Apple pulls Russian malware from iOS App Store
Hours after it was highlighted by a security firm, Russian-language malware on the iOS App Store was removed by Apple and is no longer available for download.
Apple confirmed on Thursday to Jim Dalrymple of The Loop that it removed the malware, an application named "Find and Call," once it was alerted to its presence on the App Store. The company said the software was pulled for violating App Store guidelines by accessing a user's Address Book data without authorization.
The application was revealed by Kaspersky earlier on Thursday to be a Trojan that would upload a user's phone book to a remote server. From there, the server sends out text message spam to all the contacts in the user's address book with a link to download the application.
In addition to being found in Apple's iOS App Store, the "Find and Call" software was also found on the Google Play storefront for Android handsets. Google has presumably also responded by pulling the application, as it can no longer be downloaded from Google Play.
Malware is an extremely rare occurrence on Apple's iOS platform, as the company has a review process that analyzes each individual application made available for download on the App Store. The company first began publishing its guidelines for review in September of 2010.
However, malware has routinely been found on Google's more open Android platform. Last year one security firm claimed that Android malware had increased by 472 percent in just one four-month span.
The malware issue on Android has been attributed to the lack of a review process such as Apple's, as well as the ease for a developer to make an anonymous account and pay the low $25 fee required to begin posting software to Google Play.
This May, Apple quietly made public a report detailing the extensive efforts it has undertaken to secure its mobile operating system. The paper boasts that Apple "designed the iOS platform with security at its core."
Comments
Hopefully this will lead to an even more stringent App Store review process. I thought the review process was designed expressly to prevent these types of things, as well as buggy apps. I'm sure no system is perfect, but at least on the malware front it's been pretty good up until this.
Or it just happened to be that mistake which slipped through. No matter how stringent the system, with an operation this big, there are always going to be mistakes. And with one slip-up of this kind I'm inclined to think along those lines. That said, it's even possible that this app functioned within review parameters and the developer chose to do something else after approval (depends on what Apple currently allows in relation to user contact data). If that's the case, it's possible the system needs to be tightened up. Changes to accessing contacts in iOS 6 might help a bit here.
I'm curious to know how this one slipped through. I wonder if a reviewer was just asleep at the wheel.
Well, it isn't as though uploading your contacts isn't allowed by Apple. Apple simply doesn't allow exploitation of your contact information for the purpose of spamming SMS messages. The claims made by the developer may have matched the apparent functionality of the app when tested.
This is why the Privacy Settings in iOS 6 are so vital.
I wonder if Apple also revoked the source's developer key, or at least the app's certificate, preventing people who already downloaded it from further damage.
Quote:
Originally Posted by BigBillyGoatGruff
I'm curious to know how this one slipped through. I wonder if a reviewer was just asleep at the wheel.
It could be that the feature is enabled remotely. The developer could have enabled it (server side) after the app was approved. This will all go away with iOS 6 where the app needs your permission to access your calendar and contacts.
Quote:
Originally Posted by BigBillyGoatGruff
I'm curious to know how this one slipped through. I wonder if a reviewer was just asleep at the wheel.
That's what I was going to ask? Seems Apple is slipping a bit here and cannot be completely trusted or they need to update their rules to catch this type of malware and any like it in the future.
Interesting that this was 'discovered' by Kaspersky - leading to months more of them crying they can't put anti-virus software on the iPhone.
Quote:
Originally Posted by Pendergast
This of course highlights the key difference between iOS and full desktop OS's (OS X included): the only way to exploit the device is through a controlled storefront,
Where did you get that idea?
Quote:
Originally Posted by NasserAE
It could be that the feature is enabled remotely. The developer could have enabled it (server side) after the app was approved. This will all go away with iOS 6 where the app needs your permission to access your calendar and contacts.
I agree this was probably server side and totally outside of Apple's control. However, I disagree that this sort of thing would go away with the new privacy settings in iOS 6. If I install an app that is supposed to access my contacts, I'm going to say yes when it asks for authorization. There are probably tons of legitimate apps that do that now. If they then do something with it server side, how am I to know? Hell, if they store it server side as part of their normal operation and then get hacked, you're just as screwed.
