Malware Strikes Apple iOS App Store Again

tlhIngan writes "Well, it's happened again. Malware has slipped past Apple again and appeared in the iOS App Store. This time though, an iOS application came bundled with two Windows executables containing relatively old malware. It will not infect an iOS device nor Macs, but might affect Windows iTunes users. Looks like Apple needs to update their Windows malware scanner for iOS app submissions now."

A lot of work?

[Zibodiz]

This just seems like a lot of work to infect a windows PC. Especially considering the relatively good track record Apple has at preventing malware from appearing on their platform. I almost half wonder if this is more of a proof-of-concept for a bored hacker.

Re:A lot of work?

[Microlith]

Or more likely a case of ridiculous ineptness on behalf of the developer and incompetence on Apple's behalf. It is possible, despite protestations to the contrary.

Re:A lot of work?

Apple's incompetence? You are suggesting that Apple is responsible for detecting Malware that affects non-Apple OSes? Should they should look for Linux malware also?

And does this apply to other app stores? Should the Windows app store look for malware that affects Apple or Linux? How about Google Play?

Should Apple be responsible for detecting all possible variants of all known malware in Windows? Maybe they should be responsible for detecting zero-day exploits in Windows? Perhaps you'd like Apple to run a security group for Windows malware?

Re:A lot of work?

Apple doesn't have a responsibility to detect malware at all. They could just sell you the hardware and software and call you an idiot if you execute a program that does something you don't want.

It is however in their best interest to prevent their phone from becoming an infection vector through which their users' PCs could be compromised. Mostly because it will adversely affect sales if they don't.

Re:A lot of work?

[Ryanrule]

They sold it. They are liable.

Re:A lot of work?

[EGSonikku]

Liable for what? Show me a single user whose Computer was infected due to this app. If you read and understood the article you'd know you couldn't show me a single infected user.

Re:A lot of work?

[Em+Adespoton]

The way the malware shows up in the IPA, it looks like the developer opened the folder path on an infected Windows machine prior to packaging it up. The filenames indicate the folders were infected by live malware (as the malware names the dropped files after the folder it puts them in, which is the case here).

Re:A lot of work?

[cbiltcliffe]

Windows users still outnumber Mac users by a large margin. Considering even the summary says this was "relatively old," it would be trivial for Apple to set up an automated virus scan for app store submissions. I'd argue theyshould have been doing this all along.

Re:A lot of work?

[VanGarrett]

Should the Windows app store look for malware that affects Apple or Linux?

If they are going to be selling apps which may be expected to have an executable component on Apple or Linux machines, then yes.

Re:A lot of work?

[jrroche]

If Apple is going to market their walled garden as a safe alternative to the Mad Max dystopian hellscape of Google Play, with bands of pirates riding around on patchwork motorcycles, hunting down developers trying to make an honest living and unsuspecting users trying to play their "hit thing with bird" games -- then yes, Apple does have some responsibility to carry through on their end of that bargain. However, given the wild exaggeration of Siri's capabilities in their commercials, Apple seems to take its implied marketing promises pretty lightly.

Re:A lot of work?

[Ryanrule]

You are paying for software, and you get send a virus. You don't even know. It gets dropped into a folder you never even think to touch. Now this time, nothing happened. This time. If apple isn't firing people over this, then they do not know what they are doing.

Re:A lot of work?

[toriver]

What's the probability an iOS app ships with Windows executables inside at all? There is no point in checking for any theoretical content except that which can affect its intended environment: iOS. What next, look through included PDFs to see if they exploit bugs in Adobe Reader?

Re:A lot of work?

[amicusNYCL]

Apple's incompetence? You are suggesting that Apple is responsible for detecting Malware that affects non-Apple OSes? Should they should look for Linux malware also?

If they're going to run a "curated" app store, then wouldn't it stand to reason that they actually curate their app store? If you can bundle any random files in your app that you want to, and Apple will approve the app, then Apple is distributing those files for you. You could bundle child porn images using whatever filenames you want even, add them into an otherwise frivolous app, put that on the app store for $.99, advertise it wherever those things are currently advertised with instructions about how to extract the images, and voila. Not only is Apple selling your child porn for you, but they're taking a cut of the profits.

