Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully escaping from the company’s app review process.
The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer.
The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.
The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by increasing website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery drain.
Wandera said the malware iPhone apps escaped Apple’s review process because the malicious logic was not contained in the app binary itself; instead, the apps fetched instructions on what to do from a remote server at runtime.
The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app that can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.
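Because the malicious behaviour described above lives on the server side rather than in the app binary, static review of the app is not where it shows up; it shows up in the device's network behaviour. The following is an added illustration, not code from the article or from Wandera, of how a defender with per-app network telemetry (for example from an MDM agent or an on-device proxy) could surface the two traits the article describes: regular contact with a known C&C host, and a high volume of web requests made with no user interaction. The log format, the app names, the host names and the watchlist entry are all constructed placeholders for the example; the C&C host in particular is not a real indicator from the article.

```python
"""
Added example (not from the article or from Wandera): a small detector for
clicker-trojan-like behaviour in per-app network telemetry.

Assumptions (hypothetical, for illustration only):
  * telemetry is one event per line: "<epoch>,<app>,<source>,<host>", where
    <source> is "user" (request followed a user interaction) or
    "background" (no interaction in the preceding window);
  * a watchlist of known C&C hosts exists; the entry below is a placeholder,
    not a real indicator.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder watchlist entry (constructed, not a real C&C host).
CNC_WATCHLIST = {"cnc.example-placeholder.invalid"}

# Constructed sample telemetry: a benign radio app, and a "clicker" app that
# beacons to the placeholder C&C host every 30 s and loads ad pages with no
# user interaction in between.
SAMPLE_LOG = """\
1000,RadioApp,user,stream.example.net
1003,RadioApp,user,stream.example.net
1000,SpeedometerApp,background,cnc.example-placeholder.invalid
1001,SpeedometerApp,background,ads.example.org
1002,SpeedometerApp,background,ads.example.org
1030,SpeedometerApp,background,cnc.example-placeholder.invalid
1031,SpeedometerApp,background,ads.example.org
1060,SpeedometerApp,background,cnc.example-placeholder.invalid
1061,SpeedometerApp,background,ads.example.org
1090,SpeedometerApp,background,cnc.example-placeholder.invalid
1200,RadioApp,background,stream.example.net
"""


def parse_log(text):
    """Parse the constructed CSV telemetry into (epoch, app, source, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, source, host = line.split(",")
        events.append((int(ts), app, source, host))
    return events


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between requests to one host.
    Values near 0 mean clockwork beaconing; None if fewer than three requests."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def analyse(events, bg_ratio_threshold=0.8, cv_threshold=0.2, min_requests=5):
    """Return {app: [reasons]} for apps that contact a watchlisted host, make
    mostly background requests, or beacon to one host at a fixed interval."""
    per_app = defaultdict(lambda: {"total": 0, "background": 0, "hosts": defaultdict(list)})
    for ts, app, source, host in events:
        rec = per_app[app]
        rec["total"] += 1
        if source == "background":
            rec["background"] += 1
        rec["hosts"][host].append(ts)

    findings = {}
    for app, rec in per_app.items():
        reasons = []
        watched = sorted(set(rec["hosts"]) & CNC_WATCHLIST)
        if watched:
            reasons.append(f"contacts watchlisted host {watched[0]}")
        ratio = rec["background"] / rec["total"]
        if rec["total"] >= min_requests and ratio >= bg_ratio_threshold:
            reasons.append(f"{ratio:.0%} of requests made without user interaction")
        for host, stamps in rec["hosts"].items():
            cv = beacon_regularity(stamps)
            if cv is not None and cv <= cv_threshold:
                reasons.append(f"regular beaconing to {host} (cv={cv:.2f})")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(app)
        for r in reasons:
            print("  -", r)
```

The watchlist check only catches infrastructure that is already known; the two behavioural checks (background-request ratio and beacon regularity) are what catch an app whose server has not been seen before, which is the situation the article describes. Thresholds are starting points, not tuned values, and a benign background app such as a podcast downloader will need an allowlist to avoid false positives.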
Apple says it is improving its app review process to detect this approach.
The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm.
Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details.
In one case, users had been fraudulently subscribed to expensive content services after installing an infected app.
The apps were all from AppAspect Technologies.