First iOS Malware Discovered In Apple's App Store
New submitter DavidGilbert99 writes "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store. While Android is well known for malware, Apple has prided itself on being free from malicious apps ... until now. The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."
...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The app steals your contact data and uploads it to a remote server
So it's just iCloud?
i might download it just to give it some ranking in the top free apps
otherwise it will be lost in the ocean of apps
The garden walls have been breached! Oh noes!
Life is not for the lazy.
Some will say that the Apple App Store is "no longer secure." This is ridiculous. It took 5 years for the first malware to show up...that's pretty damned good. Nothing is impermeable, after all. But the real value is that the malware can easily be removed...and its source eradicated. So it's not only about keeping malware out via the App Store, but also in having a swift and flexible response option for just this sort of occasion. Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.
For your security, this post has been encrypted with ROT-13, twice.
So they targeted both groups.
The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."
That is exactly what WhatsApp Messenger does. They take all your contact info (you agreed to the terms of use) and send spam to your contacts.
I have no idea why WhatsApp is so popular.
It's instant messaging, but limited to cell phones.
There are many other IM networks that are available for mobile, with an existing large installed base: google talk, msn messenger, ICQ, etc. WhatsApp has no advantages over the existing IM networks. I just don't get it.
One of my beefs about iOS is that even though it will ask the user if an app attempts to use the GPS or notification, there are plenty of juicy things that can be obtained and copied elsewhere. Photos are protected against being deleted, but they can be slurped up and copied off without the user knowing. Same with contacts and music.
I'm surprised this was caught. If a person jailbreaks their device and runs PMP (Protect My Privacy) and Firewall IP, they will see a lot of apps digging in places where they shouldn't be, and sending lots of data to sites that have zero relevance to the task at hand. One major news app connects to so many sites without DNS (just via IP addresses) that I ended up just blacklisting all but the few sites it gets news info.
I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.
Maybe these are the bastards that broke Angry Birds!!!!!!11 =D
Any estimate of the number of people who installed it and ran it? Did it have a useful function that would get people to install it from the 500K other iOS apps? Did the app have any ratings that suggested that it was worth installing? Was the app Russian language only? (English language apps probably get more scrutiny, since the app reviewing is done by Apple in Cupertino...) Did anyone check with PayPal to see if the account has been closed and if refunds are due?
Does anyone know how the app approval process works exactly? Is there 1 person or a team responsible for every app submitted? Do they only look at the inputs/outputs and overall UI, or do they look at every line of code? For example, what if I write a game that does something malicious on level 39, beyond what the Apple inspectors will likely reach in playing the game during the review process? And what if Level 39 is not anything malicious on the network, contact, sms, phone level, but just displays something that may be considered malicious or against Apple policy, e.g. pornographic images? Just seems to me that there has got to be ways to get past their inspection process if you know what it is, or even by guessing.
I thought Apple had, in a fairly recent iOS update, made it so that an app couldn't just silently query a person's contact data... that the application would need to declare to the OS that it was going to do this, the OS would then check with the user to see if it was okay. If the user hadn't given permission, I thought trying to access the contact data from an app would be futile.
Again, this was just my understanding here... so either this is only an issue with older iOS versions, or else my understanding is completely borked, and I have no idea what I'm talking about.
File under 'M' for 'Manic ranting'
InstaStock was malicious and was available on the app store. Why doesn't it count as the first?
This is just proof that Apple's rigorous app approval process consists solely of a dartboard.
This is going to be implemented in iOS6. (Privacy Settings) http://techcrunch.com/2012/06/12/more-ios-6-features-new-privacy-settings-share-widgets-revamped-store-apps-more/
Was curious how these guys could send text messages to people looking like they came from you (because there's no way for an app to get its hands on your phone number) - but realized from TFA that the user was prompted to enter their mobile phone number into a text box (and no validation was done on that). So, for idiots, it might look like it was coming from you. But there's no F'in way I'm entering my phone number into an app I download from the app store.
They are doing it in iOS 6, which hasn't been released yet. It is in Beta and should be released in the next couple of months.
The app is already gone off the App store, at least in the US.
- Vincit qui patitur.
One way to stop the proliferation of malware in these so-called app stores is to not allow the submission of binaries. Force the author to submit source code instead so it can be audited and then have Apple build the binaries. Apple could then put the binary through its paces to see how it behaves. I'm not necessarily advocating this method because there are multiple points for abuse but it is one way to thwart the problem. It would force the would-be malware writers to innovate and adapt and that would not be easily done.
Next thing you know they'll have to get their own botnet for the iphone and it probably won't even be compatible with the android botnet and they'll patent it, obviously.
Is it's sending an SMS!
My boss has yet to figure out how to do that with his glass brick. I always get MMSes, (which don't make a noise... hrm... maybe I shouldn't complain)
It was also available in the Google Play store too. With the hundreds of thousands of apps that they have to review, it was bound to happen sooner or later. Plenty of apps grab your address book info including the Facebook app. What it does with them Apple has little control over. Facebook could choose to spam them on their server side and Apple couldn't prevent it (other than no longer allowing apps to access contact info).
This is an enlightening bit of information.
