Slashdot Mirror


First iOS Malware Discovered In Apple's App Store

New submitter DavidGilbert99 writes "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store. While Android is well known for malware, Apple has prided itself on being free from malicious apps ... until now. The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."


  1. First *malware* perhaps by GameboyRMH · · Score: 5, Interesting

    ...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:First *malware* perhaps by GameboyRMH · · Score: 4, Interesting

      With users relying entirely on the app store's curation process for security and a relatively low interest from the computer security community on the platform, I'd bet there are a lot of apps doing shady stuff with iOS users' personal data right now.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:First *malware* perhaps by jittles · · Score: 4, Informative

      I don't believe this is the first instance of iOS malware at all. It's the first time they have found it. And they only found it because the app author was stupid. There are probably tons of iOS apps that steal all of your contact info, you just have no way of knowing about it. I am pretty sure such apps have been acknowledged by Apple in the past, and subsequently removed from the app store.

    3. Re:First *malware* perhaps by GameboyRMH · · Score: 5, Informative
      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:First *malware* perhaps by mystikkman · · Score: 3, Insightful

      ...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.

      A tethering app is malware... but only according to Apple.
      For their users, it's an extremely useful piece of software.

    5. Re:First *malware* perhaps by Em+Adespoton · · Score: 3, Interesting

      This isn't even the first time they've found it... functionally, the app does nothing that the Facebook app doesn't do, except for forge your SMS credentials. I doubt Apple's going to be pulling the Facebook integration from iOS 6 though....

    6. Re:First *malware* perhaps by kelemvor4 · · Score: 3, Funny

      Addendum: Looks like I'm right:

      http://apple.slashdot.org/comments.pl?sid=2959773&cid=40554831

      You misunderstand. Apple tells users that this sharing of data is a feature, so it's not malware.

    7. Re:First *malware* perhaps by PaKL · · Score: 2

      At least Android tells me what an application tries to do, so I decide not to install it.

      And this is why I bought Permissions Pro. It enables me to lock permissions for programs that read "phone state" etc. And interestingly my battery consumption is much better for it, 1 day 20 hours with 48% remaining on my Galaxy S2.

  2. Are you sure? by Minwee · · Score: 5, Funny

    The app steals your contact data and uploads it to a remote server

    So it's just iCloud?

    1. Re:Are you sure? by evilRhino · · Score: 3, Informative

      Didn't the iOS LinkedIn App get caught doing similar over a month ago? http://blog.skycure.com/2012/06/linkedout-linkedin-privacy-issue.html

  3. sucks to be the 5 people to use this app by alen · · Score: 4, Funny

    i might download it just to give it some ranking in the top free apps

    otherwise it will be lost in the ocean of apps

  4. Trouble in paradise by DigiShaman · · Score: 2, Funny

    The garden walls have been breached! Oh noes!

    --
    Life is not for the lazy.
    1. Re:Trouble in paradise by jellomizer · · Score: 3, Insightful

      Well it was sneaky the way it got through. In general what the App does in its description required it to pull all this data off your phone. Then it needed to send the data to the cloud to match the correct name to get their phone number. Thus, it seemed to do what it says with a normal code review.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Trouble in paradise by Mister+Whirly · · Score: 2, Insightful

      Oh, so because Android phones get infected too then that means we can all just pretend iPhones can't be. Brilliant! Thanks Anonymous Coward now I can go back about my business and stop all this ceaseless worrying!

      --
      "But this one goes to 11!"
  5. No doubt... by Shoten · · Score: 4, Insightful

    Some will say that the Apple App Store is "no longer secure." This is ridiculous. It took 5 years for the first malware to show up...that's pretty damned good. Nothing is impermeable, after all. But the real value is that the malware can easily be removed...and its source eradicated. So it's not only about keeping malware out via the App Store, but also in having a swift and flexible response option for just this sort of occasion. Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.

    --
    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:No doubt... by unlucky+ducky · · Score: 4, Insightful

      This is the first found and publicly revealed malware, it does not necessarily have to be the first malware on the platform. We have no way of actually knowing whether there's already been other malware in the store before.

    2. Re:No doubt... by mlts · · Score: 2, Informative

      Once malware gets rooted out and Apple slams the banhammer down, it is a lot harder for a shady developer to get around closed accounts than on the Google Marketplace. This by itself keeps the bad guys on notice.

