Apple wages battle to keep App Store malware-free

Thousands of apps have been found in recent weeks with potentially malicious components

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.

Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.

While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. 

Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation for being high quality and malware free. Apple officials didn't have an immediate comment.

"The common theme we are seeing is this new wave of attacks against iPhones and against iOS," said Peter Gilbert, a mobile software engineer with FireEye, in an interview.

That's worrying for enterprises tasked with keeping corporate data and passwords entered on employees' mobile devices out of the hands of hackers.

Apple reviews apps submitted by developers for its store. That process has somewhat rankled developers, who have complained the process is too slow.

The upside is that the App Store has not had the same problems with malware as Google in its Play Store for Android devices.

But hackers are now "really looking for ways to get vast numbers of apps in the App Store in these legitimate channels and getting past whatever the barriers that are put up there," he said.

Those efforts appear to be largely centered in one place: China.

On Wednesday, FireEye said it discovered 2,800 apps in the U.S. and Chinese versions of the App Store that contained a potentially malicious code library used to deliver advertisements.

The ad library, mobiSage SDK, was developed by a Chinese company called adSage. The library had been incorporated into the apps by developers, who may have been unaware it had data-stealing capabilities. FireEye nicknamed the scheme iBackDoor.

Gilbert said the ad library was capable of loading JavaScript from a remote server. It would then be possible to take screenshots, capture audio or monitor a device's location. 

AdSage, based in Beijing, couldn't be immediately reached for comment. It has since released an updated version of the mobiSage SDK, which does not have the backdoor capability. 

Gilbert said it's possible that someone took AdSage's product, added the malicious capabilities and then made it available for developers.

The latest finding adds to other recent issues in the App Store. 

In mid-September, Palo Alto Networks found 39 apps that had been built with a modified version of Apple's Xcode development tool. That version, dubbed XcodeGhost, could add hidden malicious code to any app compiled with it.

A few days later, the mobile security company Appthority found 476 apps infected with XcodeGhost. Then FireEye said the problem was much worse: it uncovered 4,000 apps containing XcodeGhost.

The larger question is how the apps were able to bypass Apple's review.

David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.

Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.

But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.

The mobiSage SDK case is fuzzier: the ad library doesn't do anything outright malicious on its own, which is possibly why Apple gave it a pass into the store, Richardson said.

Still, FireEye labeled the apps using it as "high risk" in its blog post.

Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.  

"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.

There are a couple of methods for reviewing code. Static analysis inspects the code itself without running it, while dynamic analysis runs the application and watches how it behaves.

But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.

A cursory review of an app may not be able to detect if one was developed using the counterfeit version of Xcode or the legitimate version, he said.

The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.  


Jeremy Kirk

IDG News Service