So yeah, Apple sort of does have a duty to look at the files in the packages that people submit, regardless of whether they are specifically looking for malware or anything else, and regardless of what OS it targets. You would think an app package distributed with Windows .exe files would raise a red flag, but apparently not. Why is that? Hold on to your fragile Apple sensibilities, because it just may be due to incompetence in Apple screening the app packages.

Re:This is becoming a trend

"Dr." Jobs?!

Non-story

It's not clear how this even an infection vector for windows computers. How does the payload get executed on a windows machine?
It's fairly clear that the dev somehow got malware files packed up in their iphone app package by accident, possibly because of an infected machine somewhere in the workflow. (Like developing content/art/etc on a windows computer)

Judging by the app name alone, it's probably psudo-spam useless shovelware developed by outsourced programmers. The sort of place where I'd expect to see low quality development/qa that would lead to this.

But really, can you fault apple for not catching windows malware on a non-x86, non-windows platform? Why would that even be on their radar?

Re:Non-story

[Applekid]

It's not clear how this even an infection vector for windows computers. How does the payload get executed on a windows machine?

Maybe that's phase 2.

Either way, I don't know why iOS applications are allowed to distribute windows executable files. While iOS malware is definitely Apple's fault when it happens, I guess you can't really argue that Windows malware is a problem if nothing tries to execute them, and execute them as Administrator after all.

More worrying is what ELSE is lurking in these packages that isn't inspected? What if someone is sneaking child porn in the .ipa that isn't accessed by the app proper? Kind of like how they [used to?] sell tiny plastic roses in little glass vials but the true intention is selling the glass vial as a crack pipe. There could be publishers selling stupid apps that those in-the-know are aware of the true contents.

Re:Non-story

[gnasher719]

Either way, I don't know why iOS applications are allowed to distribute windows executable files. While iOS malware is definitely Apple's fault when it happens, I guess you can't really argue that Windows malware is a problem if nothing tries to execute them, and execute them as Administrator after all.

There is probably just nothing that checks for this kind of nonsense. This is not a threat, just a big WTF.

Re:Non-story

[Mister+Whirly]

Lots of people using PCs and iTunes own Apple iPods. It would be fairly trivial to spread from an iPod connected to a PC to the PC itself. This is not an accident.

Re:Non-story

[EGSonikku]

No, it wouldn't be trivial. The end user would have to decompress the .ipa file manually on a PC, manually browse a few directories deep, and manually open the .exe.

There is no way for this malware to run itself at all, and a user would have to be intentionally TRYING to infect themselves for it to even run.

Re:Non-story

[EGSonikku]

Sigh, it is secure, or at least this "issue" doesn't show that it isn't secure. Even on a Windows PC, this app cannot infect you through iTunes. The ONLY WAY it can infect the user would be for the user to manually extract the contents of the .IPA (iPhone app), then dig through a bunch of folders, and then try to open the executable (and ignore warnings from Windows not to do so).

There is no way aside from that for this malware to install, infect, or spread.

...might affect Windows iTunes users?

[Anubis+IV]

The only way it might affect them is If they decide that they want to unpackage the app's .ipa package file, extract the two virus files, and then execute them, which only iOS developers and malware researchers might have a valid reason for actually doing. As they're currently packaged, however, they're entirely inert. They weren't even being flagged by Sophos and some of the other AV software out there because of how they were packaged and the fact that there was no way for them to execute.

This is a case of two inert files being accidentally bundled in an app package, which is a bit of a non-story, aside from the humorous aspect of it.

Re:...might affect Windows iTunes users?

[gl4ss]

it's possible that it's an attack on crackers. though you'd think that most of those fooling around with ios app decompilation would run osx...

Re:...might affect Windows iTunes users?

[EGSonikku]

Well, that's a bit complicated of a theory, not to mention there'd be zillions of easier ways to infect a PC. This is ignoring the fact that according to the apps reviews the app worked fine and wasn't 'throwing out errors'. It's a complete non-issue. Leave the tinfoil hat at home on this one.

