More than a dozen iOS apps infected with clicker Trojan malware and distributed via the Apple App Store were found to perform ad fraud-related tasks in the background, using the command and control servers of a similar Android ad fraud campaign.

The malware module bundled with the 17 iOS apps is designed to communicate with a previously known command and control (C2) server and it simulates ad clicks and opens web pages in the background without the need of user interaction, thus carrying out an ad fraud campaign by abusing all iPhones, iPads, and iPods it compromises.

"The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic," researchers at Wandera Threat Labs explain.

"They can​ also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network."

The infected apps' icons (Wandera)

All these malicious apps are created by India-based AppAspect Technologies Pvt. Ltd., a developer that published a total of 51 apps in the Apple App Store and also has 28 Android apps in Google's Play Store.

As Wandera's research found, the Android apps do not exhibit any malicious behavior related to the C2 servers used by the dev's iOS apps but "AppAspect’s Android apps had once been infected in the past and removed from the store" to be republished at a later date.

At this point, the researchers say that it's not clear if the malicious code was added intentionally by the apps' developer or unintentionally after including a compromised third-party framework.

Designed for ad fraud

The malicious iOS apps were distributed as part of a diverse array of categories including but not limited to productivity, platform utilities, and travel, as a contacts directory, a speedometer, or a BMI calculator.

"We tested all of the free iTunes Applications of the developer and the results show that 17 out of the 35 free applications are all infected with the same malicious clicker functionality and are communicating with the same C&C server," the researchers said.

Wandera's researchers also shared the full list of iOS apps known to be infected with this clicker Trojan module — they have all been removed from the App Store except for My Train Info - IRCTC & PNR:

• RTO Vehicle Information

• EMI Calculator & Loan Planner

• File Manager - Documents

• Smart GPS Speedometer

• CrickOne - Live Cricket Scores

• Daily Fitness - Yoga Poses

• FM Radio PRO - Internet Radio

• My Train Info - IRCTC & PNR​ (not listed under developer profile)

• Around Me Place Finder

• Easy Contacts Backup Manager

• Ramadan Times 2019 Pro

• Restaurant Finder - Find Food

• BMI Calculator PRO - BMR Calc

• Dual Accounts Pro

• Video Editor - Mute Video

• Islamic World PRO - Qibla

• Smart Video Compressor

Connected to an Android ad fraud campaign

The C2 server used by this iOS clicker Trojan module to communicate with its operators was first spotted ​by researchers at Dr. Web​ as part of a very similar Android clicker Trojan campaign.

As they reported at the time, the Android clicker Trojan malware was bundled with over 33 apps distributed through the Google Play Store and was downloaded by users over 100 million times before the apps were removed from the store — unfortunately, Apple's App Store does not provide app install stats so it's impossible to know how many people had their iOS devices used in this ad fraud campaign.

The Trojan dubbed Android.Click.312.origin would activate 8 hours after the apps were launched to evade detection. Another variant named Android.Click.313.origin was later discovered by the Dr. Web researchers while analyzing the malicious campaign.

Once executed on the compromised Android devices, the malware would start collecting system info like the OS version, the device's manufacturer and model, the user's country of residence, the internet connection type, the user's time zone, and info on the app with the clicker Trojan module.

The info was then archived and delivered to the C2 server that replied with info on commands and new modules to be executed and installed.

Doctor Web's research team advises developers to "responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software."

Wandera told Bleeping Computer that the iOS and Android ad fraud campaigns share the same C2 infrastructure and that they are currently investigating additional IOCs that surfaced as a result of this research and will publish a follow-up.

Protecting your mobile device and your data

"This discovery is the latest in a series of bad apps being surfaced on an official mobile app store and another proof point that malware does impact the iOS ecosystem," Wandera's researchers concluded.

"Mobile malware is still one of the less frequently seen threats in the wild, but we are seeing it used more in targeted attack scenarios."

Users are advised to check if the apps they install come from legitimate developers and have good reviews and to always make sure that they do not request more permissions that they would need to function properly.

Wandera also recommends installing a mobile security solution that would block malicious apps from communicating with their C2 servers to protect your data from being harvested and stolen.

Using security software to protect your device can also help drastically limit a malware's functionality and eliminate at least some of its destructive potential.