Editorial: Despite claims to the contrary, the App Store isn't loaded with malware
A report is being circulated as proof that the App Store has been infected by malware apps that could one day steal your data. AppleInsider has been examining the research for some time, however, and it is baseless exaggeration, riddled with inaccuracies.
Mobile security company Wandera claims to have discovered 17 apps containing "clicker Trojan malware" on the App Store. The firm has uncovered an issue, but what it found were apps from a single developer that violated the App Store's rules by including code that automatically clicks on ads, and nothing more.
"What concerns me the most about this instance of the clicker trojan being used to infect iOS apps is the backdoor it represents," Michael Covington, VP of Product, Wandera, told AppleInsider. "This direct-to-device channel is being used to deliver ads today, but could easily be used tomorrow to facilitate the delivery of phishing attacks, additional malware or remote control commands."
Wandera does correctly say that apps using this code could artificially boost a firm's ad revenue by fraudulently inflating the number of clicks it receives. But nothing the report claims the apps could do beyond that, at some unspecified point in the future, can be done on iOS in the way the report describes.
There is no way for the app developers to add new attack surface to an installed app on the fly: iOS only runs code that was signed and reviewed as part of the App Store submission, so a server cannot push fresh executable code into an app after the fact. There is also no way for the functionality to spread to other apps on the device, with or without the command and control server the company says it has found. Further, iOS sandboxing confines each app to its own data; an app cannot read another app's files, or protected data such as contacts or photos, unless the user explicitly grants that access or hands the data to the app directly.
The security company's conclusion that this represents dangerous malware and a breach of the iOS App Store's security is baseless hyperbole. Based on this and on multiple errors in the research the company sent to AppleInsider, we initially declined to report the story. But it is making the rounds anyway, and seemingly isn't being checked.
Research, emails, and discovery
The errors were impossible for us to ignore. Wandera originally told us that it had found 18 apps out of 56 that a developer called AppAspect Technologies had on the App Store. That developer only had 50. And of the 18, we pointed out that one was a duplicate, which is how the count arrives at 17.
Wandera's website maintains that the company exists to "protect your organization, your information and, most of all, your people."
"We believe prevention is better than the cure, and this is why we stay ahead of the latest threats: so you don't have to worry about them," it continues.
Despite this, Wandera seemingly did not contact AppAspect Technologies. When we did, that company told us that it did not know about Wandera's claims. So, we contacted Apple.
What Apple said
A spokesperson told us that Apple found no malware, but the company did remove the apps because they contained ad-clicking code that violates App Store guidelines. Apple also told us that it had introduced new measures to spot any similar submissions in future.
Once the apps had been removed, we were contacted by AppAspect Technologies who told us that they were working to fix the problem and get their apps restored to the Store.
Only about a day after Apple had removed the apps did Wandera respond to our question of whether it had disclosed its findings to the company.
"Wandera is actively working with Apple to share their findings," the security company insisted, "in the hopes that they initiate a take down of the compromised apps."
Security research is important, but responsibility is too
The fact that apps made it into the App Store while violating Apple's rules isn't trivial. That they could potentially have been used to fraudulently generate ad-traffic revenues is of course serious.
But this is in no way a case of malware infecting the iOS App Store.
If this were genuinely a case of malware as serious as Wandera would have you believe, there are responsible approaches to disclosure. The responsible thing would have been for the company to contact Apple before announcing its findings as if they were a major disclosure of a security issue, as nearly every other security research firm does.
Doing so in the media with inaccurate hyperbole isn't the way to go about that.