Security researchers have discovered 17 apps on the Apple App Store that are infected with clicker trojan malware.
According to a blog post by Wandera, the malware is designed to generate revenue for hackers by fraudulently inflating traffic on pay-per-click websites. It can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
A C&C server was used to communicate commands to the infected apps, which could trigger targeted advertising, silent loading of websites and remote reconfigurations on the device. According to the research, one example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.
The apps listed by the security company span categories including productivity, platform utilities, and travel. All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies, says the Wandera blog post.
"The apps identified by Wandera communicate with the same (command and control) server using a strong encryption cipher that the researchers have not yet cracked," Wandera’s report said.
"Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details."
Wandera disclosed its findings to Apple, which as a result has taken down all the compromised apps, except for two that Wandera continues to monitor: My Train Info – IRCTC & PNR and Easy Contacts Backup Manager. The iOS app was not available when the report was published, while the Android app was available on Google Play.
"However, additional research found that AppAspect’s Android apps had once been infected in the past and removed from the store. They have since been republished and don’t appear to have the malicious functionality embedded. It’s unclear whether the bad code was added intentionally or unintentionally by the developer," said the report.
Sam Bakken, senior product marketing manager at OneSpan, told SC Media UK that there is no telling how secure users' devices are or whether they're infected with malware.
"We can't depend on Google or Apple to ensure the security of the environments within which apps run. Additional action must be taken," he said.
"For example, using mobile in-app protection and app shielding provides an extra layer of protection beyond that provided by the platforms (Android or iOS) or the app stores. App shielding monitors the app, regardless of where it's installed, to ensure its execution environment is safe and secure to shut down any malicious behavior before it's too late."
Bakken added that these mobile trojans lay dormant for days on a device so that Apple would be unlikely to detect this malicious behaviour.
"In the case of business-critical and high-value apps, such as mobile financial services, developers need to pay as much attention to the security of their iOS apps as I hope they already do to the security of their Android apps," he added.
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that the device owner who downloaded the malware is not the real victim here.
"In the case of click and ad fraud malware, the victim is the targeted ad provider. Bad bots, such as this particular malware, result in wrongful advertisement pay-outs and billing, skewed statistics and will eventually lead to a bad reputation and loss of business. The only way for ad providers to protect themselves is to implement bot management solutions to differentiate the good versus bad bots and provide protection against OWASP Top 21 automated threats," he said.