iOS app contains potential malware

An app available for download from Apple's iOS App Store contains an embedded Trojan horse. And while the good news is that you're almost definitely safe from any malware danger, there's still reason for concern. The app itself is almost certainly harmless--and the malicious code is probably present unintentionally--but the fact that the code slipped through the App Store's review process isn't ideal.

The app Simply Find It, a $2 game from Simply Game, seems harmless enough. But if you run Bitdefender Virus Scanner--a free app in the Mac App Store--it will warn you about the presence of a Trojan horse within the app. A reader tipped Macworld off to the presence of the malware, and we confirmed it.

Apple declined to comment on the issue.

Bitdefender warns of the presence of Trojan.JS.iframe.BKD in the game. (Two other free Mac antivirus apps, iAntivirus and ClamXav, both failed to notice anything amiss with the app.) It's not too much effort to figure out what Bitdefender is detecting in the app, either.

As you may know, iOS apps are distributed as IPA files, which you can unzip using unarchiving apps on your Mac. When you unarchive Simply Find It, you can explore the app's package contents. I used Terminal to search the app for "iframe," and found a match in a single file: Payload/

That's a fully functional audio file used in the game. You can play it on your Mac, and it sounds fine. But when I opened the MP3 in BBEdit, I found this snippet just at the end of the file: iframe src=""

That's an iframe, HTML code that embeds a remote webpage. In this case, the server that iframe points to isn't actually responding at this writing. In theory, though, malware could use a secretly-embedded iframe to load up a maliciously-crafted webpage you didn't intend to visit, and attempt to do various unpleasant things.
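The search described above can be automated. This is an added example, not code from the article or from any scanner it names: it opens an IPA as a zip archive and reports media files that contain an iframe tag. The extension list, the archive member names and the placeholder URL are constructed for illustration.

```python
import io
import re
import zipfile

# Resource types that should never carry HTML markup (assumed list, extend as needed).
MEDIA_EXTS = (".mp3", ".m4a", ".wav", ".caf", ".png", ".jpg")
# Case-insensitive match for an opening iframe tag in raw bytes.
IFRAME_RE = re.compile(rb"<\s*iframe\b[^>]*>", re.IGNORECASE)


def scan_ipa(ipa_bytes):
    """Return [(member, offset, size, snippet)] for media files containing an iframe tag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if not info.filename.lower().endswith(MEDIA_EXTS):
                continue  # HTML in .html/.js files is expected, so skip them
            data = ipa.read(info)
            for m in IFRAME_RE.finditer(data):
                snippet = m.group(0)[:80].decode("ascii", "replace")
                findings.append((info.filename, m.start(), len(data), snippet))
    return findings


def build_sample_ipa():
    """Constructed archive: one clean MP3-like file, one with a trailing iframe."""
    audio = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 64
    tail = b'<iframe src="http://placeholder.invalid/"></iframe>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/clean.mp3", audio)
        z.writestr("Payload/Sample.app/tainted.mp3", audio + tail)
        z.writestr("Payload/Sample.app/help.html", b"<iframe src='about:blank'>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, off, size, snippet in scan_ipa(build_sample_ipa()):
        # Markup in the last few hundred bytes points to data appended after the audio.
        where = "at end of file" if size - off < 512 else "mid-file"
        print(f"{name}: iframe tag at byte {off} of {size} ({where}): {snippet}")
```

A hit in a media file means only that the file carries stray markup; whether anything ever renders it depends on what the app does with the file.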

Simply Game didn't respond to Macworld's request for comment, though it seems that iframe is embedded in that MP3 file unintentionally. The company sells numerous apps, and sells Simply Find It in the Mac App Store as well, where it is uninfected.

Security expert (and occasional Macworld contributor) Rich Mogull says that the app is almost certainly harmless. "If Apple tested the app by running it in a sandbox and watching the app's activities, that would be more effective than scanning MP3s for malware strings," since testing the app by running it shows what actually happens in real-world use. It's unclear how Apple tests apps, though, since that part of the process is opaque. "Thus," says Mogull, "we don't know for sure if [any Apple malware-scanning] process worked or not. A malware link that never runs isn't a threat, and there are very legitimate ways of testing that won't find something like this if it isn't a valid exploit."

All that said, though, "Without any transparency [from Apple on the approval process], we don't know," Mogull added.

A developer could technically embed a mechanism within an app to open a compromised file--like day.mp3--and do something untoward with it. If Apple does run each app and test it for such activity, it's well-equipped to detect such behavior. But if Apple is merely scanning files it considers risky, the company may need to check more files for rogue code.

Again, though, that's not what's happening with Simply Find It. It's a game that appears to have unintentionally embedded a corrupted MP3. Since the app doesn't attempt to abuse that MP3, and since the URL embedded in the MP3 isn't currently active, then our sources are right: There's no current threat to users from this particular app.

Still, with Apple's lack of transparency regarding how it validates the safety of files added to the App Store, there's at least minor cause for concern. The App Store still feels miles safer than the unmoderated waters of some competing platforms, but the presence of the troublesome code in Simply Find It should, perhaps, give you pause.
