Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

First iOS Malware Discovered In Apple's App Store

timothy posted about 2 years ago | from the still-a-pretty-good-track-record dept.

IOS 171

New submitter DavidGilbert99 writes "Security experts have discovered what is claimed to be the first ever piece of malware to be found in the Apple App Store. While Android is well known for malware, Apple has prided itself on being free from malicious apps ... until now. The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."

cancel ×

171 comments

Sorry! There are no comments related to the filter you selected.

First *malware* perhaps (5, Interesting)

GameboyRMH (1153867) | about 2 years ago | (#40554667)

...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.

Re:First *malware* perhaps (0, Flamebait)

tripleevenfall (1990004) | about 2 years ago | (#40554707)

Fair enough.

Score is now 1,000,000 serving 2. (unless you count the CarrierID stuff!)

Re:First *malware* perhaps (4, Interesting)

GameboyRMH (1153867) | about 2 years ago | (#40554753)

With users relying entirely on the app store's curation process for security and a relatively low interest from the computer security community on the platform, I'd bet there are a lot of apps doing shady stuff with iOS users' personal data right now.

Re:First *malware* perhaps (5, Informative)

GameboyRMH (1153867) | about 2 years ago | (#40554933)

Addendum: Looks like I'm right:

http://apple.slashdot.org/comments.pl?sid=2959773&cid=40554831 [slashdot.org]

Re:First *malware* perhaps (4, Informative)

jittles (1613415) | about 2 years ago | (#40554819)

I don't believe this is the first instance of iOS malware at all. Its the first time they have found it. And they only found it because the app author was stupid. There are probably tons of iOS apps that steal all of your contact info, you just have no way of knowing about it. I am pretty sure such apps have been acknowledged by apple in the past, and subsequently removed from the app store.

Re:First *malware* perhaps (3, Interesting)

Em Adespoton (792954) | about 2 years ago | (#40555115)

This isn't even the first time they've found it... functionally, the app does nothing that the Facebook app doesn't do, except for forge your SMS credentials. I doubt Apple's going to be pulling the Facebook integration from iOS 6 though....

TFA does not even have a smoking gun .. (-1)

Anonymous Coward | about 2 years ago | (#40554967)

This seems very ... fishy in general.. since yah theres literally thousands of "malware" starting with Google, Facebook, zynga and god knows how many others..

That every time you look at an app they have its sending an email (or trying to) to everyone you know to get them to particpate as well..

The trasnfer of funds to a different named company raises a red flag.. but not if that company is the real company and they are just the provider of the service etc..

The article seems to be fear mongering by a security company something they have been trying to do for ages..

Wtb indepedant proof that this is a legit threat and not just fear mongering and blowing smoke

Re:TFA does not even have a smoking gun .. (1)

blackest_k (761565) | about 2 years ago | (#40555713)

hmm same day that microsoft announced an android botnet no less. Guess it means if you want to be secure with your mobile phone you need to be using windows mobile 7... or 8 or something.

Or perhaps it's time to dump on the two main mobile o's in an effort to market windows phone.

Re:TFA does not even have a smoking gun .. (0)

Anonymous Coward | about 2 years ago | (#40556191)

More like no one gives a shit about an OS that has no marketshare.

Re:First *malware* perhaps (3, Insightful)

mystikkman (1487801) | about 2 years ago | (#40555113)

...but years ago there was a tethering app disguised as a flashlight app so it's been possible for a long time.

A tethering app is malware... but only according to Apple.
For their users, it's an extremely useful piece of software.

Are you sure? (5, Funny)

Minwee (522556) | about 2 years ago | (#40554715)

The app steals your contact data and uploads it to a remote server

So it's just iCloud?

sucks to be the 5 people to use this app (4, Funny)

alen (225700) | about 2 years ago | (#40554719)

i might download it just to give it some ranking in the top free apps

otherwise it will be lost in the ocean of apps

Re:sucks to be the 5 people to use this app (1)

Em Adespoton (792954) | about 2 years ago | (#40555129)

The App's in Russian -- there's likely very few users (other than security researchers) outside of iTunes Russia who've downloaded it (until now).

Trouble in paradise (2, Funny)

DigiShaman (671371) | about 2 years ago | (#40554729)

The garden walls have been breached! Oh noes!