While Android is well known for malware, Apple has prided itself on being free from malicious apps
I now have an excellent go-to example of what "begging the question" is. Great work!
...it drives traffic so why not.
this is buggy beta software. guess what, beta software has bugs, some bugs are worse than others. this one went all the way to eleven.
It's impossible for Apple to review every program or test it to a degree to ensure its safety. All the bad guys need to do is produce a seemingly useful application which calls home for legitimate purposes, make it work as advertised and then remotely flip a switch at some point into malicious mode. The malicious code could be obfuscated. It would be trivial to do and the bad guys would clearly know that too.
Is there no "Little Snitch" app out there?
Set your phasers on "funky"!
It's annoying that apple aren't implementing this security feature in iOS 5 (which will be the latest version of iOS that my iPad 1 will be able to run)
While Android is well known for malware,
in theory, and not in practice that is. the *only* thing that makes android more vulnerable is apple's more severe vetting for apps in their store, and the fact that android apps can be "side loaded", or installed from arbitrary sources (other than the google play store). side loaded is disabled by default and must be explicitly enabled by the user after subjecting them to a scary warning dialog.
android security model of fine-grained permissions that are presented to the user before the app is even installed is superior to iOS. what android doesn't do is protect users from their own stupidity. read the permissions. if you choose to go ahead and install that flashlight app that requests permission to the internet and to read your contacts, you'll get what you deserve.
But Steve'o said it's Unpossible!1
hmm same day that microsoft announced an android botnet no less. Guess it means if you want to be secure with your mobile phone you need to be using windows mobile 7... or 8 or something.
Or perhaps it's time to dump on the two main mobile o's in an effort to market windows phone.
Blarney Quality Restaurant, Plants
i thought it was going to be a story about the Facebook app. Oh well.
More like no one gives a shit about an OS that has no marketshare.
You can't access SMS from an app in iOS. Unless it's something that only affects jail broken phones, this is much ado about nothing.
Malware? Get real. Just hold your phone a different way. There are no security issues with Apple products.
The application is working as advertised, uploading data as allowed by the user.
The problem is that the company is not trustworthy for what it does with that data. This can be any company: Do you trust Google, Yelp or Facebook with your data? This is the decision you have to make with any app on any platform. Pretty much the only way around this would be for Apple to require privacy and data use policies with minimum protections for all developers, and then require them to be bonded against a misuse contrary to that policy.
the problem here is simple, bots do a lot of things for us. people using closed source have no idea that they can not even open a single app, without invoking a bot of some form. botnets get labeled as bad things, funny but by people who don't understand the fundamental nature of bots, limitations of computers, etc. it is very simple, those who don't understand this get misled. if you disabled every bot there might not even be a working computer to understand and explain things. if you pay close attention to sttng they are totally at the mercy of their computer in several episodes. yet they always find a silly or totally fictitious solution. botnets are a tool, one many people fear. which has left government and professional hackers, and a few children as the only people willing to mess with botnets. using apis to talk to them however is well documented, though programmers may not even be aware of what they are doing, when using high level programming languages etc. no i do not have any insider info, i just have a hobby using computers and i have seen how many games work for players, including the occasional glitch where scripted bots play video games (for cheaters)
https://www.gnu.org/philosophy/free-sw.html
but I'll be damned if I'll be the last to say it... on behalf of all Android and other non-iOS based phones, tablets, etc... in response to the self-satisfied smug shittiness of iAssholes who use Apple crap, thinking they're better than everyone else...
HHHHHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAAAAAAAAA HHHHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAAAAA!!!
Fuck you, Apple, and all your sycophant loser bitchtwat cultist users.
You may mod me down, moderator, but at least you read it, so my message got through at least once, and that's enough for me. :) ,,|,, Sit on it!
How much does it cost? I'll buy anything for $.99
So facebook is malware now ?
Maybe I'm being naive, but doesn't pretty much every consumer OS now allow apps basically universal access to a user's contacts database? Windows does, OS X does, iOS does (for now), and Windows Phone does. Android prompts for this access, and iOS will as well starting with iOS 6, but the reality is that this app is advertised as a communication app, so anyone downloading it would almost certainly grant the app this privilege. So is this malware? Sure. Is this big, surprising news? I'm having a hard time understanding why it would be, especially to readers of Slashdot. Unless you just want to point fingers at Apple of course.
Anyone who claims that CarrierIQ was actually the first malware in the app store for iOS is totally wrong. It was pre-installed by Apple on every phone. It was never available from the app store, so the headline is absolutely correct.
I'd love to go like in an apple store and change the background on the classic white apple on black... with a fat ass worm coming out of the apple!
I don't see this happening again easily.
The Applerati have long held an attitude of disdain for other platforms, while clinging to an illusion of invincibility inculcated by Apple marketing. It has always been a sham; researchers have repeatedly shown how Apple has introduced numerous vulnerabilities into OS X not present in its BSD antecedents.
Unfortunately, some Linux aficionados have been bitten by a similar bug. Nothing conceived by the human imagination is impervious to attack. Geek, secure thyself.
The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you.
I think my iPhone has had this virus for a while. It also randomly changes all your contacts' email addresses and is particularly nasty. It's called "Facebook"