Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process.
The apps were all from a single developer, but covered a wide range of areas, including a restaurant-finder, Internet radio, BMI calculator, video compressor and GPS speedometer …
The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.
The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery-drain.
Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not found within the app itself, but the apps were instead getting instructions on what to do from a remote server.
The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue […]
Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.
The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm.
Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details […]
One example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.
iOS aims to guard against this by sandboxing. Each app gets its own private environment, so cannot access system data or data from other apps unless using processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, giving three examples of this.
Wandera is the same company which warned how a Siri feature could be used for phishing non-technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet.