Researchers have uncovered 17 apps on Apple’s official App Store infected with malware. Apple has since removed the apps from the App Store – but a “significant” number of iOS users could have installed them, researchers said.
Once downloaded, the malicious apps infect victims with a trojan designed to carry out fraud and ad-related malicious activity in the background, including continually opening web pages and clicking links without any user interaction.
“The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic,” said researchers with Wandera, who discovered the malicious apps, in a Thursday post. “They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.”
The malicious apps range across various categories, from productivity to travel. Below is a full list of the affected apps.
An Apple spokesperson told Threatpost that the apps were removed for having code that allows for the artificial click-through of ads which is a violation of Apple’s guidelines. The spokesperson said that Apple rigorously patrols the App Store to protect its customers and to detect apps that may be trying to scam customers.
Apple doesn’t provide insight into download numbers for apps on the App Store, so researchers said they can’t quantify the impact with certainty – but the install counts of the Android equivalents of the apps on Google Play paint a dire picture, researchers told Threatpost.
“When you look at the Android counterparts of some of these apps — of which there are currently nine on the Google Play Store — they have over 1.06 million installs combined,” they said. “So it’s safe to say that the number of iOS users impacted could be significant. Further, because the developer seems to have spent more time developing on the Apple App Store (with 51 apps on the App Store vs. 28 on Google Play), we assume their iOS apps reach even more users.”
On the surface, after they’re downloaded, the infected apps provide “legitimate” functionality – and even the ads displayed in each of the apps are from legitimate ad frameworks.
However, once installed, the apps retrieve links, one at a time, from the command-and-control (C2) server. The victim’s device opens these links as fraudulent “clicks,” so the server actively controls what fraudulent activity is initiated and when.
“The links from the C2 were not the same ones used for in-app advertising; this means that the user saw legitimate ads on the screen while all of the suspicious links were actioned out of view,” researchers told Threatpost.
From there, the attacker is able to generate revenue through cost-per-click traffic, by forcing the device to open web pages and clicking on links in the background.
Wandera researchers observed that the background activity associated with the clicker trojan is resource intensive, so the attacker has configured the process not to run continuously, in order to avoid tipping off users. The trojan identified in the apps also attempts to evade detection by delaying its first communication with the C2 server.
“We found it initiates contact after several days of lying dormant and only surfaces after cellular connectivity has been established; the Wi-Fi used by a researcher on a test device wasn’t enough to trigger the malicious connections,” researchers told Threatpost.
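The behaviour described above gives an analyst three concrete indicators to look for in per-app network telemetry: page loads that fire with no user interaction and out of view, to hosts other than the ad SDK actually shown on screen; a dormant period between install and the first such contact; and hidden traffic that appears only over cellular. The following Python script is an added example (not Wandera’s tooling and not code from the apps in the article) that scores a constructed request log against those indicators. The log format, app names, hostnames, install times and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hosts belonging to the ad SDK the user actually sees on screen.
# Illustrative names only; a real allowlist comes from the app's own SDK inventory.
KNOWN_AD_HOSTS = {"ads.example-adsdk.net", "metrics.example-adsdk.net"}


@dataclass
class Request:
    ts: datetime
    app: str
    host: str
    iface: str         # "wifi" or "cellular"
    foreground: bool   # app visible to the user when the request fired
    by: str            # "user" (tap/scroll) or "timer" (fired with no user interaction)


def parse_line(line: str) -> Request:
    """Parse one line of the constructed log format (an assumption, not a real product format):
    2019-10-23T14:00:00 app=travel_app host=links.example-c2.invalid iface=cellular fg=0 by=timer
    """
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Request(datetime.fromisoformat(ts_str), f["app"], f["host"],
                   f["iface"], f["fg"] == "1", f["by"])


def analyze(lines, install_times, dormant_days=2, min_hidden=3):
    """Flag apps whose traffic matches the clicker pattern.

    Returns {app: {"hosts": [...], "reasons": [...]}} for each flagged app.
    The thresholds are assumptions chosen to fit the sample data below.
    """
    by_app = defaultdict(list)
    for line in lines:
        if line.strip():
            req = parse_line(line)
            by_app[req.app].append(req)

    findings = {}
    for app, reqs in by_app.items():
        # Indicator 1: loads the user never triggered, out of view,
        # to hosts that are not the ad framework shown on screen.
        hidden = [r for r in reqs
                  if not r.foreground and r.by == "timer"
                  and r.host not in KNOWN_AD_HOSTS]
        if len(hidden) < min_hidden:
            continue  # an occasional background fetch is normal app behaviour
        reasons = ["background loads of non-ad hosts with no user interaction"]

        # Indicator 2: dormancy, i.e. first hidden contact days after install.
        installed = install_times.get(app)
        if installed is not None:
            wait = (min(r.ts for r in hidden) - installed).days
            if wait >= dormant_days:
                reasons.append(f"first hidden contact {wait} days after install")

        # Indicator 3: hidden traffic only over cellular although the app
        # was also used on Wi-Fi (where a tester would typically be watching).
        if ({r.iface for r in hidden} == {"cellular"}
                and any(r.iface == "wifi" for r in reqs)):
            reasons.append("hidden traffic only over cellular, never on Wi-Fi")

        findings[app] = {"hosts": sorted({r.host for r in hidden}),
                         "reasons": reasons}
    return findings


# Constructed sample data: one benign app and one showing the full pattern.
INSTALL_TIMES = {
    "notes_app": datetime.fromisoformat("2019-10-20T09:00:00"),
    "travel_app": datetime.fromisoformat("2019-10-20T09:00:00"),
}

SAMPLE_LOG = """\
2019-10-20T09:05:00 app=notes_app host=ads.example-adsdk.net iface=wifi fg=1 by=user
2019-10-20T09:06:00 app=notes_app host=metrics.example-adsdk.net iface=wifi fg=0 by=timer
2019-10-22T18:00:00 app=notes_app host=ads.example-adsdk.net iface=cellular fg=1 by=user
2019-10-20T09:10:00 app=travel_app host=ads.example-adsdk.net iface=wifi fg=1 by=user
2019-10-21T12:00:00 app=travel_app host=ads.example-adsdk.net iface=wifi fg=1 by=user
2019-10-23T14:00:00 app=travel_app host=links.example-c2.invalid iface=cellular fg=0 by=timer
2019-10-23T14:00:05 app=travel_app host=landing.example-offers.invalid iface=cellular fg=0 by=timer
2019-10-23T19:30:00 app=travel_app host=links.example-c2.invalid iface=cellular fg=0 by=timer
2019-10-23T19:30:04 app=travel_app host=promo.example-offers.invalid iface=cellular fg=0 by=timer
2019-10-24T08:00:00 app=travel_app host=ads.example-adsdk.net iface=wifi fg=1 by=user
"""


if __name__ == "__main__":
    for app, info in analyze(SAMPLE_LOG.splitlines(), INSTALL_TIMES).items():
        print(app, info["hosts"])
        for reason in info["reasons"]:
            print("  -", reason)
```

On the sample data, `notes_app` is not flagged (its only background request goes to the visible ad SDK) while `travel_app` collects all three indicators. The important design point is the cellular check: a test device left on lab Wi-Fi, as the researchers describe, would never produce the hidden requests at all, so any review of an app’s network behaviour has to include sessions on a cellular interface and has to run long enough to outlast the dormancy window.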
All 17 infected apps were published on the App Store by the same developer, India-based AppAspect Technologies Pvt. Ltd., said researchers. Interestingly, AppAspect Technologies also has a developer profile on the Google Play Store with 28 published apps currently – however, when researchers tested these apps, they did not communicate with the identified malicious C2 server.
Overall, the developer has published 51 apps on the App Store, 17 of which were communicating with the same C2 server. That same C2 server was previously identified in a separate August 2019 clicker trojan campaign, in which infected Android apps would trigger targeted advertising, silently load websites and remotely reconfigure the devices.
However, “we are not in a position to say with certainty whether the developer had malicious or fraudulent intent,” Wandera researchers told Threatpost. “If it was unintentional, I would assume a disruption in the supply chain was the likely source of compromise. We saw a similar situation in the past with the XcodeGhost infection that spread through a community of iOS developers who obtained their app compiler from an untrustworthy source.”
Malicious apps continue to plague the official app stores for both iOS and Android. Earlier in 2019, Google Play removed at least 85 fake apps harboring adware, disguised as game, TV and remote-control simulator apps. Once downloaded, the fake apps hid themselves on the victim’s device and continued to show a full-screen ad every 15 minutes. And last year, Apple removed two apps that were posing as fitness-tracking tools but were actually using Apple’s Touch ID feature to loot money from unsuspecting iOS victims.