Apple wages battle to keep App Store malware-free

Thousands of apps have been found in recent weeks with potentially malicious components

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.

Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.

While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. 

Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation for being high quality and malware free. Apple officials didn't have an immediate comment.

"The common theme we are seeing is this new wave of attacks against iPhones and against iOS," said Peter Gilbert, a mobile software engineer with FireEye, in an interview.

That's worrying for enterprises tasked with keeping corporate data and passwords entered on employees' mobile devices out of the hands of hackers.

Apple reviews apps submitted by developers for its store. That process has somewhat rankled developers, who have complained the process is too slow.

The upside is that the App Store has not had the same problems with malware as Google has had in its Play Store for Android devices.

But hackers are now "really looking for ways to get vast numbers of apps in the App Store in these legitimate channels and getting past whatever the barriers that are put up there," he said.

Those efforts appear to be largely centered in one place: China.

On Wednesday, FireEye said it discovered 2,800 apps in the U.S. and Chinese versions of the App Store that contained a potentially malicious code library used to deliver advertisements.

The ad library, mobiSage SDK, was developed by a Chinese company called adSage. The library had been incorporated into the apps by developers, who may have been unaware it had data-stealing capabilities. FireEye nicknamed the scheme iBackDoor.

Gilbert said the ad library was capable of loading JavaScript from a remote server. It would then be possible to take screenshots, capture audio or monitor a device's location. 

AdSage, based in Beijing, couldn't be immediately reached for comment. It has since released an updated version of the mobiSage SDK, which does not have the backdoor capability. 

Gilbert said it's possible that someone took AdSage's product, added the malicious capabilities and then made it available for developers.

The latest finding adds to other recent issues in the App Store. 

In mid-September, Palo Alto Networks found 39 apps that had been built with a modified version of Apple's Xcode development tool. That version, which was dubbed XcodeGhost, could add hidden malicious code to any app built with it.

A few days later, the mobile security company Appthority found 476 apps infected with XcodeGhost. Then FireEye said the problem was much worse: it uncovered 4,000 apps containing XcodeGhost.

The larger question is how the apps were able to bypass Apple's review.

David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.

Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.

But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.

The mobiSage SDK case is fuzzier: the ad library doesn't do anything outright malicious, which is possibly why Apple gave it a pass to the store, Richardson said.

Still, FireEye labeled the apps using it as "high risk" in its blog post.

Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.

"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.

There are a couple of methods for reviewing code. Static analysis inspects the code itself without running it, while dynamic analysis runs the application and watches how it behaves.

But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.

A cursory review of an app may not be able to detect if one was developed using the counterfeit version of Xcode or the legitimate version, he said.
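To make the two review methods concrete, here is an added toy triage script (not Apple's review tooling, nor FireEye's or Palo Alto Networks' research code). The static pass looks at strings pulled from an app binary; the dynamic pass looks at an ordered event log from an instrumented run. Every input is constructed for the example: the only name taken from the article is the mobiSage SDK, and the Objective-C selectors and class names are real iOS APIs used purely as indicators. The script encodes Richardson's point above: each indicator on its own also describes a legitimate ad or analytics SDK, so only the combination of remotely loaded JavaScript, sensitive capabilities and an undeclared host is marked high risk.

```python
"""Toy static and dynamic triage of an iOS app bundle (added example).

Inputs are constructed. Indicator names: "mobiSage" is from the article;
the selectors and class names are real iOS APIs used only as indicators.
"""
import re

# --- indicator lists (constructed for this example) -----------------------
KNOWN_AD_SDKS = {"mobiSage"}                       # named in the article
JS_EVAL_APIS = {                                   # real iOS selectors
    "stringByEvaluatingJavaScriptFromString:",     # UIWebView
    "evaluateJavaScript:completionHandler:",       # WKWebView
}
SENSITIVE_APIS = {                                 # real iOS symbols
    "UIGraphicsGetImageFromCurrentImageContext",   # screenshots
    "AVAudioRecorder",                             # audio capture
    "CLLocationManager",                           # location
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def static_scan(strings, developer_hosts):
    """Static analysis: look at what the binary *contains*.

    `strings` is the output of a strings/class-dump pass over the binary;
    `developer_hosts` are the hosts the developer declares as its own.
    Returns a list of (severity, message) findings.
    """
    findings = []
    sdks = sorted(sdk for sdk in KNOWN_AD_SDKS if any(sdk in s for s in strings))
    js_eval = sorted(s for s in strings if s in JS_EVAL_APIS)
    sensitive = sorted(s for s in strings if s in SENSITIVE_APIS)
    foreign_hosts = sorted({m.group(1) for s in strings for m in HOST_RE.finditer(s)
                            if m.group(1) not in developer_hosts})
    for sdk in sdks:
        findings.append(("info", f"third-party ad SDK embedded: {sdk}"))
    for api in js_eval:
        findings.append(("info", f"JavaScript evaluation API referenced: {api}"))
    for api in sensitive:
        findings.append(("info", f"sensitive capability referenced: {api}"))
    for host in foreign_hosts:
        findings.append(("info", f"hard-coded URL to non-developer host: {host}"))
    # Each indicator alone is what a legitimate ad/analytics SDK looks like;
    # only the combination earns a high-risk mark.
    if js_eval and sensitive and foreign_hosts:
        findings.append(("high", "remotely loaded JavaScript can reach sensitive capabilities"))
    return findings


def dynamic_scan(events):
    """Dynamic analysis: watch what the app *does* at run time.

    `events` is an ordered list of (kind, detail): kind "net" carries an
    HTTP request as "METHOD url", kind "api" carries a called symbol.
    Flags the chain: fetch a .js resource -> evaluate JavaScript ->
    call a sensitive API -> post data back to the script's host.
    """
    findings = []
    script_hosts = set()
    js_evaluated = False
    sensitive_called = set()
    for kind, detail in events:
        if kind == "net":
            method, url = detail.split(" ", 1)
            m = HOST_RE.match(url)
            host = m.group(1) if m else None
            if method == "GET" and url.endswith(".js") and host:
                script_hosts.add(host)
            elif method == "POST" and host in script_hosts and sensitive_called:
                findings.append(("high", f"data posted to {host} after remote script called "
                                         f"{', '.join(sorted(sensitive_called))}"))
        elif kind == "api":
            if detail in JS_EVAL_APIS and script_hosts:
                js_evaluated = True
            elif detail in SENSITIVE_APIS and js_evaluated:
                sensitive_called.add(detail)
    return findings


def risk_level(findings):
    """Collapse findings to a single label a reviewer can act on."""
    return "high" if any(sev == "high" for sev, _ in findings) else "low"


# --- constructed sample inputs -------------------------------------------
SAMPLE_STRINGS = [
    "mobiSageAdView", "evaluateJavaScript:completionHandler:",
    "UIGraphicsGetImageFromCurrentImageContext", "CLLocationManager",
    "https://api.developer.example/v1", "https://ads.sdk-host.invalid/config",
]
SAMPLE_EVENTS = [
    ("net", "GET https://api.developer.example/v1/news"),
    ("net", "GET https://ads.sdk-host.invalid/payload.js"),
    ("api", "evaluateJavaScript:completionHandler:"),
    ("api", "UIGraphicsGetImageFromCurrentImageContext"),
    ("net", "POST https://ads.sdk-host.invalid/upload"),
]
BENIGN_EVENTS = [  # an ordinary ad SDK: image banner, location, impression ping
    ("net", "GET https://ads.sdk-host.invalid/banner.png"),
    ("api", "CLLocationManager"),
    ("net", "POST https://ads.sdk-host.invalid/impression"),
]

if __name__ == "__main__":
    for name, f in (("static", static_scan(SAMPLE_STRINGS, {"api.developer.example"})),
                    ("dynamic", dynamic_scan(SAMPLE_EVENTS))):
        print(f"{name}: risk={risk_level(f)}")
        for sev, msg in f:
            print(f"  [{sev}] {msg}")
```

The static pass is the cheaper one and the one an obfuscated binary defeats first, since the strings it keys on can be hidden; the dynamic pass catches the behaviour regardless of how the code is written, but only if the remote server actually serves the triggering script during the observed run. That gap between the two is exactly why a single cursory review can miss a library like this.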

The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.

Stories by Jeremy Kirk