Backup Manager
  11. Ramadan Times 2019 Pro
  12. Restaurant Finder - Find Food
  13. BMI Calculator PRO - BMR Calc
  14. Dual Accounts Pro
  15. Video Editor - Mute Video
  16. Islamic World PRO - Qibla
  17. Smart Video Compressor

Updated later on October 24 with feedback from Apple, including confirmation of removal of the apps.

Follow me on Twitter or LinkedIn
Zak Doffman
Zak Doffman