Despite some recent pronounced lapses, the iPhone remains one of the most secure consumer devices you can buy, thanks in large part to the locked-down ecosystem of the iOS App Store. But things do slip through the cracks—including 18 apps that used evasive maneuvers to sneak past Apple’s defenses.
The malicious apps—17 of which were discovered by mobile security company Wandera, all from the same developer, while Apple spotted another using the same technique—have already been taken down. While they were live, they didn’t steal data or gain control of a victim’s device, behavior that other recent iOS fumbles could have enabled. Instead, the apps, which ranged from a calculator to a yoga pose repository, ran invisible ads in the background of the device, generating phony website clicks to inflate ad revenues.
That sort of adware makes regular appearances on Android, in part because that platform’s third-party app stores are riddled with bad actors. On iOS? Not so much. And while the worst effects you’d feel as a victim in this case would be a quicker battery drain and a higher data bill, this latest wave of iOS malware is most notable not for what it does but for how it got there.
"I think this one changed the game a bit for the types of things Apple needs to look for."
It started small. Wandera's security software flagged some unusual activity on a client’s iPhone: A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously been identified as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue.
Wandera worked backwards from there. It identified the developer of the app, India-based AppAspect Technologies, and installed its dozens of offerings on iPhones for further testing. First, static analysis, poring over the code to look for any embedded shenanigans. Then dynamic analysis, looking for any outbound connections to a far-flung server with bad intentions.
“That’s usually where we see the dodgy activity,” says Michael Covington, Wandera’s vice president of product. “In this case, we weren’t seeing it.”
Nothing. Not a hint of impropriety. But Wandera continued to press. Its standard testing setup relies on several iPhones connected to Wi-Fi; it’s a lot of downloads, after all, so no reason to chew up all that data. But after striking out in the first round of analyses, the researchers decided to see what happened if they added a SIM card to the equation. And then they waited.
A few days later, 17 of the apps started reaching out to the same adware server.
“They had the intelligence to not just wait a few days, but to actually wait for other pieces of context to line up in the way that the developer wanted them to,” Covington says. In this case, the presence of a SIM card indicates that the phone belongs to a real person rather than a security researcher—or one of the many humans that screen apps for App Store approval.
It’s a simple evasion, but clever. More important, in this case it was effective. If you downloaded one of these apps, it would act perfectly normal until it was reasonably confident that you’re a genuine mark. At that point, it would reach out to its boss—the command and control server—which would instruct the app to turn your iPhone into an invisible click farm.
In an email, AppAspect Technologies pleaded ignorance, saying that it only found out about the issue after Apple had removed its apps, and that it’s working its way back to compliance. And in fairness, it’s entirely plausible that they had no idea that its apps were behaving this way. Developers sometimes incorporate code from third-party or unauthorized sources to build out their apps; borrowing from the wrong bin can easily—and accidentally—turn a speedometer app into something malicious. Apple’s been through that on a larger scale than this; in 2015, some developer forums hosted versions of its Xcode software tool with data-stealing code appended to it, resulting in dozens of infected apps sneaking onto devices.
