First iOS Malware Discovered In Apple's App Store 171
New submitter DavidGilbert99 writes "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store. While Android is well known for malware, Apple has prided itself on being free from malicious apps ... until now. The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."
First *malware* perhaps (Score:5, Interesting)
...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.
Re:First *malware* perhaps (Score:4, Insightful)
...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.
A tethering app is malware... but only according to Apple.
For their users, it's an extremely useful piece of software.
Re: (Score:2)
a tethering app is malware to verizon too, since you need to pay to use the official tethering solution. which is called mobile hotspot.
Re: (Score:2)
Re: (Score:2)
3rd there was also a sega app ages ago that was stealing voucher and cc funds.
Re:First *malware* perhaps (Score:5, Interesting)
With users relying entirely on the app store's curation process for security and a relatively low interest from the computer security community on the platform, I'd bet there are a lot of apps doing shady stuff with iOS users' personal data right now.
Re:First *malware* perhaps (Score:5, Informative)
Addendum: Looks like I'm right:
http://apple.slashdot.org/comments.pl?sid=2959773&cid=40554831 [slashdot.org]
Re:First *malware* perhaps (Score:4, Funny)
Addendum: Looks like I'm right:
http://apple.slashdot.org/comments.pl?sid=2959773&cid=40554831 [slashdot.org]
You misunderstand. Apple tells users that this sharing of data is a feature, so it's not malware.
Re: (Score:2)
With users relying entirely on the app store's curation process for security and a relatively low interest from the computer security community on the platform, I'd bet there are a lot of apps doing shady stuff with iOS users' personal data right now.
While this may be true, this absolutely does not excuse Apple's actions (or lack thereof) to properly scrutinize apps in their own store.
Sorry, but when I read the words "steals your contact data and uploads it to a remote server before sending spam SMS messages", I have little reason to excuse someone at Apple for not using something as simple as a fucking network analyzer to discover this way before it went public. They are certainly in no mad rush to approve submissions.
Re: (Score:2)
At least Android tells me what an application tries to do, so I decide not to install it.
And this is why I bought Permissions Pro. It enables me to lock permissions for programs that read "phone state" ect. And interestingly my battery consumption is much better for it, 1 day 20 hours with 48% remaining on my Galaxy S2.
Re: (Score:2)
Oh please, Android has had built-in controls for application data access better than iOS6's for ages, and with the ability to sideload you don't have to mod the phone significantly to add security tools to it, of which there are many. And of course without the need to register with the manufacturer and pay a $100 yearly subscription to distribute apps to up to 100 of your friends (no limit on Android), there will be more malware. Crushing authoritarianism reduces crime, I won't argue with that.
Re:First *malware* perhaps (Score:5, Informative)
Re:First *malware* perhaps (Score:4, Interesting)
This isn't even the first time they've found it... functionally, the app does nothing that the Facebook app doesn't do, except for forge your SMS credentials. I doubt Apple's going to be pulling the Facebook integration from iOS 6 though....
Re: (Score:2)
hmm same day that microsoft announced an android botnet no less. Guess it means if you want to be secure with your mobile phone you need to be using windows mobile 7... or 8 or something.
Or perhaps it's time to dump on the two main mobile o's in an effort to market windows phone.
Re: (Score:2)
the problem here is simple, bots do a lot of things for us. people using closed source have no idea that they can not even open a single app, without invoking a bot of some form. botnets get labled as bad things, funny but by people who don't understand the fundamental nature of bots, limitations of computers, etc. it is very simple, those who don't understand this get mislead. if you disabled every bot there might not even be a working computer to understand and explain things. if you pay close attention t
Are you sure? (Score:5, Funny)
The app steals your contact data and uploads it to a remote server
So it's just iCloud?
Re:Are you sure? (Score:4, Informative)
sucks to be the 5 people to use this app (Score:5, Funny)
i might download it just to give it some ranking in the top free apps
otherwise it will be lost in the ocean of apps
Re: (Score:2)
The App's in Russian -- there's likely very few users (other than security researchers) outside of iTunes Russia who've downloaded it (until now).
