Slashdot Mirror

← Back to Stories (view on slashdot.org)

First iOS Malware Discovered In Apple's App Store

Posted by timothy on from the still-a-pretty-good-track-record dept.

New submitter DavidGilbert99 writes "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store. While Android is well known for malware, Apple has prided itself on being free from malicious apps ... until now. The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."

18 of 171 comments (clear)

  1. First *malware* perhaps by GameboyRMH · · Score: 5, Interesting

    ...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:First *malware* perhaps by GameboyRMH · · Score: 4, Interesting

      With users relying entirely on the app store's curation process for security and a relatively low interest from the computer security community on the platform, I'd bet there are a lot of apps doing shady stuff with iOS users' personal data right now.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:First *malware* perhaps by jittles · · Score: 4, Informative

      I don't believe this is the first instance of iOS malware at all. Its the first time they have found it. And they only found it because the app author was stupid. There are probably tons of iOS apps that steal all of your contact info, you just have no way of knowing about it. I am pretty sure such apps have been acknowledged by apple in the past, and subsequently removed from the app store.

    3. Re:First *malware* perhaps by GameboyRMH · · Score: 5, Informative

      Addendum: Looks like I'm right:

      http://apple.slashdot.org/comments.pl?sid=2959773&cid=40554831

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Are you sure? by Minwee · · Score: 5, Funny

    The app steals your contact data and uploads it to a remote server

    So it's just iCloud?

  3. sucks to be the 5 people to use this app by alen · · Score: 4, Funny

    i might download it just to give it some ranking in the top free apps

    otherwise it will be lost in the ocean of apps

  4. No doubt... by Shoten · · Score: 4, Insightful

    Some will say that the Apple App Store is "no longer secure." This is ridiculous. It took 5 years for the first malware to show up...that's pretty damned good. Nothing is impermeable, after all. But the real value is that the malware can easily be removed...and its source eradicated. So it's not only about keeping malware out via the App Store, but also in having a swift and flexible response option for just this sort of occasion. Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:No doubt... by unlucky+ducky · · Score: 4, Insightful

      This is the first found and publicly revealed malware, it does not necessarily have to be the first malware on the platform. We have no way of actually knowing whether there's already been other malware in the store before.

    2. Re:No doubt... by amicusNYCL · · Score: 4, Insightful

      Some will say that the Apple App Store is "no longer secure." This is ridiculous.

      Right, it would be more accurate to say that it never really was "secure", it was just heavily audited. It shouldn't be a surprise to anyone that malicious apps will manage to sneak through the audits from time to time.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:No doubt... by rolfwind · · Score: 5, Insightful

      Some people tend to have an all-or-nothing nature, especially when it concerns something they go partisan over - like Apple.

      I've easily had dozens of arguments over the years where I argued Apple was the more secure solution for the average user, people responded with pwn to own or some such, and if I argued further, they just labeled me as a "fanboi" as if that ended the argument even if I argued the Unix underpinnings. Nevermind that I use W7 and Ubuntu myself, or that it's my own personal experience having to play tech support to an entire tech-challenged family that's both hardworking and lucky enough to afford to have a choice. Sure, I could put them on OpenBSD or HardenedLinux, but the first obstacle they run into, they say "Why can't I do yadayadayada" they'll go and find a way to install Windows on it, which is perfectly fine by itself, and start downloading mouse icons that look like toy trojan horses and what not.

      The mindset of Y turns out to not be perfect, so it's on the same level of X, must originate from politics because the whole feel of the debate seems political. It's a retarded mentality to have, akin to cheering for wrestlers and their bogus storylines. It's sad that it has crept into tech so pervasively and that's what the whole last decade felt like on any issue - stupid partisan cheerleading for one side or the other, or booing against one side or another.

      The truth of a walled garden is that it's the most practical solution for most consumers, who really don't or can't police what they're doing. I wouldn't want to live in one exclusively, nor would most geeks, but that's why they're geeks, they go above and beyond the artificial constraints and don't need the protection.

    4. Re:No doubt... by gl4ss · · Score: 4, Insightful

      it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

      --
      world was created 5 seconds before this post as it is.
    5. Re:No doubt... by Crudely_Indecent · · Score: 4, Interesting

      It took 5 years for the first malware to show up.

      Wrong! It took 5 years for the first malware to be identified and publicly acknowledged.

      How many more exist secretly, awaiting a clever analyst?

      --


      "Lame" - Galaxar
    6. Re:No doubt... by Shoten · · Score: 4, Insightful

      it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

      Very true...but despite my best efforts to raise awareness, Facebook has yet to be classified as a very large botnet :)

      --

      For your security, this post has been encrypted with ROT-13, twice.
  5. App is/was also available for Android by Anonymous Coward · · Score: 5, Informative

    So they targeted both groups.

  6. Not surprising... by Anonymous Coward · · Score: 5, Informative

    One of my beefs about iOS is that even though it will ask the user if an app attempts to use the GPS or notification, there are plenty of juicy things that can be obtained and copied elsewhere. Photos are protected against being deleted, but they can be slurped up and copied off without the user knowing. Same with contacts and music.

    I'm surprised this was caught. If a person jailbreaks their device and runs PMP (Protect My Privacy) and Firewall IP, they will see a lot of apps digging in places where they shouldn't be, and sending lots of data to sites that have zero relevance to the task at hand. One major news app connects to so many sites without DNS (just via IP addresses) that I ended up just blacklisting all but the few sites it gets news info.

    I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.

    1. Re:Not surprising... by samkass · · Score: 5, Insightful

      Yeah, this is fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, Photos, and after the fact you can see who requested it, who currently has access, and toggle them.

      My only complaint is that the App Store doesn't give you this information before you download the app. Developers should have to declare that they want to access any of these things (and show ads, and have in-app purchases), and the App Store listing should contain the information about what the app is going to want to do before you buy it.

      --
      E pluribus unum
  7. Why doesn't this count?! by Pulse301 · · Score: 4, Funny

    InstaStock was malicious and was available on the app store. Why doesn't it count as the first?

  8. android well-known for malware? by farble1670 · · Score: 4, Insightful

    While Android is well known for malware,

    in theory, and not in practice that is. the *only* thing that makes android more vulnerable is apple's more severe vetting for apps in their store, and the fact that android apps can be "side loaded", or installed from arbitrary sources (other than the google play store). side loaded is disabled by default and must be explicitly enabled by the user after subjecting them to a scary warning dialog.

    android security model of fine-grained permissions that are presented to the user before the app is even installed is superior to iOS. what android doesn't do is protect users from their own stupidity. read the permissions. if you choose to go ahead and install that flashlight app that requests permission to the internet and to read your contacts, you'll get what you deserve.