Re:Trouble in paradise (-1)

Anonymous Coward | about 2 years ago | (#40554827)

In the time it will take you to read this just as many Android phones will be infected as iOS devices that have ever been infected from the Apple Apps Store.

Re:Trouble in paradise (2, Insightful)

Mister Whirly (964219) | about 2 years ago | (#40556307)

Oh, so becasue Android phones get infected too than that means we can all just pretend iPhones can't be. Brilliant! Thanks Anonymous Coward now I can go back about my business and stop all this ceaseless worrying!

Re:Trouble in paradise (3, Insightful)

jellomizer (103300) | about 2 years ago | (#40555119)

Well it was sneaky the way it got threw. In general what the App does in its description required it to pull all this data off your phone. Then it needed to send the data to the cloud to match the correct name to get their phone number. Thus, it seemed to do what it says with a normal code review.

Re:Trouble in paradise (0)

Anonymous Coward | about 2 years ago | (#40556287)

Well it was sneaky the way it got threw.

Correction: it was sneaky the way it got throne.

Re:Trouble in paradise (1)

camperslo (704715) | about 2 years ago | (#40555465)

The garden walls have been breached! Oh noes!

Don't worry, a fleet of drones disguised as Angry Birds are closing in on the miscreant developer. Perhaps you'd like to buy an app that controls them?

No doubt... (4, Insightful)

Shoten (260439) | about 2 years ago | (#40554735)

Some will say that the Apple App Store is "no longer secure." This is ridiculous. It took 5 years for the first malware to show up...that's pretty damned good. Nothing is impermeable, after all. But the real value is that the malware can easily be removed...and its source eradicated. So it's not only about keeping malware out via the App Store, but also in having a swift and flexible response option for just this sort of occasion. Good security fails gracefully and a good defense in depth allows for easy recovery, and it looks to me like Apple meets those criteria.

Re:No doubt... (4, Insightful)

unlucky ducky (2525132) | about 2 years ago | (#40554911)

This is the first found and publicly revealed malware, it does not necessarily have to be the first malware on the platform. We have no way of actually knowing whether there's already been other malware in the store before.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40556219)

But since the only way to get software onto the platform is through the App Store, that becomes irrelevant...unless you've jailbroken your device. And because jailbreaking voids your warranty, malware contracted through non-App Store isn't Apple's problem.

Re:No doubt... (1)

Anonymous Coward | about 2 years ago | (#40554953)

iOS would still be more secure if they applied the same options they do for location services to other sensitive functionality. That is let the user enable/disable it for specific apps.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555139)

They do this in iOS 6. Any app attempting to access data like your contacts will have to get your authorization to do so. I've had a few apps that apparently do this already that started prompting once I upgraded to the iOS 6 beta.

They have separate sections for calendar, contacts, photos, reminders, and location services.

Re:No doubt... (1)

adamstew (909658) | about 2 years ago | (#40555179)

They are starting to do this with iOS 6. I have they beta on my device and anytime an app wants access to your contacts, calendar information, reminders, and/or photos the OS asks the user if it's okay for the app to access such things.

Re:No doubt... (2)

CanHasDIY (1672858) | about 2 years ago | (#40555665)

They are starting to do this with iOS 6. I have they beta on my device and anytime an app wants access to your contacts, calendar information, reminders, and/or photos the OS asks the user if it's okay for the app to access such things.

In other words... Windows UAC.

Re:No doubt... (1)

mlts (1038732) | about 2 years ago | (#40555225)

Doesn't BlackberryOS do this? Apple really should take a page from that PlayBook and have permissions for apps accessing the phone or text items, contacts, music, and photos. It wouldn't add that much clutter, and it would add a lot of protection.

On the cheap, maybe Apple should see about licensing the Cydia app Protect My Privacy and building that into the OS. That way, if an app does go and access stuff it shouldn't, it will get results, although it will just get a random UDID and garbage in the fields.

Contact list protection would help immensely if an app glitches like Facebook's and starts overwriting or appending contact fields without permission.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555611)

Yeah, that's working real well for Android.

Re:No doubt... (2, Informative)

mlts (1038732) | about 2 years ago | (#40554993)

Once malware gets rooted out and Apple slams the banhammer down, it is a lot harder for a shady developer to get around closed accounts than on the Google Marketplace. This by itself keeps the bad guys on notice.

