Security researchers discovered 17 malicious iPhone apps that managed to get through Apple's review process and land on the App Store. The apps, which have since been removed, carried clicker trojan malware "designed to carry out ad fraud related tasks in the background," such as clicking on links and continuously opening webpages.
"The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network," researchers at security firm Wandera state in a blog post.
All of the apps came from the same developer, though they covered a wide range of uses, including a file manager, a GPS speedometer, a fitness app with yoga poses, and a restaurant finder, to name just a few. Here is the full list of the 17 infected apps:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio – Internet Radio
- My Train Info – IRCTC & PNR (not listed under developer profile)
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019
- Restaurant Finder – Find Food
- BMI Calculator – BMR Calc
- Dual Accounts
- Video Editor – Mute Video
- Islamic World – Qibla
- Smart Video Compressor
The apps appear to have passed Apple's review because the app binaries themselves contained no obviously malicious code. The fraudulent behavior was instead driven at runtime: the apps communicated with a command and control (C&C) server "using a strong encryption cipher," and the server instructed them which fraudulent actions to carry out. Because the instructions arrived only after installation, and over an encrypted channel, the reviewer never saw them.
"Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app," Wandera said.
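Since the C&C traffic is encrypted, a defender inspecting device traffic cannot read the commands; what a proxy or MDM gateway can still see is the shape of the traffic. The following is an added example, not code from Wandera or from the article, showing one heuristic a practitioner could run over per-app proxy logs: flag an app that beacons to a single host at a fixed period while in the background and, at the same time, fans out to many unrelated hosts (the "clicking on links and continuously opening webpages" behavior described above). The log format, bundle identifiers, hostnames and thresholds are all constructed for the demonstration; none come from the real apps.

```python
"""Heuristic detection of clicker-trojan style traffic in per-app proxy logs.

Added example. The log format (ISO timestamp, bundle id, foreground/background
state, URL), the app and host names and the thresholds are all assumptions
chosen for illustration; they are not Wandera's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit


def build_sample_log():
    """Constructed sample proxy log (not real traffic from the apps in the article)."""
    base = datetime(2019, 10, 24, 10, 0, 0)
    lines = []
    # Benign: a weather app fetching its own API a few times while in the foreground.
    for offset in (0, 95, 400, 1300):
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()}Z com.example.weather foreground https://api.weather.example/v1/now")
    # Suspect: a fixed 30 s beacon to one host, each followed by a load of a
    # different ad host, all while the app is in the background.
    for i in range(12):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()}Z com.example.speedometer background https://c2.example/task")
        t_ad = t + timedelta(seconds=3)
        lines.append(f"{t_ad.isoformat()}Z com.example.speedometer background https://ad{i}.example/click?cid={i}")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, bundle id, app state, hostname)."""
    ts, bundle, state, url = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), bundle, state, urlsplit(url).hostname


def interval_jitter(times):
    """Coefficient of variation of the gaps between requests to one host.

    A value near 0 means a fixed-period beacon; human-driven traffic is far
    more irregular. Returns None when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_suspects(lines, min_beacon_hits=8, max_jitter=0.2, min_fanout=8):
    """Return {bundle_id: details} for apps whose background traffic looks like a clicker.

    An app is flagged only when BOTH signals are present: at least one host
    contacted >= min_beacon_hits times at a regular period (jitter <= max_jitter),
    and background requests to at least min_fanout distinct hosts overall.
    Thresholds are illustrative and would be tuned per environment.
    """
    # bundle id -> host -> list of background request timestamps
    by_app = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts, bundle, state, host = parse_line(line)
        if state == "background":
            by_app[bundle][host].append(ts)

    suspects = {}
    for app, hosts in by_app.items():
        beacons = []
        for host, times in hosts.items():
            times.sort()
            jitter = interval_jitter(times)
            if len(times) >= min_beacon_hits and jitter is not None and jitter <= max_jitter:
                beacons.append(host)
        fanout = len(hosts)
        if beacons and fanout >= min_fanout:
            suspects[app] = {"beacon_hosts": sorted(beacons), "background_hosts": fanout}
    return suspects


if __name__ == "__main__":
    for app, details in find_suspects(build_sample_log()).items():
        print(f"{app}: beacons to {details['beacon_hosts']}, "
              f"{details['background_hosts']} distinct background hosts")
```

Requiring both signals keeps the false-positive rate down: a legitimate app may poll one API on a timer (a beacon with no fan-out), and a browser may touch dozens of hosts (fan-out with no fixed-period beacon), but an ad-fraud clicker tends to show both at once, and it does so while the user is not looking at the app.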
Fortunately, Apple has removed the infected applications from the App Store, and multiple outlets report that Apple says it is taking further measures to prevent this sort of thing in the future.