Apple’s operating system and software architecture have long had a reputation for security, thanks in part to Apple’s review of submitted applications to check that they are not malicious. In general, users who download apps through the App Store rarely encounter malware, but malware developers will of course look for ways to get past Apple’s detection. For example, researchers from Wandera’s threat research team, while analysing applications in the App Store, found 17 malicious apps submitted by the same developer.
The group of 17 infected apps spans an assorted set of categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio – Internet Radio
- My Train Info – IRCTC & PNR (not listed under developer profile)
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019
- Restaurant Finder – Find Food
- BMI Calculator – BMR Calc
- Dual Accounts
- Video Editor – Mute Video
- Islamic World – Qibla
- Smart Video Compressor
The researchers conducted targeted analysis and found that these applications are mainly engaged in advertising fraud; strictly speaking, they do not directly harm users in the way that, for example, data theft would. In this kind of advertising fraud, a built-in malicious module simulates user interaction to click on advertisements, and the developer uses this strategy to earn high advertising fees. For users, these apps keep running in the background (which requires the user to allow background execution), and the simulated ad clicks consume device battery and network traffic. In addition, if a user installs several of the malicious apps from this developer, they may consume even more hardware resources and cause the device to crash.
This case also shows that Apple’s application review has some shortcomings, mainly because malicious developers look for weaknesses in Apple’s review process. For example, the applications themselves contain no malicious code, so Apple has no reason to reject them from the store. Once the user installs an app, it communicates with a remote server to obtain instructions, and then acts on the instructions the remote server issues, such as collecting device information, fetching advertisements, and then simulating the user clicking on them. For application behaviour driven by instructions fetched from a remote server, Apple cannot completely restrict a developer’s use of a server. Apple does admit that there were deficiencies in this case, however, and says it is evaluating its review mechanism so that the potentially malicious behaviour of such modules can be detected.
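Since the malicious behaviour only appears at run time, from a defender's side the two observable traits described above (regular background polling of an instruction server and a burst of background requests to ad-serving hosts) can be looked for in per-app network telemetry. The following is an added example, not code from the article or from Wandera: it assumes a constructed telemetry format (one line per outbound request: timestamp, bundle id, destination host, foreground/background state), constructed host names, and threshold values chosen for illustration, none of which come from the page.

```python
"""
Heuristic detector for clicker-style app behaviour in per-app network telemetry.

Added example; the telemetry format, host names and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed list of hosts treated as ad-serving for this example.
AD_HOSTS = {"ads.example-network.test", "click.example-network.test"}

# Constructed sample telemetry: "timestamp_seconds,bundle_id,host,app_state".
SAMPLE_TELEMETRY = ["# ts,app,host,state"]
# Suspicious app: polls one host every 60 s while backgrounded, then fires ad requests.
for i in range(6):
    SAMPLE_TELEMETRY.append(f"{1000 + 60 * i},com.example.clicker,cmd.example-c2.test,background")
for i in range(12):
    SAMPLE_TELEMETRY.append(f"{1005 + 30 * i},com.example.clicker,click.example-network.test,background")
# Benign app: irregular foreground API calls and a single background refresh.
for ts in (1000, 1017, 1090, 1400, 2100):
    SAMPLE_TELEMETRY.append(f"{ts},com.example.weather,api.example-weather.test,foreground")
SAMPLE_TELEMETRY.append("3000,com.example.weather,api.example-weather.test,background")


def parse_records(lines):
    """Parse telemetry lines into (timestamp, app, host, is_background) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, app, host, state = line.split(",")
        records.append((int(ts), app, host, state == "background"))
    return records


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between requests.

    A value near 0 means near-constant spacing, i.e. timer-driven polling.
    Returns None when there are too few requests to judge.
    """
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def analyse(records, min_bg_ad=10, max_cv=0.2):
    """Flag apps that fire many background ad requests or poll one non-ad host on a fixed interval."""
    per_app = defaultdict(list)
    for ts, app, host, bg in records:
        per_app[app].append((ts, host, bg))

    findings = {}
    for app, reqs in per_app.items():
        bg_reqs = [r for r in reqs if r[2]]
        bg_ad = sum(1 for _, host, _ in bg_reqs if host in AD_HOSTS)

        # Group background requests to non-ad hosts so each host's cadence can be checked.
        by_host = defaultdict(list)
        for ts, host, _ in bg_reqs:
            if host not in AD_HOSTS:
                by_host[host].append(ts)
        beacon_hosts = []
        for host, stamps in by_host.items():
            cv = beacon_regularity(sorted(stamps))
            if cv is not None and cv <= max_cv:
                beacon_hosts.append(host)

        reasons = []
        if bg_ad >= min_bg_ad:
            reasons.append(f"{bg_ad} background ad requests")
        if beacon_hosts:
            reasons.append("regular background polling of " + ", ".join(sorted(beacon_hosts)))
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in analyse(parse_records(SAMPLE_TELEMETRY)).items():
        print(app, "->", "; ".join(reasons))
```

Run on the constructed sample, the detector flags `com.example.clicker` for both traits and leaves the weather app alone. The thresholds are deliberately simple; in practice they would be tuned per fleet, and a match is a prompt for closer inspection of the app rather than a verdict on its own.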