Wandera researchers have discovered 17 apps in Apple’s App Store that contained a clicker module, designed to perform covert ad fraud-related tasks such as opening web pages and clicking on links and ads.
The offending apps were free and fell into several application categories, including productivity, platform utilities, fitness, media and travel. The affected apps are:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio PRO – Internet Radio
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019 Pro
- Restaurant Finder – Find Food
- BMI Calculator PRO – BMR Calc
- Dual Accounts Pro
- Video Editor – Mute Video
- Islamic World PRO – Qibla
- Smart Video Compressor
- My Train Info – IRCTC & PNR
All except the last one had been published by the same developer, AppAspect Technologies Pvt. Ltd., though not all of the apps published by that developer contained the malicious clicker functionality.
We’ve been told that, during testing, the apps exhibited evasive behavior that was consistent with rather sophisticated malware. Ultimately, the researchers found that all the “infected” apps communicated with a single C&C server using a strong encryption cipher that they’ve been unable to break.
What’s interesting is that the C&C server was flagged a few months ago by Dr. Web researchers, as part of a similar clicker trojan campaign on Android. In that particular case, the “infected” Android apps were found to be gathering device information and configuration details, receiving instructions on which website addresses to open and which links to load and, in some cases, automatically subscribing users to expensive services.
The apps have been removed
Apple is doing a good job keeping malware and scammy apps out of the App Store but, of course, no vetting process is infallible. Trojanized apps have made it into the store before, and researchers have proven that there are ways to stymie Apple’s app review efforts.
Wandera researchers notified Apple of their discovery and the apps have since been removed from the App Store.
An Apple spokesperson told Help Net Security that 18 apps were removed for having code that allows for the artificial click-through of ads (a violation of their guidelines), and that they’ve updated their tools to detect future submissions of these types of apps.
The researchers noted that AppAspect Technologies also has a developer profile on Google Play, with 28 published apps. They tested them and found that none of these Android apps communicate with the aforementioned C&C server.
“However, additional research found that AppAspect’s Android apps had once been infected in the past and removed from the store. They have since been republished and don’t appear to have the malicious functionality embedded. It’s unclear whether the bad code was added intentionally or unintentionally by the developer,” they added.
Seeing that AppAspect Technologies’ developer account hasn’t been suspended by Apple, the latter case seems more likely.