Point is: don't let yourself be lulled into a false sense of security. Everything Apple is doing is going a long way to make it secure, but no system is perfect and downloading an app in iOS should be treated the same as downloading an app on Android, Windows, OS X, etc. (i.e., think before you act).
"The more you know..."
Quote:
Originally Posted by MacTel
That's what I was going to ask? Seems Apple is slipping a bit here and cannot be completely trusted or they need to update their rules to catch this type of malware and any like it in the future.
600,000 apps. One bad one slipped through. Not a bad track record on Apple's part.
That said, Apple needs to flag any app that uses the Address Book APIs, and give it especially close review (if they aren't doing this already).
Apple needs to 'keep an eye' on suspicious apps (i.e., send user data to server) for an undisclosed period even after they are approved (like an app 'probation').
This way, the bad guys will know they can't be at ease even after approval.
Quote:
Originally Posted by BigBillyGoatGruff
I'm curious to know how this one slipped through. I wonder if a reviewer was just asleep at the wheel.
From what I understand it's hard for the reviewers to fall asleep since so many apps have to be scanned to prevent any phallic-like images from creeping through the process. However, Apple has notoriously understaffed the review department. Perhaps THIS may have helped get their attention to prevent a reoccurrence.
Quote:
Originally Posted by BigBillyGoatGruff
I'm curious to know how this one slipped through. I wonder if a reviewer was just asleep at the wheel.
They may need to hire some more Russian-speaking reviewers.
Quote:
Originally Posted by ranReloaded
Apple needs to 'keep an eye' on suspicious apps (i.e., send user data to server) for an undisclosed period even after they are approved (like an app 'probation').
This way, the bad guys will know they can't be at ease even after approval.
This is a well-known tactic. The programmers put in an if clause with a date criterion. The hidden functionality only reveals itself after the approval process is expected to be completed. Apple doesn't look at the source code directly. They can only test so much. Mostly they are looking for obvious infractions and testing against some private APIs, but other than that they have to rely on end users to spot problems that may crop up after the apps get widespread usage.
Quote:
Originally Posted by MarquisMark
I agree this was probably server side and totally outside of Apple's control. However, I disagree that this sort of thing would go away with the new privacy settings in iOS 6. If I install an app that is supposed to access my contacts, I'm going to say yes when it asks for authorization. There are probably tons of legitimate apps that do that now. If they then do something with it server side, how am I to know? Hell, if they store it server side as part of their normal operation and then get hacked, you're just as screwed.
Point is: don't let yourself be lulled into a false sense of security. Everything Apple is doing is going a long way to make it secure, but no system is perfect and downloading an app in iOS should be treated the same as downloading an app on Android, Windows, OS X, etc. (i.e., think before you act).
"The more you know..."
Whatever developers do with your personal info is out of your control once you give them access. However, the privacy settings in iOS 6 prevent other apps that are not supposed to access your calendar and contacts from doing so. For example, after I installed iOS 6 I discovered that the Realtors.com iOS app was accessing my contacts. Why do they need my contacts? I also found a couple of other apps trying to access my contacts and they are not supposed to do that.
The new privacy settings in iOS 6 are not meant to prevent what developers do with your contacts but instead give you control over who should have access to your personal data.
Quote:
Originally Posted by NasserAE
Whatever developers do with your personal info is out of your control once you give them access. However, the privacy settings in iOS 6 prevent other apps that are not supposed to access your calendar and contacts from doing so. For example, after I installed iOS 6 I discovered that the Realtors.com iOS app was accessing my contacts. Why do they need my contacts? I also found a couple of other apps trying to access my contacts and they are not supposed to do that.
The new privacy settings in iOS 6 are not meant to prevent what developers do with your contacts but instead give you control over who should have access to your personal data.
I was reading over the weekend that Facebook was not only accessing the contacts but actually changing the email address to @facebook.com email addresses for anyone who matched your friends list. Actually overwriting your contact info! Amazing.
http://www.wired.com/gadgetlab/2012/07/facebook-email-woes/