That is the main security mechanism of iOS which keeps the bad stuff at bay: As soon as Apple gets wind of something malicious or violating the rules, it gets tossed out immediately. The same action doesn't get repeated.

Now, once an app does get past the gatekeeper, it has a lot of room to play because only locations and alerts are granted/denied by the user. So, in theory, an app can copy pictures and contacts off, as well as send text messages all it wants. However, if users find something doing this, Apple squashes it.

Since Apple's reputation is on the line for security, the strong gatekeeper has shown that it is more secure than the weak gatekeeper/strong OS security of the Android ecosystem. Google needs to get with it and start having a tier of the Marketplace that requires apps to be actively approved, similar to what Amazon does.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555097)

fuck no it doesn't.
There's this old saying, I think it goes: "Those who'd give up freedom for security deserve their phone to be stuck on an endless loop of goatse, tubgirl,and 2girls1cup."

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555315)

As one AC to another, I keep thinking the same thing.

The parent is proposing a tier of the marketplace for approved apps, but that doesn't force the user to use them--and it shouldn't require anyone to use them.

I'm sick of this focus on security to the exclusion of everything else. Apple also has banned Pulitzer-prize winning artists from their store as well. Why don't we value that as much? The whole UEFI nonsense comes from this false idea that you need to give control over to someone else to have security.

Yes, if you require that *everything* on your fricking hardware needs to be approved by the corporation taking your money, then it will be more secure. But at what cost? Do we really want to sanction conflicts of interest (involving the person taking your money and providing your security) to have security?

We need another choice besides "open insecurity" and "authoritarian security." This is going down an unacceptable road.

Re:No doubt... (3, Insightful)

mlts (1038732) | about 2 years ago | (#40555623)

One answer would likely be tiers:

The first tier would be actively approved apps.

Then, if the user so chooses to set foot into Mordor, there can be a tier of apps that are downloadable almost immediately, and pulled if people justifiably report it as malicious.

This type of system has worked on jailbroken phones, where the App store serves one tier, and Cydia serves another. Since it takes a little bit of effort to JB an iPhone, generally someone is clued enough to be able to watch out for Trojans.

What this is protecting against, is arguably the biggest security hole of all; the user. Most smartphone users are not anywhere as savvy as a /. reader. The casual user will see an app that might offer "cool smilies", install it by reflex, and go on their merry way. On iOS, the damage a user can do is limited [1]. On Android, it is fairly easy to find apps that are malicious, and where a competent person would not install a fleshlight app that asks for full phone, GPS, contact, photos, and filesystem access (or even a prompt for a su), an inexperienced user will just click "install" nontheless, then scream that Android is insecure when they get bitten. iOS is designed to keep this from happening. Only beta code, Cydia apps, and enterprise apps are not coming through Apple's gateway. It is almost certain that the worst an iOS app can do is lighten the user's pocketbook due to its cost, or the cost of in-app transactions.

This isn't exactly the "dancing bunnies" security hole, but protecting the ignorant user from themselves is the difference between a platform having a rep as secure versus easily compromised.

I like both worlds. Have some barrier so a user doesn't exit the managed tier without a deliberate decision, then if they choose to, allow them to do what they want. This keeps the novices from footshooting while allowing people with a clue to use their device to the fullest.

[1]: Assuming the user doesn't JB, but generally if someone is clued enough to jailbreak, they will either know what they are doing, or end up having a clued friend DFU restoring their device and not do it again.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40556373)

Then, if the user so chooses to set foot into Mordor, there can be a tier of apps that are downloadable almost immediately, and pulled if people justifiably report it as malicious.

What is so bad about Pakistan [youtube.com] ?

Re:No doubt... (3, Interesting)

h4rr4r (612664) | about 2 years ago | (#40555509)

What stops that dev from spending another $99 on another dev account?
Not that hard or expensive to kill your old corporation, start another and get a new AMEX.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40556063)

What stops that dev from spending another $99 on another dev account?
Not that hard or expensive to kill your old corporation, start another and get a new AMEX.

You can bet that the Apple review process will be looking hard at similar apps from Russia from now on.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555089)

It took 5 years for the first malware to be identified. Who knows how many there are currently in distribution that no one has caught.

Re:No doubt... (1)

sl4shd0rk (755837) | about 2 years ago | (#40555229)

Some will say that the Apple App Store is "no longer secure." This is ridiculous.

