{"id":16694,"date":"2019-10-25T10:45:15","date_gmt":"2019-10-25T18:45:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/10\/25\/news-10433\/"},"modified":"2019-10-25T10:45:15","modified_gmt":"2019-10-25T18:45:15","slug":"news-10433","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/25\/news-10433\/","title":{"rendered":"How 18 Malware Apps Snuck Into Apple&#8217;s App Store"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5db206ae60047600090d3a73\/master\/pass\/Security_ios_1126780859.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett | Date: Fri, 25 Oct 2019 15:43:54 +0000<\/strong><\/p>\n<p class=\"content-header__row content-header__dek\">Sing it loud: The App Store&#39;s not perfect. Especially when it&#39;s up against click fraud code this clever.<\/p>\n<p>Despite some recent <a href=\"https:\/\/www.wired.com\/story\/ios-attack-watering-hole-project-zero\/\">pronounced lapses<\/a>, the <a href=\"https:\/\/www.wired.com\/story\/guide-iphone\/\">iPhone<\/a> remains one of the most secure consumer devices you can buy, thanks in large part to the locked-down ecosystem of the iOS App Store. But things do slip through the cracks\u2014including 18 apps that used evasive maneuvers to sneak past Apple\u2019s defenses.<\/p>\n<p>The malicious apps\u201417 of which were <a class=\"external-link\" href=\"https:\/\/www.wandera.com\/mobile-security\/ios-trojan-malware\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">discovered<\/a> by mobile security company Wandera, all from the same developer, while Apple spotted another using the same technique\u2014have already been taken down. 
While they were live, they didn\u2019t steal data or gain control of a victim\u2019s device, behavior that other <a href=\"https:\/\/www.wired.com\/story\/imessage-interactionless-hacks-google-project-zero\/\">recent iOS fumbles could have enabled<\/a>. Instead, the apps, which ranged from a calculator to a yoga pose repository, ran invisible ads in the background of the device, generating phony website clicks to inflate ad revenues.<\/p>\n<p>That sort of adware makes regular appearances on Android, in part because that platform\u2019s <a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\">third-party app stores<\/a> are riddled with bad actors. On iOS? Not so much. And while the worst effects you\u2019d feel as a victim in this case would be a quicker battery drain and a higher data bill, this latest wave of iOS malware is most notable not for what it does but for how it got there.<\/p>\n<p>It started small. Wandera&#x27;s security software flagged some unusual activity on a client\u2019s iPhone: A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously <a class=\"external-link\" href=\"https:\/\/news.drweb.com\/show\/?i=13382&amp;lng=en\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">been identified<\/a> as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue.<\/p>\n<p>Wandera worked backwards from there. It identified the developer of the app, India-based AppAspect Technologies, and installed its dozens of offerings on iPhones for further testing. 
First, static analysis: poring over the code to look for any embedded shenanigans. Then dynamic analysis: watching for any outbound connections to a far-flung server with bad intentions.<\/p>\n<p>\u201cThat\u2019s usually where we see the dodgy activity,\u201d says Michael Covington, Wandera\u2019s vice president of product. \u201cIn this case, we weren\u2019t seeing it.\u201d<\/p>\n<p>Nothing. Not a hint of impropriety. But Wandera continued to press. Its standard testing setup relies on several iPhones connected to Wi-Fi; it\u2019s a lot of downloads, after all, so no reason to chew up all that data. But after striking out in the first round of analyses, the researchers decided to see what happened if they added a SIM card to the equation. And then they waited.<\/p>\n<p>A few days later, 17 of the apps started reaching out to the same adware server.<\/p>\n<p>\u201cThey had the intelligence to not just wait a few days, but to actually wait for other pieces of context to line up in the way that the developer wanted them to,\u201d Covington says. In this case, the presence of a SIM card is taken as a sign that the phone belongs to a real person rather than a security researcher\u2014or one of the many humans that screen apps for App Store approval.<\/p>\n<p>It\u2019s a simple evasion, but clever. More important, in this case it was effective. If you downloaded one of these apps, it would act perfectly normally until it was reasonably confident that you\u2019re a genuine mark. At that point, it would reach out to its boss\u2014the command and control server\u2014which would instruct the app to turn your iPhone into an invisible click farm.<\/p>\n<p>In an email, AppAspect Technologies pleaded ignorance, saying that it only found out about the issue after Apple had removed its apps, and that it\u2019s working its way back to compliance. And in fairness, it\u2019s entirely plausible that the company had no idea its apps were behaving this way. 
Developers sometimes incorporate code from third-party or unauthorized sources to build out their apps; borrowing from the wrong bin can easily\u2014and accidentally\u2014turn a speedometer app into something malicious. Apple\u2019s been through that on a larger scale than this; in 2015, some developer forums hosted <a href=\"https:\/\/www.wired.com\/2015\/09\/hack-brief-malware-sneaks-chinese-ios-app-store\/\">versions of its Xcode software tool<\/a> with data-stealing code appended to it, resulting in dozens of infected apps sneaking onto devices.<\/p>\n<p>Adware\u2019s a less severe problem, and again, it\u2019s downright endemic to Android. Security firm ESET <a class=\"external-link\" href=\"https:\/\/techcrunch.com\/2019\/10\/24\/millions-dozens-android-apps-adware\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">announced<\/a> just yesterday that it found 42 Google Play Store adware apps, downloaded millions of times. While not unheard of on iOS, it\u2019s much rarer, especially with this level of sophistication.<\/p>\n<p>\u201cThis is an excellent catch,\u201d says Will Strafach, founder of Sudo Security Group and developer of the <a href=\"https:\/\/www.wired.com\/story\/guardian-firewall-ios-app\/\">Guardian Firewall app for iOS<\/a>.<\/p>\n<p>It also illustrates how Apple\u2019s App Store screening process isn\u2019t quite as impregnable as you might assume. Especially when it comes to this specific category of intrusion. \u201cBecause ad fraud does not relate to actually malicious activity for the user, Apple likely does not put a high priority on policing it,\u201d Strafach says.<\/p>\n<p>\u201cThis was outside the parameters that Apple was checking,\u201d says Wandera\u2019s Covington. 
\u201cI think this one changed the game a bit for the types of things Apple needs to look for.\u201d<\/p>\n<p>For its part, Apple acknowledges that it took down the infringing apps, and that it has updated its screening tools to better detect this kind of verboten activity going forward. But Apple also disputes the &quot;malware&quot; characterization, since ad fraud doesn\u2019t directly disrupt your smartphone experience\u2014or steal data from it\u2014the way that, say, <a href=\"https:\/\/www.wired.com\/story\/ios-hacks-apple-response\/\">pervasive surveillance by an authoritarian state<\/a> might.<\/p>\n<p>Semantics aside, presumably most iPhone owners would prefer that a phalanx of click fraud apps <em>not<\/em> find its way into the App Store. But the incident is a good reminder that it can and does happen.<\/p>\n<p>\u201cI do realize that this is difficult to police and prevent,\u201d says Thomas Reed, director of Mac and mobile research at cybersecurity firm Malwarebytes. \u201cThe problem isn\u2019t so much that these things have happened, which is inevitable. The problem is that people have an unrealistic level of trust in Apple\u2019s App Store\u2014much as people once believed that \u2018Macs don\u2019t get viruses.\u2019\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/apple-app-store-malware-click-fraud\" target=\"bwo\">https:\/\/www.wired.com\/story\/apple-app-store-malware-click-fraud<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5db206ae60047600090d3a73\/master\/pass\/Security_ios_1126780859.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett | Date: Fri, 25 Oct 2019 15:43:54 +0000<\/strong><\/p>\n<p>Sing it loud: The App Store&#8217;s not perfect. 
Especially when it&#8217;s up against click fraud code this clever.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-16694","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16694"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16694\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16694"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
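As an added example of the detection path the article describes (the initial alert on the speedometer app, the pivot to the developer's other apps, and the SIM-card test run that finally produced beacons), here is a small Python script that matches per-app outbound connections against a list of known ad-fraud command-and-control hosts, pivots to every other app from the same developer, and counts C2 contacts with and without a SIM present. This is example code written for this page, not Wandera's or Apple's tooling; the log lines, host names, bundle identifiers, developer names and the `INSTALLED_AT` timestamp are all constructed placeholders.

```python
"""Added example (not Wandera's or Apple's tooling): match outbound app traffic
against known ad-fraud C2 hosts, pivot to the developer's other apps, and show
why a SIM-present test run catches what a Wi-Fi-only run misses.
Every host, bundle ID, developer name and timestamp here is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel set: hosts previously seen commanding ad-fraud
# malware. Placeholders, not real indicators.
KNOWN_C2_HOSTS = {"ads-cmd.example.net", "clickctl.example.org"}

# Constructed connection log from the test iPhones: one outbound connection
# per line, with whether a SIM was in the device at the time (sim=1/0).
SAMPLE_LOG = """\
2019-10-01T09:30:00 app=com.example.speedometer dev=ExampleDev host=api.weather.example.com sim=0
2019-10-01T09:31:00 app=com.example.yoga dev=ExampleDev host=cdn.example.com sim=0
2019-10-02T11:00:00 app=com.example.speedometer dev=ExampleDev host=api.weather.example.com sim=0
2019-10-02T11:02:00 app=com.other.calc dev=OtherDev host=cdn.example.com sim=1
2019-10-03T08:00:00 app=com.example.speedometer dev=ExampleDev host=api.weather.example.com sim=1
2019-10-05T10:15:00 app=com.example.speedometer dev=ExampleDev host=ads-cmd.example.net sim=1
2019-10-05T10:20:00 app=com.example.yoga dev=ExampleDev host=ads-cmd.example.net sim=1
2019-10-06T13:00:00 app=com.example.calculator dev=ExampleDev host=clickctl.example.org sim=1
2019-10-06T13:05:00 app=com.other.calc dev=OtherDev host=cdn.example.com sim=1
this line is malformed and is skipped by the parser
"""
# Assumed install time of the apps under test, used for the dwell-time figure.
INSTALLED_AT = datetime(2019, 10, 1, 9, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dev=(?P<dev>\S+) host=(?P<host>\S+) sim=(?P<sim>[01])$"
)


def parse_log(text):
    """Parse the log into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "app": m["app"],
            "dev": m["dev"],
            "host": m["host"],
            "sim": m["sim"] == "1",
        })
    return records


def c2_hits(records, c2_hosts=KNOWN_C2_HOSTS):
    """Connections whose destination is a known C2 host: the initial alert."""
    return [r for r in records if r["host"] in c2_hosts]


def hits_by_sim_state(records, c2_hosts=KNOWN_C2_HOSTS):
    """Split C2 contacts by SIM presence; a no-SIM run can look perfectly clean."""
    counts = {"sim": 0, "no_sim": 0}
    for r in c2_hits(records, c2_hosts):
        counts["sim" if r["sim"] else "no_sim"] += 1
    return counts


def pivot_by_developer(records, installed_at, c2_hosts=KNOWN_C2_HOSTS):
    """For each developer with at least one app reaching a C2 host, list every
    app of theirs seen in the log, the C2 hosts it reached, and the days
    between install and its first C2 contact (None if it never made one)."""
    apps_by_dev = defaultdict(set)
    for r in records:
        apps_by_dev[r["dev"]].add(r["app"])

    first_contact, hosts = {}, defaultdict(set)
    for r in sorted(c2_hits(records, c2_hosts), key=lambda r: r["ts"]):
        first_contact.setdefault(r["app"], r["ts"])
        hosts[r["app"]].add(r["host"])

    report = {}
    for dev, apps in apps_by_dev.items():
        if not any(app in first_contact for app in apps):
            continue  # developer never touched a C2 host; nothing to pivot on
        report[dev] = {}
        for app in sorted(apps):
            delay = None
            if app in first_contact:
                delay = round((first_contact[app] - installed_at).total_seconds() / 86400, 2)
            report[dev][app] = {"c2_hosts": sorted(hosts[app]), "first_c2_contact_days": delay}
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("C2 contacts by SIM state:", hits_by_sim_state(recs))
    for dev, apps in pivot_by_developer(recs, INSTALLED_AT).items():
        print(dev)
        for app, info in apps.items():
            print(f"  {app}: {info}")
```

Run stand-alone, the script reports zero C2 contacts from the no-SIM lines and three from the SIM lines, all from ExampleDev's apps and all four to five days after install, which is the shape of the result the article describes: the Wi-Fi-only analysis found nothing, and the beacons only appeared after a SIM was inserted and several days had passed. The match itself only works for hosts already on the list (here, the one previously tied to an Android ad-fraud campaign); the context check and dwell time are what the test environment has to satisfy before there is any traffic to match.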