The iOS App Store is 18 applications lighter today after the software was caught harboring malware that secretly clicked on ads, signed up punters for premium services, or deliberately overloaded websites.
Apple on Thursday pulled the apps, all written by India-based AppAspect, after confirming they were being used for click-fraud, generating cash for miscreants. While these types of programs are not uncommon, and can occasionally slip past the Android and iOS app store filters, there's a bit more to this story than your run-of-the-mill scamming operation.
The apps themselves are mostly productivity and news programs, many localized for users and services in India – think train timetables and such stuff. They are full and usable apps in their own right, so there is reason to believe the developer may not have known about the malicious activity lurking in its code.
According to the team at Wandera, which uncovered the malicious software and reported the apps to Apple, the programs connected to a command-and-control server to receive orders to carry out. Wandera counted only 17 apps to Apple's 18, as one application appeared in two regions, and so was double counted by the iGiant, though it is essentially the same code.
The control server would send the apps commands to do things like load advertisements, open website windows in the background, or even change a device's settings to subscribe it to expensive subscription services.
The existence of this machine has been known about for some time: it was associated with a previous takedown of apps from the same developer on Android.
"Additional research found that AppAspect’s Android apps had once been infected in the past and removed from the store. They have since been republished and don’t appear to have the malicious functionality embedded," Wandera said.
"It’s unclear whether the bad code was added intentionally or unintentionally by the developer."
It's possible, then, that the code to connect to the click-fraud server, both on Android and later iOS, was slipped in by a rogue developer or another scumbag without AppAspect's knowledge.
We've contacted AppAspect for its side of the story, and will update should we hear back. ®