Um.. allowing people to install malicious software from a source deemed 'trustable' is actually a pretty big security hole. What's more is now you need to ask the question: "How do we know there aren't more and how can we prove it?".

Re:No doubt... (4, Insightful)

amicusNYCL (1538833) | about 2 years ago | (#40555281)

Some will say that the Apple App Store is "no longer secure." This is ridiculous.

Right, it would be more accurate to say that it never really was "secure", it was just heavily audited. It shouldn't be a surprise to anyone that malicious apps will manage to sneak through the audits from time to time.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555351)

The app store never was secure. You should not trust an app just because you download it from the App Store.

This is similar to saying (for example) that the Yahoo home page is secure. It is not, malware has shown up in their advertisements.

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555367)

Spoken like a true zealot. Being the "first to show up" does not equal "first to exist". You have no idea that this hasn't been happening for years and as Apple find them, they remove them, silently. Furthermore, you have no idea when security people outside of your beloved cult decided to start looking in iOS malware.

Re:No doubt... (5, Insightful)

rolfwind (528248) | about 2 years ago | (#40555437)

Some people tend to have an all-or-nothing nature, especially when it concerns something they go partisan over - like Apple.

I've easily had dozens of arguments over the years where I argued Apple was the more secure solution for the average user, people responded with pwn to own or some such, and if I argued further, they just labeled me as a "fanboi" as if that ended the argument even if I argued the Unix underpinnings. Nevermind that I use W7 and Ubuntu myself, or that it's my own personal experience having to play tech support to an entire tech-challenged family that's both hardworking and lucky enough to afford to have a choice. Sure, I could put them on OpenBSD or HardenedLinux, but the first obstacle they run into, they say "Why can't I do yadayadayada" they'll go and find a way to install Windows on it, which is perfectly fine by itself, and start downloading mouse icons that look like toy trojan horses and what not.

The mindset of Y turns out to not be perfect, so it's on the same level of X, must originate from politics because the whole feel of the debate seems political. It's a retarded mentality to have, akin to cheering for wrestlers and their bogus storylines. It's sad that it has crept into tech so pervasively and that's what the whole last decade felt like on any issue - stupid partisan cheerleading for one side or the other, or booing against one side or another.

The truth of a walled garden is that it's the most practical solution for most consumers, who really don't or can't police what they're doing. I wouldn't want to live in one exclusively, nor would most geeks, but that's why they're geeks, they go above and beyond the artificial constraints and don't need the protection.

Re:No doubt... (1)

Post-O-Matron (1273882) | about 2 years ago | (#40556325)

The mindset of Y turns out to not be perfect, so it's on the same level of X, must originate from politics because the whole feel of the debate seems political. It's a retarded mentality to have, akin to cheering for wrestlers and their bogus storylines

While I agree with your analogy, the reason for the "Y ISN'T PERFECT! Y ISN'T PERFECT" mentality, is the "Y IS BETTER THAN X! Y IS BETTER THAN X!" mentality on the other side. This is the same cause for it in politics. As the (left|right) claims that their way of doing things is better and then mocks / forces it on the (right|left) responds by showing that the (left|right)'s way actually isn't perfect and then mock it / forces it way.

Re:No doubt... (1)

Post-O-Matron (1273882) | about 2 years ago | (#40556353)

OMG did I write this? I swear my English is usually better and I'm not drunk. Just didn't proof read... ><

Re:No doubt... (4, Insightful)

gl4ss (559668) | about 2 years ago | (#40555489)

it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

Re:No doubt... (4, Insightful)

Shoten (260439) | about 2 years ago | (#40556079)

it's not nearly the first ios app that sends contact infos off the phone for no particularly good reason.

Very true...but despite my best efforts to raise awareness, Facebook has yet to be classified as a very large botnet :)

Re:No doubt... (0)

Anonymous Coward | about 2 years ago | (#40555731)

FWIW I have submitted a moderately popular app which, following a particular response from the server, uploads full contact data without user permission (instead of specific contacts with explicit user permission). This means that you could target particular individuals of importance (or even your ex) to find out information about their relationships etc. I've tried to make the behaviour un-obvious from looking at the source, i.e. "feature with unintentional side effects" sort of bug, in the hope that it's compiled down to something also non-obvious. Not that I expect Apple to do any sort of decent static or dynamic analysis.