      That is the main security mechanism of iOS which keeps the bad stuff at bay: As soon as Apple gets wind of something malicious or violating the rules, it gets tossed out immediately. The same action doesn't get repeated.

      Now, once an app does get past the gatekeeper, it has a lot of room to play because only locations and alerts are granted/denied by the user. So, in theory, an app can copy pictures and contacts off, as well as send text messages all it wants. However, if users find something doing this, Apple squashes it.

      Since Apple's reputation is on the line for security, the strong gatekeeper has shown that it is more secure than the weak gatekeeper/strong OS security of the Android ecosystem. Google needs to get with it and start having a tier of the Marketplace that requires apps to be actively approved, similar to what Amazon does.

    3. Re:No doubt... by amicusNYCL · · Score: 4, Insightful

      Some will say that the Apple App Store is "no longer secure." This is ridiculous.

      Right, it would be more accurate to say that it never really was "secure", it was just heavily audited. It shouldn't be a surprise to anyone that malicious apps will manage to sneak through the audits from time to time.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:No doubt... by rolfwind · · Score: 5, Insightful

      Some people tend to have an all-or-nothing nature, especially when it concerns something they go partisan over - like Apple.

      I've easily had dozens of arguments over the years where I argued Apple was the more secure solution for the average user, people responded with pwn to own or some such, and if I argued further, they just labeled me as a "fanboi" as if that ended the argument even if I argued the Unix underpinnings. Nevermind that I use W7 and Ubuntu myself, or that it's my own personal experience having to play tech support to an entire tech-challenged family that's both hardworking and lucky enough to afford to have a choice. Sure, I could put them on OpenBSD or HardenedLinux, but the first obstacle they run into, they say "Why can't I do yadayadayada" they'll go and find a way to install Windows on it, which is perfectly fine by itself, and start downloading mouse icons that look like toy trojan horses and what not.

      The mindset of Y turns out to not be perfect, so it's on the same level of X, must originate from politics because the whole feel of the debate seems political. It's a retarded mentality to have, akin to cheering for wrestlers and their bogus storylines. It's sad that it has crept into tech so pervasively and that's what the whole last decade felt like on any issue - stupid partisan cheerleading for one side or the other, or booing against one side or another.

      The truth of a walled garden is that it's the most practical solution for most consumers, who really don't or can't police what they're doing. I wouldn't want to live in one exclusively, nor would most geeks, but that's why they're geeks, they go above and beyond the artificial constraints and don't need the protection.

    5. Re:No doubt... by gl4ss · · Score: 4, Insightful

      it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

      --
      world was created 5 seconds before this post as it is.
    6. Re:No doubt... by h4rr4r · · Score: 3, Interesting

      What stops that dev from spending another $99 on another dev account?
      Not that hard or expensive to kill your old corporation, start another and get a new AMEX.

    7. Re:No doubt... by mlts · · Score: 3, Insightful

      One answer would likely be tiers:

      The first tier would be actively approved apps.

      Then, if the user so chooses to set foot into Mordor, there can be a tier of apps that are downloadable almost immediately, and pulled if people justifiably report it as malicious.

      This type of system has worked on jailbroken phones, where the App store serves one tier, and Cydia serves another. Since it takes a little bit of effort to JB an iPhone, generally someone is clued enough to be able to watch out for Trojans.

      What this is protecting against, is arguably the biggest security hole of all; the user. Most smartphone users are not anywhere as savvy as a /. reader. The casual user will see an app that might offer "cool smilies", install it by reflex, and go on their merry way. On iOS, the damage a user can do is limited [1]. On Android, it is fairly easy to find apps that are malicious, and where a competent person would not install a fleshlight app that asks for full phone, GPS, contact, photos, and filesystem access (or even a prompt for a su), an inexperienced user will just click "install" nonetheless, then scream that Android is insecure when they get bitten. iOS is designed to keep this from happening. Only beta code, Cydia apps, and enterprise apps are not coming through Apple's gateway. It is almost certain that the worst an iOS app can do is lighten the user's pocketbook due to its cost, or the cost of in-app transactions.

      This isn't exactly the "dancing bunnies" security hole, but protecting the ignorant user from themselves is the difference between a platform having a rep as secure versus easily compromised.