Re: (Score:2, Funny)
Re:Trouble in paradise (Score:4, Insightful)
Well it was sneaky the way it got threw. In general what the App does in its description required it to pull all this data off your phone. Then it needed to send the data to the cloud to match the correct name to get their phone number. Thus, it seemed to do what it says with a normal code review.
Re: (Score:2)
The garden walls have been breached! Oh noes!
Don't worry, a fleet of drones disguised as Angry Birds are closing in on the miscreant developer. Perhaps you'd like to buy an app that controls them?
Re: (Score:2)
A few people might even go for an app to control / patrol U.S. borders. It'd be an unusual way to avoid paying some salaries. Best not to give them missiles though!
Who knows, maybe even the Incredible Hulk would go for that. I was a little surprised when I saw that he (the actor) signed up as a reserve deputy on the central California coast. The article noted he was also one in Santa Monica near Los Angeles. Then a peek at the wikipedia showed this:
"In November 2010, Ferrigno was sworn in as a member o
Re: (Score:3, Insightful)
Re: (Score:2)
Perhaps, but the time it takes to read this article someone from google / OSS community will actually fix the problem.
Meanwhile, Apple first has to deny there is a problem, wait until people / media outlets nag them about the problem, then they'll attempt to release a fix that doesn't work, eventually tying it into an os release which requires the users to redownload iTunes, QuickTime and a iOS image that only a small number of the Apple market bother doing.
No doubt... (Score:4, Insightful)
Some will say that the Apple App Store is "no longer secure." This is ridiculous. It took 5 years for the first malware to show up...that's pretty damned good. Nothing is impermeable, after all. But the real value is that the malware can easily be removed...and its source eradicated. So it's not only about keeping malware out via the App Store, but also in having a swift and flexible response option for just this sort of occasion. Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.
Re:No doubt... (Score:4, Insightful)
Re: (Score:2)
Think again.
"The first Malware found in the App Store". There can be any number of other malware apps in the App Store that just have not been found/ recognized yet.
Re: (Score:1)
iOS would still be more secure if they applied the same options they do for location services to other sensitive functionality. That is let the user enable/disable it for specific apps.
Re: (Score:2)
They are starting to do this with iOS 6. I have they beta on my device and anytime an app wants access to your contacts, calendar information, reminders, and/or photos the OS asks the user if it's okay for the app to access such things.
Re: (Score:3)
They are starting to do this with iOS 6. I have they beta on my device and anytime an app wants access to your contacts, calendar information, reminders, and/or photos the OS asks the user if it's okay for the app to access such things.
In other words... Windows UAC.
Re: (Score:3)
Kind of. It's a one-time request per App you install. It's more like Facebook's system of a user authorizing a Facebook app to access their data. The first time an App requests a particular type of data, UI from facebook pops up and says "here is what the app is requesting, do you want to allow it?"
The way it works on iOS 6 is similar. The first time an App wants to access a protected type of data from the phone, UI from iOS pops up and asks if it's okay. It happens the first time and once you give per
Re: (Score:3)
So they finally caught up to Symbian? That's nice.
Re: (Score:2)
Doesn't BlackberryOS do this? Apple really should take a page from that PlayBook and have permissions for apps accessing the phone or text items, contacts, music, and photos. It wouldn't add that much clutter, and it would add a lot of protection.
On the cheap, maybe Apple should see about licensing the Cydia app Protect My Privacy and building that into the OS. That way, if an app does go and access stuff it shouldn't, it will get results, although it will just get a random UDID and garbage in the fields
Re: (Score:3, Informative)
Once malware gets rooted out and Apple slams the banhammer down, it is a lot harder for a shady developer to get around closed accounts than on the Google Marketplace. This by itself keeps the bad guys on notice.
That is the main security mechanism of iOS which keeps the bad stuff at bay: As soon as Apple gets wind of something malicious or violating the rules, it gets tossed out immediately. The same action doesn't get repeated.
