Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.

The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.

Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

Why we classify this as malware

Clicker Trojan is a well-understood class of malware that performs ad-fraud by making frequent connections to ad networks or websites in order to artificially inflate visitor counts or to generate revenue on a pay-per-click basis.

This classification is consistent with that used by others in the security industry, such as Malwarebytes and F-Secure.

About the infected apps

The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:



All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

At the time of research, this developer has 51 apps published on the App Store (note there is one infected app live on the App Store that doesn’t appear under the developer profile – My Train Info).

We tested all of the free iTunes Applications of the developer and the results show that 17 out of the 35 free applications are all infected with the same malicious clicker functionality and are communicating with the same C&C server.

This C&C server was first reported by Dr. Web as part of a very similar clicker trojan campaign on Android.

About the C&C server

According to the Dr. Web research, the C&C server was used to communicate commands to the infected apps which could trigger targeted advertising, as well as the silent loading of websites, and remote reconfigurations on the device. One example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.

The apps identified by Wandera communicate with the same C&C server using a strong encryption cipher that the researchers have not yet cracked. According to Dr. Web’s report, Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details.

The potential implications of C&C infrastructure in an app

Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.

There are plenty of examples of new vulnerabilities being discovered that result in private user data being lost and the sandbox being broken. Apple has even been known to inadvertently reintroduce previously published vulnerabilities into their product.

Examples of relevant iOS vulnerabilities and exploits:

More about the developer

Wandera’s research shows that the iOS developer AppAspect Technologies has leveraged the same C&C server as identified by Dr. Web.

AppAspect Technologies also has a developer profile on the Google Play Store with 28 published apps currently. Wandera tested these AppAspect apps and discovered that the Android apps by this developer were not communicating with the identified C&C server.

However, additional research found that AppAspect’s Android apps had once been infected in the past and removed from the store. They have since been republished and don’t appear to have the malicious functionality embedded. It’s unclear whether the bad code was added intentionally or unintentionally by the developer.

Our responsible disclosure process

Apple’s App Store does not offer a well-defined process for reporting malicious apps. However, prior to releasing this research, we engaged directly with the team at Apple–who we’ve worked with in the past–that handles the company’s product security.

When Wandera’s Threat Research team discovers a vulnerability — regardless of whether it’s found in an operating system, mobile app or website — our priority is to engage the affected vendor (in this case Apple) as quickly as possible to share relevant information and recommendations that will result in neutralizing the threat.

As a company policy, we don’t engage with malware developers. Our focus is on removing active threats from users and helping legitimate developers to correct vulnerabilities in their code.

Apple’s response

Apple has taken down all the compromised apps, except for two that we continue to monitor: ‎My Train Info – IRCTC & PNR and Easy Contacts Backup Manager.

According to this Help Net Security article: ‘An Apple spokesperson told Help Net Security that 18 apps were removed for having code that allows for the artificial click-through of ads (a violation of their guidelines), and that they’ve updated their tools to detect future submissions of these types of apps.’

Recommendations

This discovery is the latest in a series of bad apps being surfaced on an official mobile app store and another proof point that malware does impact the iOS ecosystem. Mobile malware is still one of the less frequently seen threats in the wild, but we are seeing it used more in targeted attack scenarios. Techniques like those used in this example also point to more instances of malware being introduced into official app sources, making it more accessible to everyday consumers and mobile workers alike.

As always, we recommend that mobile-enabled businesses undergo some form of app security vetting to ensure apps, especially free apps, are trustworthy, ie., have good reviews and legitimate developer profiles, and don’t request unnecessary or high-risk app permissions.

Additionally, for both BYOD and corporate-liable devices, Wandera recommends having a mobile security solution installed on mobile devices that can block C&C traffic and any outside connections bad apps try to make to ensure your sensitive data remains protected. This helps to ensure that even if malware is installed on the mobile device, that its functionality is severely limited and organization data is protected.

* Wandera’s initial list of infected apps included two instances of cricket score app ‘CrickOne’ that were hosted on different regional App Stores and contain distinct metadata. After careful review, we confirmed that these apps utilize the same codebase. Therefore, the total number of infected apps was adjusted to 17 to account for this discovery.