      I like both worlds. Have some barrier so a user doesn't exit the managed tier without a deliberate decision, then if they choose to, allow them to do what they want. This keeps the novices from footshooting while allowing people with a clue to use their device to the fullest.

      [1]: Assuming the user doesn't JB, but generally if someone is clued enough to jailbreak, they will either know what they are doing, or end up having a clued friend DFU restoring their device and not do it again.

    8. Re:No doubt... by CanHasDIY · · Score: 2

      They are starting to do this with iOS 6. I have the beta on my device and anytime an app wants access to your contacts, calendar information, reminders, and/or photos the OS asks the user if it's okay for the app to access such things.

      In other words... Windows UAC.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    9. Re:No doubt... by Crudely_Indecent · · Score: 4, Interesting

      It took 5 years for the first malware to show up.

      Wrong! It took 5 years for the first malware to be identified and publicly acknowledged.

      How many more exist secretly, awaiting a clever analyst?

      --
      "Lame" - Galaxar
    10. Re:No doubt... by stephanruby · · Score: 2

      Some will say that the Apple App Store is "no longer secure."

      Who cares about the Apple App Store no longer being secure if the iPhone itself lost that claim long ago? You iPhone users are just playing with semantics here. If your iPhone can be compromised by just being directed at a web site (as it did a while ago), it really doesn't matter much if the App Store is secure or not.

      Besides, I'm not even sure if the latter claim of the Apple App Store being secure is that true to begin with. Many iTunes users, including some app developers, have had their iTunes account credentials stolen and their account hijacked. In my opinion, that vulnerability at the server-side is just as bad as the previous iOS vulnerability on its client-side, since your iTunes account is pretty much used for everything -- including developer accounts.

      And the last time I checked, which granted is over one year ago (so my information is hopefully outdated by now), Google users could add 2-factor authentication to their account, but iTunes users still couldn't.

    11. Re:No doubt... by Shoten · · Score: 4, Insightful

      it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

      Very true...but despite my best efforts to raise awareness, Facebook has yet to be classified as a very large botnet :)

      --
      For your security, this post has been encrypted with ROT-13, twice.
    12. Re:No doubt... by adamstew · · Score: 2

      Kind of. It's a one-time request per App you install. It's more like Facebook's system of a user authorizing a Facebook app to access their data. The first time an App requests a particular type of data, UI from Facebook pops up and says "here is what the app is requesting, do you want to allow it?"

      The way it works on iOS 6 is similar. The first time an App wants to access a protected type of data from the phone, UI from iOS pops up and asks if it's okay. It happens the first time and once you give permission you don't need to give it again. You can also revoke permission later from the device settings as well.

    13. Re:No doubt... by icebraining · · Score: 2

      So they finally caught up to Symbian? That's nice.

    14. Re:No doubt... by Barefoot+Monkey · · Score: 3, Funny

      ...and where a competent person would not install a fleshlight app that asks for...

      Freudian slip?

  6. App is/was also available for Android by Anonymous Coward · · Score: 5, Informative

    So they targeted both groups.

  7. Not surprising... by Anonymous Coward · · Score: 5, Informative

    One of my beefs about iOS is that even though it will ask the user if an app attempts to use the GPS or notification, there are plenty of juicy things that can be obtained and copied elsewhere. Photos are protected against being deleted, but they can be slurped up and copied off without the user knowing. Same with contacts and music.

    I'm surprised this was caught. If a person jailbreaks their device and runs PMP (Protect My Privacy) and Firewall IP, they will see a lot of apps digging in places where they shouldn't be, and sending lots of data to sites that have zero relevance to the task at hand. One major news app connects to so many sites without DNS (just via IP addresses) that I ended up just blacklisting all but the few sites it gets news info.

    I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.

    1. Re:Not surprising... by samkass · · Score: 5, Insightful

      Yeah, this is fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, Photos, and after the fact you can see who requested it, who currently has access, and toggle them.

      My only complaint is that the App Store doesn't give you this information before you download the app. Developers should have to declare that they want to access any of these things (and show ads, and have in-app purchases), and the App Store listing should contain the information about what the app is going to want to do before you buy it.