Now, once an app does get past the gatekeeper, it has a lot of room to play b
Re:No doubt... (Score:4, Interesting)
What stops that dev from spending another $99 on another dev account?
Not that hard or expensive to kill your old corporation, start another and get a new AMEX.
Re: (Score:2)
What stops that dev from spending another $99 on another dev account?
Not that hard or expensive to kill your old corporation, start another and get a new AMEX.
Apple will just write a GUI in Visual Basic and track their IP address.
Re:No doubt... (Score:4, Insightful)
One answer would likely be tiers:
The first tier would be actively approved apps.
Then, if the user so chooses to set foot into Mordor, there can be a tier of apps that are downloadable almost immediately, and pulled if people justifiably report it as malicious.
This type of system has worked on jailbroken phones, where the App store serves one tier, and Cydia serves another. Since it takes a little bit of effort to JB an iPhone, generally someone is clued enough to be able to watch out for Trojans.
What this is protecting against, is arguably the biggest security hole of all; the user. Most smartphone users are not anywhere as savvy as a /. reader. The casual user will see an app that might offer "cool smilies", install it by reflex, and go on their merry way. On iOS, the damage a user can do is limited [1]. On Android, it is fairly easy to find apps that are malicious, and where a competent person would not install a fleshlight app that asks for full phone, GPS, contact, photos, and filesystem access (or even a prompt for a su), an inexperienced user will just click "install" nontheless, then scream that Android is insecure when they get bitten. iOS is designed to keep this from happening. Only beta code, Cydia apps, and enterprise apps are not coming through Apple's gateway. It is almost certain that the worst an iOS app can do is lighten the user's pocketbook due to its cost, or the cost of in-app transactions.
This isn't exactly the "dancing bunnies" security hole, but protecting the ignorant user from themselves is the difference between a platform having a rep as secure versus easily compromised.
I like both worlds. Have some barrier so a user doesn't exit the managed tier without a deliberate decision, then if they choose to, allow them to do what they want. This keeps the novices from footshooting while allowing people with a clue to use their device to the fullest.
[1]: Assuming the user doesn't JB, but generally if someone is clued enough to jailbreak, they will either know what they are doing, or end up having a clued friend DFU restoring their device and not do it again.
Re:No doubt... (Score:4, Funny)
...and where a competent person would not install a fleshlight app that asks for...
Freudian slip?
Re: (Score:2)
Then, if the user so chooses to set foot into Mordor, there can be a tier of apps that are downloadable almost immediately, and pulled if people justifiably report it as malicious.
That's called jailbreaking.
I didn't see Apple taking a strong stance against this.
They did say it was wrong and bad and talked a lot, but no real action was taken against jailbreaking.
Re: (Score:2)
Jailbreaking isn't really official, and it is becoming harder and harder for the Dev Teams to find a usable JB. For example, it took about two months for them to make jailbreakme.com when the iPhone 4 came out, then when the Greenpois0n exploit was found, that pretty much allowed any iPhone 4 (not 4s) to be jailbroken either tethered or semi-tethered. The 4s is a different beast altogether, and the gymnastics required to JB that device took a lot of effort.
It would be nice if Apple offered low level acces
Re: (Score:2)
Apple also has banned Pulitzer-prize winning artists from their store as well.
A decision that was reversed on its merits as noted here [nytimes.com]... and now you know the rest of the story.
Re: (Score:2)
Some will say that the Apple App Store is "no longer secure." This is ridiculous.
Um.. allowing people to install malicious software from a source deemed 'trustable' is actually a pretty big security hole. What's more is now you need to ask the question: "How do we know there aren't more and how can we prove it?".
Re:No doubt... (Score:5, Insightful)
Some will say that the Apple App Store is "no longer secure." This is ridiculous.
Right, it would be more accurate to say that it never really was "secure", it was just heavily audited. It shouldn't be a surprise to anyone that malicious apps will manage to sneak through the audits from time to time.