Re:...might affect Windows iTunes users?

[Anubis+IV]

As I said, the files are inert, so they're not causing errors. Even if the developer inserted an error for malicious reasons, there are easier ways to get malware installed on people's systems. For instance, post a download that will "fix" the problem on your website, then point users to it. Either way, as soon as Apple becomes aware of what's happening, they'll take the app down, which is exactly what happened here already, and the malware gets instantly identified by most AV software once it's removed from the package, so that's a non-starter as well.

Re:...might affect Windows iTunes users?

[Anubis+IV]

Easy fix: use Gatekeeper, which will immediately disable any intruding apps that aren't recognized. After that, set up FaceTime to recognize any faces of known people and flag those who are unknown. The Dashboard can then chase them down, apprehend them using Stickies, and keep them locked up in the FileVault (assuming you have version 2).

Also, a moat filled with piranhas helps.

So to get infected..

[z4ce]

You must extract an IAP file for no reason at all, locate two windows binaries, and execute them... hmm.. sounds like a non-story to me.

What's with /.'s formatting?

[cpu6502]

I have both Lowbandwidth and Simple Design checked but it's still feeding me a complicated front page.

My Mac Sucks

I don't want to start a holy war here, but what is the deal with you Mac fanatics? I've been sitting here at my freelance gig in front of a Mac (a 8600/300 w/64 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this Mac, the same operation would take about 2 minutes. If that.

In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even BBEdit Lite is straining to keep up as I type this.

I won't bore you with the laundry list of other problems that I've encountered while working on various Macs, but suffice it to say there have been many, not the least of which is I've never seen a Mac that has run faster than its Wintel counterpart, despite the Macs' faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that the Macintosh is a superior machine.

Mac addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Mac over other faster, cheaper, more stable systems.

Re:My Mac Sucks

[Concerned+Onlooker]

The 1990s just called. They want their post back.

Re:My Mac Sucks

Whooooooooosh!

Re:My Mac Sucks

[drksolwiz]

modern Macs running on completely different hardware on a completely rewritten from scratch OS

I wouldn't call mirroring BSD Linux "from scratch"...

Re:My Mac Sucks

[Anubis+IV]

If only Apple hadn't been sitting on their hands for the last 15 years they might have actually made some improvements to the OS, the hardware, the design, their support, their included software, and their consistency since then. They may have even abandoned a slower hardware architecture in favor of a better one.

Ah, if only.

Re:My Mac Sucks

[EGSonikku]

When I say from scratch, I mean "nothing in common code wise from OS9". It'd be like comparing Win 3.1 codebase to Windows 8.

Re:My Mac Sucks

[EGSonikku]

I admit my error in phrasing that had nothing to do with the point being made.

Re:My Mac Sucks

[gl4ss]

i'd say it's an old copy-paste troll.

however, modern macs are pretty much in the "use it for a year and do a reinstall" territory because they do slow down(not sure why? spotlight db getting bloated? fs getting fragmented? don't know but it's affecting a lot of people..).

Re:My Mac Sucks

[sootman]

That's a well-know old comment that has been posted many times over the years.
  Half a million matches on Google.
  20 on Slashdot alone.
... and many more that didn't get modded up enough for Google to see, or didn't use that exact whole line. It has also been parodied a lot.

Re:My Mac Sucks

[Tarlus]

I don't want to start a holy war here, but here are four paragraphs of flamebait which don't really pertain to the subject of the news post.

Re:My Mac Sucks

[operagost]

That blog reads like Andy Rooney's would if he became a web designer in 1998.

Re:My Mac Sucks

[ZigMonty]

BSD Linux? Obvious troll is obvious.

Re:This is becoming a trend

[rherbert]

Getting an honorary doctorate doesn't mean that people should call him Dr. Jobs.

Slightly overblown issue?

[EGSonikku]

From the sound of things this doesn't seem like an intentional attempt to infect users co punters via the App Store.