~1.5 years later, it's still there.

I know of at least one other person who tried something like this, and his app was quietly pulled with a stern word from Apple.

The point is that Apple isn't interested in making a secure platform. They're merely interested in making a platform with the *appearance* of security. This in turn means little interest in Apple from the security community - everyone knows what you can get away with already and it's not much of a challenge. Contrast with Google who are pretty good with their disclosure.

Put another way, it's /really hard/ to get to the point of a mature set of tools for binary vulnerability analysis. The Windows platform has been there for a good decade. OS X is getting there. Android's there because, well, whatever the OSS zealots say, it's a lot easier to find problems when you've got the source.

Re:No doubt... (4, Interesting)

Crudely_Indecent (739699) | about 2 years ago | (#40555853)

It took 5 years for the first malware to show up.

Wrong! It took 5 years for the first malware to be identified and publicly acknowledged.

How many more exist secretly, awaiting a clever analyst?

Re:No doubt... (2)

stephanruby (542433) | about 2 years ago | (#40556073)

Some will say that the Apple App Store is "no longer secure."

Who cares about the Apple App Store no longer being secure if the iPhone itself lost that claim long ago? You iPhone users are just playing with semantics here. If your iPhone can be compromised by just being directed at a web site (as it did a while ago), it really doesn't matter much if the App Store is secure or not.

Besides, I'm not even sure if the latter claim of the Apple App Store being secure is that true to begin with. Many iTunes users, including some app developers, have had their iTunes account credentials stolen and their account hijacked. In my opinion, that vulnerability at the server-side is just as bad as the previous iOS vulnerability on its client-side, since your iTunes account is pretty much used for everything -- including developer accounts.

And the last time I checked, which granted is over one year ago (so my information is hopefully outdated by now), google users could add 2-factor authentication to their account, but iTunes users still couldn't.

App is/was also available for Android (5, Informative)

Anonymous Coward | about 2 years ago | (#40554743)

So they targeted both groups.

This isn't new! (0)

Anonymous Coward | about 2 years ago | (#40554789)

The app steals your contact data and uploads it to a remote server before sending spam SMS messages to all your contacts, but the messages look like they are coming from you."

That is exactly what WhatsApp Messenger does. They take all your contact info (you agreed to the terms of use) and sends spam to your contacts.

I have no idea why WhatsApp is so popular.

It's instant messaging, but limited to cell phones.

There are many other IM networks that are available for mobile, with an existing large installed base: google talk, msn messenger, ICQ, etc. WhatsApp has no advantages over the existing IM networks. I just don't get it.

Re:This isn't new! (2)

GameboyRMH (1153867) | about 2 years ago | (#40554899)

Damn, I knew it was a useless locked-in piece of shit, but I didn't know it was malware! And just today I told a coworker that it was fine to use (apart from the lockin and relative uselessness) on Blackberry.

Re:This isn't new! (1)

the_B0fh (208483) | about 2 years ago | (#40555087)

since when does it spam your contacts?

Not surprising... (5, Informative)

Anonymous Coward | about 2 years ago | (#40554831)

One of my beefs about iOS is that even though it will ask the user if an app attempts to use the GPS or notification, there are plenty of juicy things that can be obtained and copied elsewhere. Photos are protected against being deleted, but they can be slurped up and copied off without the user knowing. Same with contacts and music.

I'm surprised this was caught. If a person jailbreaks their device and runs PMP (Protect My Privacy) and Firewall IP, they will see a lot of apps digging in places where they shouldn't be, and sending lots of data to sites that have zero relevance to the task at hand. One major news app connects to so many sites without DNS (just via IP addresses) that I ended up just blacklisting all but the few sites it gets news info.

I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.

Re:Not surprising... (5, Insightful)

samkass (174571) | about 2 years ago | (#40555117)

Yeah, this is fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, Photos, and after the fact you can see who requested it, who currently has access, and toggle them.

My only complaint is that the App Store doesn't give you this information before you download the app. Developers should have to declare that they want to access any of these things (and show ads, and have in-app purchases), and the App Store listing should contain the information about what the app is going to want to do before you buy it.