Re:No doubt... (Score:5, Insightful)
Some people tend to have an all-or-nothing nature, especially when it concerns something they go partisan over - like Apple.
I've easily had dozens of arguments over the years where I argued Apple was the more secure solution for the average user, people responded with pwn to own or some such, and if I argued further, they just labeled me as a "fanboi" as if that ended the argument even if I argued the Unix underpinnings. Nevermind that I use W7 and Ubuntu myself, or that it's my own personal experience having to play tech support to an entire tech-challenged family that's both hardworking and lucky enough to afford to have a choice. Sure, I could put them on OpenBSD or HardenedLinux, but the first obstacle they run into, they say "Why can't I do yadayadayada" they'll go and find a way to install Windows on it, which is perfectly fine by itself, and start downloading mouse icons that look like toy trojan horses and what not.
The mindset of Y turns out to not be perfect, so it's on the same level of X, must originate from politics because the whole feel of the debate seems political. It's a retarded mentality to have, akin to cheering for wrestlers and their bogus storylines. It's sad that it has crept into tech so pervasively and that's what the whole last decade felt like on any issue - stupid partisan cheerleading for one side or the other, or booing against one side or another.
The truth of a walled garden is that it's the most practical solution for most consumers, who really don't or can't police what they're doing. I wouldn't want to live in one exclusively, nor would most geeks, but that's why they're geeks, they go above and beyond the artificial constraints and don't need the protection.
Re:No doubt... (Score:5, Insightful)
it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.
Re:No doubt... (Score:5, Insightful)
it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.
Very true...but despite my best efforts to raise awareness, Facebook has yet to be classified as a very large botnet :)
Re:No doubt... (Score:5, Interesting)
It took 5 years for the first malware to show up.
Wrong! It took 5 years for the first malware to be identified and publicly acknowledged.
How many more exist secretly, awaiting a clever analyst?
Re: (Score:2)
Re: (Score:3)
Some will say that the Apple App Store is "no longer secure."
Who cares about the Apple App Store no longer being secure if the iPhone itself lost that claim long ago? You iPhone users are just playing with semantics here. If your iPhone can be compromised by just being directed at a web site (as it did a while ago), it really doesn't matter much if the App Store is secure or not.
Besides, I'm not even sure if the latter claim of the Apple App Store being secure is that true to begin with. Many iTunes users, including some app developers, have had their iTunes account
Re: (Score:2)
...Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.
Unless one finds that something like this could have been perhaps easily avoided by simply hooking up a network analyzer when scrutinizing this app prior to it being made public...
Good policies and procedures after the fact are critical, but it should not excuse or replace basic competence or common sense security practice at step 1.
App is/was also available for Android (Score:5, Informative)
So they targeted both groups.
Re: (Score:2)
This is true, but the summary is somewhat slanted to take an unnecessary pot shot at Android's security, perhaps to "lessen the blow"? Who knows.
The article I read elsewhere was much more informative without the grandstanding.
Not surprising... (Score:5, Informative)
One of my beefs about iOS is that even though it will ask the user if an app attempts to use the GPS or notification, there are plenty of juicy things that can be obtained and copied elsewhere. Photos are protected against being deleted, but they can be slurped up and copied off without the user knowing. Same with contacts and music.
I'm surprised this was caught. If a person jailbreaks their device and runs PMP (Protect My Privacy) and Firewall IP, they will see a lot of apps digging in places where they shouldn't be, and sending lots of data to sites that have zero relevance to the task at hand. One major news app connects to so many sites without DNS (just via IP addresses) that I ended up just blacklisting all but the few sites it gets news info.
I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.
Re:Not surprising... (Score:5, Insightful)
Yeah, this is fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, Photos, and after the fact you can see who requested it, who currently has access, and toggle them.
My only complaint is that the App Store doesn't give you this information before you download the app. Developers should have to declare that they want to access any of these things (and show ads, and have in-app purchases), and the App Store listing should contain the information about what the app is going to want to do before you buy it.
Re: (Score:2)
My only complaint is that the App Store doesn't give you this information before you download the app.
android has done with since it's inception, both for app store installed and side-loaded apps.