The iOS app itself is NOT malware, and works as its supposed to. The malware is for Win32, and can do nothing on an iOS device, or a Mac, is located deep inside the .app folder directory, and has no way of launching itself. The only way for it to spread, or even run at all would be:

Windows user browses to the iTunes backup folder
For no particular reason at all decides to extract the contents of the .app file
Decides to dig down a few directoies inside of that
Out of boredom decides to run the the infected .exe.

Rather than an intentional attempt to sneak Malware onto the App Store, it sounds more likely to me that the developer of the app was infected themselves, and unknowingly packaged it in the iOS app. Granted, Apple should be doing a virus scan before approving an App, but this malware is DOA barring the extremely unlikely scenario a user would have to do that I listed above for any chance of infection.

Re:Slightly overblown issue?

[robbo]

Suppose an attacker knows the user has this app installed and can induce them to click a link like "file://{path}/malware.exe", either through ITMS or in some other browsing context... the malware is no longer inert.

Re:Slightly overblown issue?

[Calibax]

Why exactly should Apple be doing a security scan for non-Apple malware? If the various app stores are responsible for checking for non-executable viruses on all platforms then Google Play should be looking for malware applicable to Windows, Apple or Linux. And by this logic the Windows store (when it appears) should be checking for malware on all platforms also.

It's hard enough to stay on top of malware for your own platform, why should vendors be on top of malware aimed at other platforms? Especially as the malware files would never be executed on those platforms as they are inside non-executable containers, and the OS would have no reason to look inside those containers.

Re:Slightly overblown issue?

[Anubis+IV]

Except that the file isn't navigable via a path like that, since the app's package is compressed. You'd need to extract the files before you could access them like that.

Re:Slightly overblown issue?

[Anubis+IV]

While I agree with you to some extent, I don't think that making a best effort to be a good neighbor is a bad idea. It's simple to check, and even if you don't have 100% accuracy, the worst you're doing is setting yourself up as a carrier of inert files. Granted, that's not very neighborly, but it's not the end of the world either, except for PR reasons.

Re:Slightly overblown issue?

[EGSonikku]

Not possible. For one, it's inside of an .IPA file, so the user would have to decide to manually extract the files, THEN run "file://{path}/malware.exe". At which point Windows would ask if you know WTF you are doing, and even saying yes at that point, an up to date Windows Defender would kill it.

Re:Slightly overblown issue?

[Aryeh+Goretsky]

Hello,

Some operating system and application developers--and online stores--scan all files with a battery of anti-malware programs before releasing them. This allows them not just to check for malicious code embedded in those files, but to avoid reports of a false positive detections on files they are going to distribute before they are released.

Many anti-malware programs are available on multiple platforms (Windows, OS X, Linux, BSD, Solaris, and so forth) and their databases are cross platform as well, e.g., the Windows version will detect malicious software not just for Windows, but for the other platforms, including mobile ones like WinCE, Symbian and Android.

Typically, the only time you limit detection to a specific platform is for mobile versions of an anti-malware product. Those devices are storage and memory constrained, so it makes more sense to just look for the threats which either (1) target that particular platform; or (2) are cross-platform and capable of affecting the mobile device (J2ME comes to mind). This would not be an issue when using the desktop or server version of an anti-malware program.

In this case, it sounds like Apple is either not pre-scanning submitted files for malicious code, or they are not using enough different anti-malware scanners to catch this. Depending upon the number of customers, potential for brand damage and even possibly the costs of legal action resulting from even accidentally distributing malware in your software (or through your online store) it makes sense to use a dozen or two anti-malware programs to check things--or even more as the situation warrants. Simply scanning with just a few programs, even five or six, isn't going to cut it, especially if one of those products is an OEM'd version of another you already use, as it's just going to report the same things as the product it's derived from.

Regards,

Aryeh Goretsky

Re:Yes. Rev. Dr. Jobs.

[Concerned+Onlooker]

Don't be so humble. You're not that great.

Re:Apple probably wrote it...

MS Office runs just fine on my Mac. Which version are you using?