      --
      E pluribus unum
  8. Re:This isn't new! by GameboyRMH · · Score: 2

    Damn, I knew it was a useless locked-in piece of shit, but I didn't know it was malware! And just today I told a coworker that it was fine to use (apart from the lockin and relative uselessness) on Blackberry.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Details missing? by bhlowe · · Score: 2

    Any estimate of the number of people who installed it and ran it? Did it have a useful function that would get people to install it from the 500K other iOS apps? Did the app have any ratings that suggested that it was worth installing? Was the app Russian language only? (English language apps probably get more scrutiny, since the app reviewing is done by Apple in Cupertino...) Did anyone check with PayPal to see if the account has been closed and if refunds are due?

  10. I thought apps needed permission to see contacts by mark-t · · Score: 2

    I thought Apple had, in a fairly recent iOS update, made it so that an app couldn't just silently query a person's contact data... that the application would need to declare to the OS that it was going to do this, the OS would then check with the user to see if it was okay. If the user hadn't given permission, I thought trying to access the contact data from an app would be futile.

    Again, this was just my understanding here... so either this is only an issue with older iOS versions, or else my understanding is completely borked, and I have no idea what I'm talking about.

  11. Why doesn't this count?! by Pulse301 · · Score: 4, Funny

    InstaStock was malicious and was available on the app store. Why doesn't it count as the first?

    1. Re:Why doesn't this count?! by realsilly · · Score: 3, Informative
      --
      Life takes interesting turns, but the most interest is when you're off the beaten path.
  12. Re:Apple approval process by mr100percent · · Score: 2

    865,000 apps approved for the App Store, and yes, one got through. And you think it's nothing more than Apple randomly selecting apps to let in.

  13. From you? by dimer0 · · Score: 2

    Was curious how these guys could send text messages to people looking like they came from you (because there's no way for an app to get its hands on your phone number) - but realized from TFA that the user was prompted to enter their mobile phone number into a text box (and no validation was done on that). So, for idiots, it might look like it was coming from you. But there's no F'in way I'm entering my phone number into an app I download from the app store.

  14. Re:Apple approval process by MachDelta · · Score: 3, Insightful

    It would be more accurate to say one got caught. There could be others running wild that have slipped the net.

  15. Stopping malware by DaMattster · · Score: 3, Interesting

    One way to stop the proliferation of malware in these so-called app stores is to not allow the submission of binaries. Force the author to submit source code instead so it can be audited and then have Apple build the binaries. Apple could then put the binary through its paces to see how it behaves. I'm not necessarily advocating this method because there are multiple points for abuse but it is one way to thwart the problem. It would force the would-be malware writers to innovate and adapt and that would not be easily done.

  16. Meh by WankerWeasel · · Score: 3, Insightful

    It was also available in the Google Play store too. With the hundreds of thousands of apps that they have to review, it was bound to happen sooner or later. Plenty of apps grab your address book info including the Facebook app. What it does with them Apple has little control over. Facebook could choose to spam them on their server side and Apple couldn't prevent it (other than no longer allowing apps to access contact info).

  17. android well-known for malware? by farble1670 · · Score: 4, Insightful

    While Android is well known for malware,

    in theory, and not in practice that is. the *only* thing that makes android more vulnerable is apple's more severe vetting for apps in their store, and the fact that android apps can be "side loaded", or installed from arbitrary sources (other than the google play store). side loaded is disabled by default and must be explicitly enabled by the user after subjecting them to a scary warning dialog.

    android security model of fine-grained permissions that are presented to the user before the app is even installed is superior to iOS. what android doesn't do is protect users from their own stupidity. read the permissions. if you choose to go ahead and install that flashlight app that requests permission to the internet and to read your contacts, you'll get what you deserve.

  18. This isn't malware by Quila · · Score: 3, Insightful

    The application is working as advertised, uploading data as allowed by the user.

    The problem is that the company is not trustworthy for what it does with that data. This can be any company: Do you trust Google, Yelp or Facebook with your data? This is the decision you have to make with any app on any platform. Pretty much the only way around this would be for Apple to require privacy and data use policies with minimum protections for all developers, and then require them to be bonded against a misuse contrary to that policy.

  19. A question by Grayhand · · Score: 2

    "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store"

    How much does it cost? I'll buy anything for $.99

  20. So what's the difference by EEPROMS · · Score: 2

    "The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."

    So Facebook is malware now?