Re: (Score:2, Funny)
You're holding it wrong.
Re: (Score:2)
No, Apple's problem is he's holding the wrong one.
Re: (Score:2)
> fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, ...
I know this is flamebait - but hear me out.
There are many Apple fanbois out there effectively saying that Apple is justified in patenting the bleedingly obvious in its attempt to stifle competition and hurt society in general.
Should Google sue Apple's ass off for copying the prompting for confirmation of other information like Android has done for some time now?
I realize that Google is very unlikely to take Apple to court over something so bleedingly obvious - only an asshat of a company would do that...
So what do the Apple fanbois think? You're blind zealots and believe in suing for the most trivial of things... Should Google kick Apple to the curb for copying such a basic feature "on a smart phone" (ie. ignoring precedence in other environments)? Particiuarly given that it hurts the community at large, do you endorse such behaviour when Apple is not at the helm of the law suit?
You start with a false premise; that Apple fans believe that Apple is justified suing over trivial things. I for one think that suing over trivial things is nonsense. I believe Apple had a design patent case against Samsung, but that it was blown out of all proportion. I also think the lawsuits over the screen unlock and other such basic things are frivolous and annoying.
So, if Google were to sue for this I'd take the exact same position as I take for Apple suing over sliding to unlock: it's stupid.
Re: (Score:2)
I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.
...for a limited time. Apple pulled the app from the store almost an hour before this hit Slashdot.
As for this being caught... that doesn't take much: all it takes is the first few people complaining about you spamming them via SMS, and the gig is up.
Just maybe... (Score:1, Funny)
Details missing? (Score:3)
Re: (Score:2)
Re: (Score:2)
How is PayPal even slightly relevant? The only PayPal account that would be involved would be Apple's (and I don't see PayPal cutting Apple off) and Apple pays out developers by direct wire transfer into their bank account.
Inspected by ?? (Score:2)
Re: (Score:2)
You'd likely get that past the inspections, but once discovered it would be quickly removed.
From what I hear, the reviewers do a combination of testing the application (and for anything that has an online/account component, they request a fully functional unrestricted account to test with) and analyzing the application with tools that look for usage of private/restricted frameworks. I'm sure there is more to it, but they're definitely not going line-by-line through the code. When you submit an app to the ap
Re: (Score:2)
The app itself doesn't really do anything malicious -- it snarfs down your address book and grabs your SMS ID -- which are things done by countless other apps. The malicious bit is all done server-side, where the "company" sends promotional SMSes out to everyone in your address book, spoofing your SMS ID. ...and the App was removed within an hour of Apple being made aware of the situation.
Re: (Score:2)
I thought apps needed permission to see contacts (Score:3)
I thought Apple had, in a fairly recent iOS update, made it so that an app couldn't just silently query a person's contact data... that the application would need to declare to the OS that it was going to do this, the OS would then check with the user to see if it was okay. If the user hadn't given permission, I thought trying to access the contact data from an app would be futile.
Again, this was just my understanding here... so either this is only an issue with older iOS versions, or else my understanding is completely borked, and I have no idea what I'm talking about.
Re: (Score:2)
They are doing it in iOS 6, which hasn't been released yet. It is in Beta and should be released in the next couple of months.
Why doesn't this count?! (Score:4, Funny)
Re:Why doesn't this count?! (Score:4, Informative)
http://www.theregister.co.uk/2011/11/08/apple_excommunicates_charlie_miller/ [theregister.co.uk]
Here is a link to back up your post.
Re: (Score:2)
Apple approval process (Score:1)
This is just proof that Apple's rigorous app approval process consists solely of a dartboard.
Re: (Score:3)
865,000 apps approved for the App Store, and yes, one got through. And you think it's nothing more than Apple randomly selecting apps to let in.
Re:Apple approval process (Score:4, Insightful)
It would be more accurate to say one got caught. There could be others running wild that have slipped the net.
Re: (Score:2)
Serious question: How do they get caught on Android?