Not for my iPad 1 (0)

Anonymous Coward | about 2 years ago | (#40555607)

It's annoying that apple aren't implementing this security feature in iOS 5 (which will be the latest version of iOS that my iPad 1 will be able to run)

Re:Not surprising... (1)

farble1670 (803356) | about 2 years ago | (#40555695)

My only complaint is that the App Store doesn't give you this information before you download the app.

android has done with since it's inception, both for app store installed and side-loaded apps.

Re:Not surprising... (0)

Anonymous Coward | about 2 years ago | (#40555779)

Yeah, this is fixed in iOS 6. Separate prompts for Location, Contacts, Calendars, Reminders, Photos, and after the fact you can see who requested it, who currently has access, and toggle them.

Welcome to the club. Blackberry did that about 8 years ago, if not longer.

Re:Not surprising... (1)

trptrp (2041816) | about 2 years ago | (#40555947)

yes, that would be the way to go.

But I hate the App Store. I doesn't help you separate the wheat from the chaff.
There are some good apps that don't phone home at all, but the norm is to at least contact hockeyapp or another usage-info-collector.
That's why I use Firewall IP.

Re:Not surprising... (1)

Em Adespoton (792954) | about 2 years ago | (#40555177)

I would say where the rubber meets the road, iOS has been more secure, because Apple guards the gateway and does it well. However, if anything malicious does make it past, it can have a field day.

...for a limited time. Apple pulled the app from the store almost an hour before this hit Slashdot.

As for this being caught... that doesn't take much: all it takes is the first few people complaining about you spamming them via SMS, and the gig is up.

Re:Not surprising... (1)

Anonymous Coward | about 2 years ago | (#40555925)

So there is no problem, malware will get caught.

But wasn't Apple supposed to filter all stuff before it hits the public? This does show errors will be made and malware will be able to get permission from the guardian to be installed.

Just maybe... (1, Funny)

kiriath (2670145) | about 2 years ago | (#40554897)

Maybe these are the bastards that broke Angry Birds!!!!!!11 =D

Details missing? (2)

bhlowe (1803290) | about 2 years ago | (#40554907)

Any estimate of the number of people who installed it and ran it? Did it have a useful function that would get people to install it from the 500K other iOS apps? Did the app have any ratings that suggested that it was worth installing? Was the app Russian language only? (English language apps probably get more scrutiny, since the app reviewing is done by Apple in Cupertino...) Did anyone check with PayPal to see if the account has been closed and if refunds are due?

Inspected by ?? (1)

jdastrup (1075795) | about 2 years ago | (#40554923)

Does anyone know how the app approval process works exactly? Is there 1 person or a team responsible for every app submitted? Do they only look at the inputs/outputs and overall UI, or do they look at every line of code? For example, what if I write a game that does something malicious on level 39, beyond what the Apple inspectors will likely reach in playing the game during the review process? And what if Level 39 is not anything malicious on the network, contact, sms, phone level, but just displays something that may be considered malicious or against Apple policy, e.g. pornographic images? Just seems to me that there has got be ways to get past their inspection process if you know what it is, or even by guessing.

Re:Inspected by ?? (1)

kagaku (774787) | about 2 years ago | (#40554995)

You'd likely get that past the inspections, but once discovered it would be quickly removed.

From what I hear, the reviewers do a combination of testing the application (and for anything that has an online/account component, they request a fully functional unrestricted account to test with) and analyzing the application with tools that look for usage of private/restricted frameworks. I'm sure there is more to it, but they're definitely not going line-by-line through the code. When you submit an app to the app store, you're not submitting your source code - you're only submitting a final version of the application binaries.

Re:Inspected by ?? (1)

Em Adespoton (792954) | about 2 years ago | (#40555295)

The app itself doesn't really do anything malicious -- it snarfs down your address book and grabs your SMS ID -- which are things done by countless other apps. The malicious bit is all done server-side, where the "company" sends promotional SMSes out to everyone in your address book, spoofing your SMS ID. ...and the App was removed within an hour of Apple being made aware of the situation.

Let me be the first to say that... (-1)

Anonymous Coward | about 2 years ago | (#40554935)

ANDROID SUCKS!

Re:Let me be the first to say that... (-1)

Anonymous Coward | about 2 years ago | (#40554947)

First one to say that? Really? I've been saying it for years.

Re:Let me be the first to say that... (-1)

Anonymous Coward | about 2 years ago | (#40555261)

Troll Troll Troll your post ...

