The malicious apps were programmed to perform background activity on iPhones in order to collect ad-fraud revenue
Security researchers from Wandera uncovered a set of applications that were performing malicious activities on users' iPhones. The apps had been published on Apple's official App Store: the developers bypassed Apple's built-in protection measures because the malicious instructions arrived only after installation, over Command & Control (C&C) server communications, and were then used to commit ad fraud.
The trojanized apps were published on the official store by an Indian developer, AppAspect Technologies Pvt. Ltd., which has released a total of 51 apps for Apple devices and 28 for Android. The infected applications came from various categories, including productivity, travel, religion and fitness. Upon discovery, all 17 affected apps were removed from the App Store, and Apple confirmed that it has improved its security measures to detect similar application behaviour in the future.
Wandera's threat research team categorized the infected apps as Trojans because of the clicker Trojan module they contained:
The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
While malware that commits ad fraud is less dangerous than many other types of malware, the continual communication with a remote server and the induced clicks can drain the device's battery quickly and disrupt the normal operation of the browser.
Not the first time this malicious Command & Control server has been used
While all the infected apps were developed by the same developer, they were aimed at users in different countries and at different audiences: some were built for religious groups (Ramadan Times 2019 or Islamic World – Qibla), while others addressed more general needs:
- EMI Calculator & Loan Planner
- FM Radio – Internet Radio
- Easy Contacts Backup Manager
- Smart Video Compressor
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores, etc.
Wandera researchers noted that the My Train Info app did not appear under the developer's profile, despite being distributed on the official App Store. Even though the apps target different audiences, they were all communicating with the same Command & Control server, which had previously been analyzed by Dr.Web and used in other malicious campaigns that affected more than 101.7 million Android users.
According to Dr.Web, the remote server was used to trigger targeted advertisements on the infected device and to load websites in the background. In some cases, the malware was even able to subscribe victims to bogus services that triggered monthly credit card charges. Additionally, the malware was used to track Android phone owners extensively, collecting the device manufacturer, model and OS type, along with the User-Agent, mobile carrier, geolocation and other data.
How clever use of a Command & Control server allowed the app developers to bypass Apple's security measures
Wandera's research showed that it was the use of a Command & Control server that allowed the malicious apps to bypass Apple's built-in security measures, which would otherwise have blocked the threat:
C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.
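Two observations above are what a defender can actually detect from the network side: every one of the otherwise unrelated apps talked to the same C&C host, and that communication was continual and happened in the background. The following is an added example, not code from Wandera or from the report, of a small traffic-log analyzer that scores each app/host pair on three signals: the host being shared by several distinct apps, requests arriving on a fixed schedule (low coefficient of variation of the gaps), and a high share of requests made while the app is in the background. The log format, the bundle identifiers, the hosts and all timestamps are constructed for the example and do not come from the article.

```python
"""Flag apps that beacon in the background to a C&C host shared with other apps."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample device traffic log (not data from the Wandera report).
# Fields: epoch seconds, app bundle id, destination host, path, fg/bg state.
SAMPLE_LOG = """\
1570000000 com.example.emicalc cnc.example.net /config bg
1570000060 com.example.emicalc cnc.example.net /config bg
1570000120 com.example.emicalc cnc.example.net /config bg
1570000180 com.example.emicalc cnc.example.net /config bg
1570000240 com.example.emicalc cnc.example.net /config bg
1570000005 com.example.fmradio cnc.example.net /config bg
1570000065 com.example.fmradio cnc.example.net /config bg
1570000125 com.example.fmradio cnc.example.net /config bg
1570000185 com.example.fmradio cnc.example.net /config bg
1570000010 com.example.speedometer cnc.example.net /config bg
1570000070 com.example.speedometer cnc.example.net /config bg
1570000130 com.example.speedometer cnc.example.net /config bg
1570000190 com.example.speedometer cnc.example.net /config bg
1570000000 com.example.notes api.notes-example.com /sync fg
1570000137 com.example.notes api.notes-example.com /sync fg
1570000401 com.example.notes api.notes-example.com /sync bg
1570000950 com.example.notes api.notes-example.com /sync fg
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, host, path, state = line.split()
        records.append({"ts": int(ts), "app": app, "host": host,
                        "path": path, "bg": state == "bg"})
    return records


def shared_hosts(records, min_apps=3):
    """Hosts contacted by at least min_apps distinct apps (shared infrastructure)."""
    apps_by_host = defaultdict(set)
    for r in records:
        apps_by_host[r["host"]].add(r["app"])
    return {h: sorted(a) for h, a in apps_by_host.items() if len(a) >= min_apps}


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between requests.

    A value near 0 means a fixed schedule (beaconing). Returns None when there
    are too few requests to judge.
    """
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def flag_apps(records, min_apps=3, max_cv=0.1, min_bg_ratio=0.8):
    """Return {app: (host, reasons)} for app/host pairs with at least two signals.

    Requiring two signals keeps a single legitimate app that polls its own API
    on a timer from being flagged on the schedule alone.
    """
    shared = shared_hosts(records, min_apps)
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["app"], r["host"])].append(r)
    flagged = {}
    for (app, host), rs in by_pair.items():
        reasons = []
        if host in shared:
            reasons.append(f"host shared by {len(shared[host])} apps")
        cv = interval_cv([r["ts"] for r in rs])
        if cv is not None and cv <= max_cv:
            reasons.append(f"fixed-interval beaconing (cv={cv:.2f})")
        bg_ratio = sum(r["bg"] for r in rs) / len(rs)
        if bg_ratio >= min_bg_ratio:
            reasons.append(f"{bg_ratio:.0%} of requests made in background")
        if len(reasons) >= 2:
            flagged[app] = (host, reasons)
    return flagged


if __name__ == "__main__":
    for app, (host, reasons) in flag_apps(parse_log(SAMPLE_LOG)).items():
        print(f"{app} -> {host}: " + "; ".join(reasons))
```

On the constructed log, the three apps that poll cnc.example.net every 60 seconds in the background are flagged on all three signals, while the notes app, which syncs at irregular intervals and mostly in the foreground, is not. The thresholds are starting points, not tuned values: on real traffic, shared hosts must be checked against an allow-list of CDNs and analytics providers, or most of a device's apps will be flagged.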
AppAspect Technologies also releases applications for Android users, with 28 apps currently active on the Google Play Store. Tests on these applications showed that they were not communicating with the malicious C&C server. However, when the researchers dug deeper, they found that the Indian app maker had previously placed malicious apps on the Play Store, where they were terminated; the apps were later reinstated without the malicious functionality.
While it is unclear whether the developer intentionally planted the malicious code into the apps in question, as a general precaution we advise users to stay away from applications developed by AppAspect Technologies. Additionally, users should always treat applications that request excessive permissions on the device with suspicion and keep robust security software installed.
Researchers said that this discovery only proves that iOS is being targeted by malicious apps more frequently, and that Apple's review process, often assumed to be malware-proof, does not always work. Nevertheless, the Google Play Store remains the main target of cybercriminals, and Google regularly removes apps for malicious activity on Android devices.