Re: (Score:2)
865,000 apps approved for the App Store, and yes, one got through
that you know of
From you? (Score:3)
Re: (Score:2)
Odd, considering there are APIs to get the phone n
Gone already (Score:2)
Stopping malware (Score:4, Interesting)
Re: (Score:2)
Apple can easily decompile the binaries. That's how they know if you're using private APIs.
Copying google again? (Score:2)
Meh (Score:3, Insightful)
It can't be the only malware (Score:2)
iSnitch (Score:2)
Re: (Score:2)
Is there no "Little Snitch" app out there?
No, but there's no reason you couldn't use your Mac running Little Snitch as a reverse firewall gateway for all your wifi connected iOS devices... connect your Airport to your Mac via ethernet, turn on Internet Sharing and share your Mac's wifi connection to the ISP wireless router to your Ethernet (and the Airport connected to it), and batten down Little Snitches hatches... and turn on the Application firewall, and enable ipfw for good measure... making sure to never say always when the dialogues start po
android well-known for malware? (Score:5, Insightful)
While Android is well known for malware,
in theory, and not in practice that is. the *only* thing that makes android more vulnerable is apple's more severe vetting for apps in their store, and the fact that android apps can be "side loaded", or installed from arbitrary sources (other than the google play store). side loaded is disabled by default and must be explicitly enabled by the user after subjecting them to a scary warning dialog.
android security model of fine-grained permissions that are presented to the user before the app is even installed is superior to iOS. what android doesn't do is protect users from their own stupidity. read the permissions. if you choose to go ahead and install that flashlight app that requests permission to the internet and to read your contacts, you'll get what you deserve.
Re: (Score:2)
The fine-grained permissions are informative but nothing more. You either accept them or not install the app. There's no actual control for the user. I really, really hate that.
first, it's better to know before hand so you can avoid the malware getting on your device. one it is installed, who knows that it has done.
second, it would not be practical for an app to be written to gracefully handle the user accepting or denying all possible combinations of permissions. well, maybe that's too strong. at the very least, it'd be a pain in the arse. if you were a developer you'd thank your lucky stars that it works like this.
Re: (Score:2)
it would not be practical for an app to be written to gracefully handle the user accepting or denying all possible combinations of permissions. well, maybe that's too strong. at the very least, it'd be a pain in the arse. if you were a developer you'd thank your lucky stars that it works like this.
I think it would lead to better apps.
Re: (Score:2)
There are apps that would do that for you (I use LBE). I agree though, this should available by default.
This isn't malware (Score:4, Insightful)
The application is working as advertised, uploading data as allowed by the user.
The problem is that the company is not trustworthy for what it does with that data. This can be any company: Do you trust Google, Yelp or Facebook with your data? This is the decision you have to make with any app on any platform. Pretty much the only way around this would be for Apple to require privacy and data use policies with minimum protections for all developers, and then require them to be bonded against a misuse contrary to that policy.
A question (Score:3)
How much does it cost? I'll buy anything for $.99
So whats the difference (Score:3)
So facebook is malware now ?
CarrierIQ isn't first. It was pre-installed. (Score:2)
Pride and Falling (Score:2)
The Applerati have long held an attitude of disdain for other platforms, while clinging to an illusion of invincibility inculcated by Apple marketing. It has always been a sham; researchers have repeatedly shown how Apple has introduced numerous vulnerabilities into OS X not present in its BSD antecedents.
Unfortunately, some Linux aficionados have been bitten by a similar bug. Nothing conceived by the human imagination is impervious to attack. Geek, secure thyself.
I think I have this... (Score:2)
The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you.
I think my iPhone has had this virus for a while. It also randomly changes all your contact's email addresses and is particularly nasty. It's called "Facebook"
Re: (Score:3)
Damn, I knew it was a useless locked-in piece of shit, but I didn't know it was malware! And just today I told a coworker that it was fine to use (apart from the lockin and relative uselessness) on Blackberry.
Re: (Score:2)
since when does it spam your contacts?