Information regarding the protection offered

[Massimiliano]

One request to @treed or other Malwarebytes for iOS staff members.

I would be interested to know if Malwarebytes for iOS offers protection against apps similar to the 17 developed by AppAspect Technologies Pvt. recently discovered on the AppStore by Wandera Threat Labs (which contain Malware that can be activated later via C&C server) and promptly removed by Apple or if it is possible to implement a protection of this type if it is still not present or alternatively what a user can do to protect himself from this.

Thanks

Regards

Massimiliano

[alvarnell]

Generally speaking, Apple rules do not allow apps to monitor other apps, so users must rely on Apple Security and Engineering to properly vet apps to ensure they aren't doing such things.

And from what I was able to gather from the researcher, it's not necessarily malware in that it doesn't do anything malicious to the user. It's designed to produce revenue for the developer by faking clicks on ad links. That should have a negligible impact on the user. It's the folks that sponsor the ads that are being ripped off.

[exile360]

On 10/26/2019 at 4:28 PM, alvarnell said:

It's designed to produce revenue for the developer by faking clicks on ad links. That should have a negligible impact on the user. It's the folks that sponsor the ads that are being ripped off.

True, the impact is likely negligible, however it is going to consume precious CPU cycles simulating those clicks on the user's device so at least in my opinion it is definitely still malware in the same way that crypto-currency miners are malware (and the reason that Malwarebytes blocks them).  Just like adware that embeds links in words on webpages in a user's browser and other less 'obvious' threats, this is just another scam being used by the bad guys to get paid at the expense of the user and if it can be blocked it should be, at least in my opinion.

[alvarnell]

I would have to see statistics on the impact faking clicks has on the CPU, but can’t imagine it’s even close to what crypto mining does to battery life when active. I’m under the impression that crypto mining only happens during idle times, so CPU use isn’t the issue there. But again, I’ve not really seen any definitive information on exactly how and when these apps do their thing.

I still see no way that such activities could be blocked by a 3rd party in an iOS environment. I’m sure Apple could test for such activity before allowing them on the shelves of the App Store, and that needs to be the first line of defense in cases such as this. What these apps are doing is certainly fraudulent and should be illegal. I’m just not sure that anyone is willing to prosecute, which is ultimately what it will take to stop it. Apple should at least make every attempt to keep it out of their garden.

[exile360]

Oh yeah, I'm sure it's nowhere near that significant, it's just not something they should be allowed to do regardless.  Unfortunately smart coders can always have this kind of functionality lay dormant within an app and push out an update/script to make it start doing the bad thing again after it has been tested/checked by Apple to get into the store (many games and other apps have done the same where they would disable ads and other unwanted functionality initially, but then activate it later on once they'd made it into the web store for both Google and Apple as I recall).

[alvarnell]

14 minutes ago, exile360 said:

smart coders can always have this kind of functionality lay dormant within an app and push out an update/script to make it start doing the bad thing again after it has been tested/checked by Apple to get into the store

From the research, that would appear to be the case with these. They reportedly check with a C&C server for orders to turn on. Not the first time Apple failed to vet external communications.

[exile360]

Yep, it's happened with several adware and Trojan apps in both the Apple and Google web stores (and would probably happen to Microsoft Store apps as well if anyone ever actually wrote anything for it ).  It makes it tough for these 'secure' stores to stay secure unfortunately, and just makes the case for opening up these walled gardens to legitimate security applications that can do the job that these stores can't; keeping an eye on applications actively on users' systems/devices and stopping any malicious/unwanted behavior and malicious connections as or before they occur rather than just responding after the damage has been done to countless users and it has been reported to them.  These closed systems/devices are supposed to be more secure, but in my opinion they're anything but specifically because they don't allow anyone from the outside to analyze what's going on with the entire device and other apps installed on it.

[alvarnell]

👍