A whole lot of retardness

[TheSkepticalOptimist]

How does Windows malware get into an iOS app package? You can generally only develop iOS apps on OS X, so someone either purposely put it there, or has some retarded app development setup that managed to suck a windows virus into an iOS package..

Then it got deployed by Apple.

Then in order for it to infect a target PC, you got to screw around with the iOS package file on WIndows and then purposely run content (and ignore ALL the Windows warnings). Also the malware is generally already covered by most Windows anti-virus, so it would only be deployed if you didn't have anything installed, or not up-to-date in the last few years.

So I consider this an epic fail for all involved, Apple, Microsoft, the developer, the hacker, and anyone this infects because they are all being retarded.

Re:A whole lot of retardness

[toriver]

You could intentionally add a .exe file as a resource to your Foo project, it would get included in the resulting Foo.ipa archive, but to actually run it would have to be extracted from it, which would largely be pointless to do - except if a recipient is a mischievous "asset borrower" who wants to use your game's fancy sprites in his game.

Re:Seems like a pretty solid distribution model

[EGSonikku]

It's literally impossible for what you describe to work. iTunes can't be made to decompress a purchased ipa file and randomly run a windows executable in a random folder. If you knew anything about how .ipa's, iTunes, or had bothered to read and understand the article you'd know the only way for this malware to do anything would be for a windows user to follow a specific (and unlikely as hell) set of steps and intentionally infect themselves.

Re:Sounds a bit like flash of MS to me

[EGSonikku]

No, it's a "You didn't read or understand the article" distortion field.

No story here, right Apple?

[bbbaldie]

Affects Windows. And we care why...?

overblown issue or not?

[dhomstad]

So it seems everyone is not too concerned about the ability to bring malware unscathed through Apple app store? I understand the malware was a windows virus was packaged up quite well in the app, and dormant unless unpackaged and executables were ran. However, wouldn't it be possible to offer an update to the app that, if connected to a windows computer, unpacks and maybe even attempts to execute? If not through an update, perhaps offer a different app that performs the functionality? I realize these questions are far out there, but to me, passing malware through the screening process should be the hard part.

Re:overblown issue or not?

[EGSonikku]

No, because the app, and any update done to it are still iOS apps. They run on your iPhone, iPod, or iPad. There is no way for them to run code on a Windows PC to extract files from itself and run the malware.

hmph

[CosaNostra+Pizza+Inc]

Gee, I thought Apple's walled-garden approach was supposed to be really secure. I've seen a lot of Apple fanboys on slashdot recently mocking the Android model? Where are they now?

Re:hmph

[EGSonikku]

I'm right here, and if you'd read the article you'd know this is a complete non-issue. I'd explain why yet again, but instead I'll tell you to see my previous explanation in these comments, or many others explanations, or advise you to read the article.

Re:hmph

[devleopard]

You don't have to be an "Apple fanboy"; you only need to be a competent Slashdot user. A quick search on Slashdot shows dozens of articles about Android malware, dating back to March 2010. iOS is up to 2, both of which are recent.

Re:hmph

[CosaNostra+Pizza+Inc]

In grad school. I did a research paper comparing security between Android and IOS. I cited white papers for my information. There have been plenty of vulnerabilities in IOS and those are only the ones we've heard about. Apple's approach allows them to be secretive about security holes and fix them quietly...should they choose to do so. One of the big reason you hear so much about Android flaws is because the public community finds the flaws and naturally, makes the news public. While to the uninformed this appears to hurt Android's reputation, it actually allows for quick, practical solutions to security holes from the vast collective of the Android programming community (of which I'm a member). Whereas with IOS, you have a small collection of paid programmers searching for issues and fixing them, depending on severity of the issue, public awareness of the issue, and available resources at Apple to do the job.

Name of the app

[hey+hey+hey]

Oddly missing from the summary, the name of the infected App: "Instaquotes Quotes Cards for Instagram"

Not really fair..

[anomaly256]

Did anyone else stop and think 'That's not really fair, Mountain Lion isn't THAT bad' when they read the headline?