I thought apps needed permission to see contacts (2)

mark-t (151149) | about 2 years ago | (#40554989)

I thought Apple had, in a fairly recent iOS update, made it so that an app couldn't just silently query a person's contact data... that the application would need to declare to the OS that it was going to do this, the OS would then check with the user to see if it was okay. If the user hadn't given permission, I thought trying to access the contact data from an app would be futile.

Again, this was just my understanding here... so either this is only an issue with older iOS versions, or else my understanding is completely borked, and I have no idea what I'm talking about.

Re:I thought apps needed permission to see contact (1)

adamstew (909658) | about 2 years ago | (#40555269)

They are doing it in iOS 6, which hasn't been released yet. It is in Beta and should be released in the next couple of months.

Why doesn't this count?! (4, Funny)

Pulse301 (1146221) | about 2 years ago | (#40555029)

InstaStock was malicious and was available on the app store. Why doesn't it count as the first?

Apple approval process (0)

Dwedit (232252) | about 2 years ago | (#40555065)

This is just proof that Apple's rigorous app approval process consists solely of a dartboard.

Re:Apple approval process (2)

mr100percent (57156) | about 2 years ago | (#40555175)

865,000 apps approved for the App Store, and yes, one got through. And you think it's nothing more than Apple randomly selecting apps to let in.

Re:Apple approval process (3, Insightful)

MachDelta (704883) | about 2 years ago | (#40555237)

It would be more accurate to say one got caught. There could be others running wild that have slipped the net.

Re:Apple approval process (0)

Anonymous Coward | about 2 years ago | (#40555603)

You could say that about ALL OSes. Maybe rootkits are in half of all Windows 7 installations that nobody knows of.

Re:Apple approval process (1)

MobileTatsu-NJG (946591) | about 2 years ago | (#40556023)

Serious question: How do they get caught on Android?

Re:Apple approval process (1)

mlts (1038732) | about 2 years ago | (#40556367)

I've caught some apps by looking at the permissions asked for. For example, a game that asks for everything under the sun.

Then, when you look at the reviews, they are short and pithy, or consist of text like "App work[sic] great!".

That is when you know it isn't something you want on your device.

What is ironic is that I've yet to encounter an app that would request root permissions via su that isn't supposed to. I'm pretty sure it is because I refuse to install any app that requests irrelevant permissions, but it is sort of surprising that the baddies have not taken the tack of popping up a su prompt randomly. Maybe because users who root their phones would get very suspicious very fast.

I'm sure users who install it will find out it isn't up to snuff when all their contacts first get barraged by text messages from that device, then spam outlets as the contact data gets imported into the spammer databases.

Re:Apple approval process (1)

amicusNYCL (1538833) | about 2 years ago | (#40555325)

865,000 apps approved for the App Store, and yes, one got through

that you know of

From you? (2)

dimer0 (461593) | about 2 years ago | (#40555199)

Was curious how these guys could send text messages to people looking like they came from you (because there's no way for an app to get its hands on your phone number) - but realized from TFA that the user was prompted to enter their mobile phone number into a text box (and no validation was done on that). So, for idiots, it might look like it was coming from you. But there's no F'in way I'm entering my phone number into an app I download from the app store.

Re:From you? (1)

tlhIngan (30335) | about 2 years ago | (#40555771)

Was curious how these guys could send text messages to people looking like they came from you (because there's no way for an app to get its hands on your phone number) - but realized from TFA that the user was prompted to enter their mobile phone number into a text box (and no validation was done on that). So, for idiots, it might look like it was coming from you. But there's no F'in way I'm entering my phone number into an app I download from the app store.

Odd, considering there are APIs to get the phone number already. Especially since well, your phone should know its number already.

I find it interesting though that since the iOS APIs disallow sending SMSes without user confirmation, that they have to be using a third party SMS service. An interesting runaround to the iOS restrictions in that case.

Time for Apple to tell us who the offender was... they have their name and address after all.

Gone already (1)

Arkham (10779) | about 2 years ago | (#40555289)

The app is already gone off the App store, at least in the US.

Stopping malware (3, Interesting)

DaMattster (977781) | about 2 years ago | (#40555313)

One way to stop the proliferation of malware in these so-called app stores is to not allow the submission of binaries. Force the author to submit source code instead so it can be audited and then have Apple build the binaries. Apple could then put the binary through its paces to see how it behaves. I'm not necessarily advocating this method because there are multiple points for abuse but it is one way to thwart the problem. It would force the would-be malware writers to innovate and adapt and that would not be easily done.

