A report is being circulated as proof that the App Store has been infected by malware apps that could steal your data one day. Only, AppleInsider has been examining the research for some time, and it is baseless exaggeration, riddled with inaccuracies.
Mobile security company Wandera claims to have discovered 17 apps containing "clicker Trojan malware" on the App Store. But while the firm has uncovered an issue, what they found were apps from one single developer that violated the App Store's rules to include the ability to automatically click on ads — and that's it.
"What concerns me the most about this instance of the clicker trojan being used to infect iOS apps is the backdoor it represents," Michael Covington, VP of Product, Wandera, told AppleInsider. "This direct-to-device channel is being used to deliver ads today, but could easily be used tomorrow to facilitate the delivery of phishing attacks, additional malware or remote control commands."
Wandera does correctly say that apps using this code could artificially boost revenues for a firm by fraudulently adding to their clicks received. But, nothing that the report claims the app could do beyond that at some point in the murky future, can be done on iOS as they claim.
There is no way for the app developers to add additional attack surfaces to the app on the fly. There is also no way to make the functionality contagious, using the command and control server that the company says that it has found. Further, Apple's iOS sandboxing prevents any user data theft without the user actively providing that data to the app.
The security company's conclusion that this represents dangerous malware and a breach in the iOS App Store's security is baseless hyperbole. Based on this and multiple errors in the company's research as sent to AppleInsider, we initially declined to report the story. But, it's making the rounds anyway, and seemingly isn't being checked.
Research, emails, and discovery
The errors were impossible for us to ignore. Wandera originally told us that it had found 18 apps out of 56 that a developer called AppAspect Technologies had on the App Store. That developer only had 50. And of the 18, we pointed out that one was a duplicate.
Wandera's website maintains that the company exists to "protect your organization, your information and, most of all, your people."
"We believe prevention is better than the cure, and this is why we stay ahead of the latest threats: so you don't have to worry about them," it continues.
Despite this, Wandera seemingly did not contact AppAspect Technologies. When we did, that company told us that it did not know about Wandera's claims. So, we contacted Apple.
What Apple said
A spokesperson told us that Apple found no malware, but the company did remove the apps because they contained ad-clicking code that violates App Store guidelines. Apple also told us that it had introduced new measures to spot any similar submissions in future.
Once the apps had been removed, we were contacted by AppAspect Technologies who told us that they were working to fix the problem and get their apps restored to the Store.
Only about one day after Apple had removed the apps did Wandera respond to our asking if they had disclosed their findings to the company.
"Wandera is actively working with Apple to share their findings," the security company insisted, "in the hopes that they initiate a take down of the compromised apps."
Security research is important, but responsibility is too
The fact that apps made it into the App Store while violating Apple's rules isn't trivial. That they could potentially have been used to fraudulently generate ad-traffic revenues is of course serious.
But this is in no way a case of malware infecting the iOS App Store.
If it was, if this were genuinely a case of malware as serious as Wandera would have you believe, there are responsible approaches for disclosure. The responsible thing would have been for the company to contact Apple before announcing its findings as if were a major disclosure of a security issue — as nearly every other security researching firm does.
Doing so in the media with inaccurate hyperbole isn't the way to go about that.
9 Comments
Yes Agreed! Especially that last Line... I've taken issue with a couple of British guys who write Apple tech articles that are so far off base and whacked that I had no choice but to lambaste them with criticism, and providing facts & proof of my rebuttals. One writes for Forbes and I cannot believe they keep him on staff or contract. When you work on a MacBook Pro with 126 Apps like I do all day, every day, it's easy to become Incensed when you read totally inaccurate garbage. One case and point is supposedly how messed up Catalina is.. yet I have 124 out of 126 apps that work just fine with Catalina except for maybe a couple hiccups. The two remaining Apps that had issues were just updated within the past couple days.. so now I have 126 our of 126 Apps that work almost perfectly with Catalina. I called both "writers" BOZOs, a favorite of Steve Jobs for ignorant or inept people who pretend to know but their "works" prove otherwise. ~RpH
What morons are claiming App Store is filled with Malware??? W>>>T>>>F>>>?!>!>
That's like defending New York City and claiming a deserted Island has more criminals.
FUD by people with an ax to grind.
I hate to have to say this, but in this day and age of fake news I wish there were some kind of mechanism in place put people on notice that knowingly spreading news that has zero basis in fact, will result in some kind of penalty, especially financial.