Apple wages battle to keep App Store malware-free

Thousands of apps have been found in recent weeks with potentially malicious components

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.

Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.

While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. 

Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation for being high quality and malware-free. Apple officials didn't have an immediate comment.

"The common theme we are seeing is this new wave of attacks against iPhones and against iOS," said Peter Gilbert, a mobile software engineer with FireEye, in an interview.

That's worrying for enterprises tasked with keeping corporate data and passwords entered on employees' mobile devices out of the hands of hackers.

Apple reviews apps submitted by developers for its store. That process has somewhat rankled developers, who have complained the process is too slow.

The upside is that the App Store has not had the same problems with malware that Google has had with its Play Store for Android devices.

But hackers are now "really looking for ways to get vast numbers of apps in the App Store in these legitimate channels and getting past whatever the barriers that are put up there," he said.

Those efforts appear to be largely centered in one place: China.

On Wednesday, FireEye said it discovered 2,800 apps in the U.S. and Chinese versions of the App Store that contained a potentially malicious code library used to deliver advertisements.

The ad library, mobiSage SDK, was developed by a Chinese company called adSage. The library had been incorporated into the apps by developers, who may have been unaware it had data-stealing capabilities. FireEye nicknamed the scheme iBackDoor.

Gilbert said the ad library was capable of loading JavaScript from a remote server. It would then be possible to take screenshots, capture audio or monitor a device's location. 

AdSage, based in Beijing, couldn't be immediately reached for comment. It has since released an updated version of the mobiSage SDK, which does not have the backdoor capability. 

Gilbert said it's possible that someone took AdSage's product, added the malicious capabilities and then made it available for developers.

The latest finding adds to other recent issues in the App Store. 

In mid-September, Palo Alto Networks found 39 apps built with a modified version of Apple's Xcode development tool. That version, which was dubbed XcodeGhost, could add hidden malicious code to apps compiled with it.

A few days later, the mobile security company Appthority found 476 apps infected with XcodeGhost. Then FireEye said the problem was much worse: it uncovered 4,000 apps containing XcodeGhost.

The larger question is how the apps were able to bypass Apple's review.

David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.

Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.

But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.

The mobiSage SDK case is fuzzier: the ad library doesn't do anything outright malicious, which is possibly why Apple gave it a pass into the store, Richardson said.

Still, FireEye labeled the apps using it as "high risk" in its blog post.

Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.  

"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.

There are a couple of methods for reviewing code. Static analysis looks at individual lines of code, while dynamic analysis watches how an application behaves.

But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.

A cursory review of an app may not be able to detect whether it was developed using the counterfeit version of Xcode or the legitimate version, he said.

The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.  