Re:Stopping malware (1)

aardwolf64 (160070) | about 2 years ago | (#40555649)

Apple can easily decompile the binaries. That's how they know if you're using private APIs.

Copying google again? (1)

thetoadwarrior (1268702) | about 2 years ago | (#40555337)

Next thing you know they'll have to get their own botnet for the iphone and it probably won't even be compatible with the android botnet and they'll patent it, obviously.

The real news (0)

Anonymous Coward | about 2 years ago | (#40555339)

Is it's sending an SMS!

My boss has yet to figure out how to do that with his glass brick. I always get MMSes, (which don't make a noise... hrm... maybe I shouldn't complain)

Meh (3, Insightful)

WankerWeasel (875277) | about 2 years ago | (#40555457)

It was also available in the Google Play store too. With the hundreds of thousands of apps that they have to review, it was bound to happen sooner or later. Plenty of apps grab your address book info including the Facebook app. What it does with them Apple has little control over. Facebook could choose to spam them on their server side and Apple couldn't prevent it (other than no longer allowing apps to access contact info).

Thank you very much for sharing (0)

Anonymous Coward | about 2 years ago | (#40555481)

This is an enlightening bit of information.

While Android is well known for malware, Apple has prided itself on being free from malicious apps

I now have an excellent go-to example of what "begging the question" is. Great work!

its not the first and its not malware but... (1)

zr (19885) | about 2 years ago | (#40555491)

...it drives traffic so why not.

this is buggy beta software. guess what, beta software has bugs, some bugs are worse than others. this one went all the way to eleven.

Re:its not the first and its not malware but... (0)

Anonymous Coward | about 2 years ago | (#40555711)

I mod the wording of the submission as -1 Flamebait.

It can't be the only malware (1)

DrXym (126579) | about 2 years ago | (#40555537)

It's impossible for Apple to review every program or test it to a degree to ensure it's safety. All the bad guys need to do is produce a seemingly useful application which calls home for legitimate purposes, make it work as advertised and the remotely flip switch at some point into malicious mode. The malicious code could be obfuscated. It would be trivial to do and the bad guys would clearly know that too.

iSnitch (1)

srussia (884021) | about 2 years ago | (#40555581)

Is there no "Little Snitch" app out there?

android well-known for malware? (4, Insightful)

farble1670 (803356) | about 2 years ago | (#40555613)

While Android is well known for malware,

in theory, and not in practice that is. the *only* thing that makes android more vulnerable is apple's more severe vetting for apps in their store, and the fact that android apps can be "side loaded", or installed from arbitrary sources (other than the google play store). side loaded is disabled by default and must be explicitly enabled by the user after subjecting them to a scary warning dialog.

android security model of fine-grained permissions that are presented to the user before the app is even installed is superior to iOS. what android doesn't do is protect users from their own stupidity. read the permissions. if you choose to go ahead and install that flashlight app that requests permission to the internet and to read your contacts, you'll get what you deserve.

Re:android well-known for malware? (0)

Anonymous Coward | about 2 years ago | (#40555813)

dude, android IS the malware.

Re:android well-known for malware? (0)

joh (27088) | about 2 years ago | (#40556303)

The fine-grained permissions are informative but nothing more. You either accept them or not install the app. There's no actual control for the user. I really, really hate that.

Re:android well-known for malware? (1)

farble1670 (803356) | about 2 years ago | (#40556405)

The fine-grained permissions are informative but nothing more. You either accept them or not install the app. There's no actual control for the user. I really, really hate that.

first, it's better to know before hand so you can avoid the malware getting on your device. one it is installed, who knows that it has done.

second, it would not be practical for an app to be written to gracefully handle the user accepting or denying all possible combinations of permissions. well, maybe that's too strong. at the very least, it'd be a pain in the arse. if you were a developer you'd thank your lucky stars that it works like this.

Malware on my teh spyPhone? (0)

Anonymous Coward | about 2 years ago | (#40555681)

But Steve'o said it's Unpossible!1

thought it was (1)

PieceOfShitAndroid (2538056) | about 2 years ago | (#40555805)

i thought it was going to be a story about the Facebook app. Oh well.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>