Seventeen infected apps were discovered in the Apple App Store.
The apps contained a Trojan clicker type of malware, which communicated with a known command-and-control server to simulate user interactions. Clicker malware is usually deployed for ad fraud, and this case is no exception.
According to Wandera researchers, the Trojan clicker in these apps is designed to perform ad fraud in the background of affected devices. This includes opening web pages and clicking links, without the need for any user interaction.
All these activities are done with one thing in mind – revenue. The revenue is generated for the attackers’ pay-per-click scheme by artificially amplifying website traffic.
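The two behaviours described above, background page loads and clicks plus regular contact with a command-and-control server, are what a defender can look for in device or proxy traffic. The following is an added example, not Wandera's tooling or anything from the article: it parses a constructed device-proxy log (the line format, the app bundle identifiers, the hostnames and the `state=` foreground/background field are all assumptions) and flags apps that beacon to one host at suspiciously regular intervals or fan out to many hosts while backgrounded.

```python
"""Heuristic detection of clicker-style background traffic.

Added example for illustration only; the log format, bundle ids, hosts and
thresholds below are assumptions, not data from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one line per outbound HTTP request seen by a
# device-level proxy, annotated with the app state at the time.
SAMPLE_LOG = """\
2019-10-24T10:00:00 app=com.example.benignweather state=foreground host=api.weather.example
2019-10-24T10:00:05 app=com.example.benignweather state=foreground host=cdn.weather.example
2019-10-24T10:00:00 app=com.example.suspectutility state=background host=c2.example.net
2019-10-24T10:00:30 app=com.example.suspectutility state=background host=c2.example.net
2019-10-24T10:01:00 app=com.example.suspectutility state=background host=c2.example.net
2019-10-24T10:01:30 app=com.example.suspectutility state=background host=c2.example.net
2019-10-24T10:00:10 app=com.example.suspectutility state=background host=ads-a.example.org
2019-10-24T10:00:12 app=com.example.suspectutility state=background host=ads-b.example.org
2019-10-24T10:00:14 app=com.example.suspectutility state=background host=ads-c.example.org
2019-10-24T10:00:16 app=com.example.suspectutility state=background host=ads-d.example.org
2019-10-24T10:00:18 app=com.example.suspectutility state=background host=ads-e.example.org
2019-10-24T10:00:20 app=com.example.suspectutility state=background host=ads-f.example.org
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts (format is assumed)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        records.append({
            "ts": datetime.fromisoformat(ts_str),
            "app": fields["app"],
            "state": fields["state"],
            "host": fields["host"],
        })
    return records


def analyze(records, min_beacon_hits=4, max_cv=0.2, min_bg_hosts=5):
    """Return {app: [finding, ...]} for apps showing clicker-like traffic.

    Two heuristics (thresholds are assumptions, tune to your environment):
      1. Beaconing: >= min_beacon_hits requests to one host whose
         inter-request gaps have a coefficient of variation <= max_cv.
      2. Background fan-out: >= min_bg_hosts distinct hosts contacted while
         the app is not in the foreground (ad pages opened without a user).
    """
    by_app_host = defaultdict(list)
    bg_hosts = defaultdict(set)
    bg_requests = defaultdict(int)
    for r in records:
        by_app_host[(r["app"], r["host"])].append(r["ts"])
        if r["state"] == "background":
            bg_hosts[r["app"]].add(r["host"])
            bg_requests[r["app"]] += 1

    findings = defaultdict(list)
    for (app, host), stamps in by_app_host.items():
        if len(stamps) < min_beacon_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread in the gaps means a timer, not a human.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings[app].append(f"regular beacon to {host} every ~{avg:.0f}s")
    for app, hosts in bg_hosts.items():
        if len(hosts) >= min_bg_hosts:
            findings[app].append(
                f"{bg_requests[app]} background requests to {len(hosts)} distinct hosts"
            )
    return dict(findings)


if __name__ == "__main__":
    for app, notes in analyze(parse_log(SAMPLE_LOG)).items():
        print(app)
        for note in notes:
            print("  -", note)
```

In the constructed sample the benign weather app produces no findings, while the suspect utility is reported both for a 30-second beacon to one host and for reaching seven distinct hosts while backgrounded. Neither heuristic proves fraud on its own; they are triage signals to be checked against the app's expected behaviour.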
What types of iOS applications were infected?
The apps cover a random set of app categories, the researchers said, including platform utilities, productivity, and travel. Here is a list of the infected apps:
RTO Vehicle Information
EMI Calculator & Loan Planner
File Manager – Documents
Smart GPS Speedometer
CrickOne – Live Cricket Scores
Daily Fitness – Yoga Poses
FM Radio – Internet Radio
My Train Info – IRCTC & PNR (not listed under developer profile)
Around Me Place Finder
Easy Contacts Backup Manager
Ramadan Times 2019
Restaurant Finder – Find Food
BMI Calculator – BMR Calc
Video Editor – Mute Video
Islamic World – Qibla
Smart Video Compressor
All of the apps are published by the same developer – an India-based company called AppAspect Technologies Pvt. Ltd. The company has a total of 51 apps published on the App Store.
The researchers tested all of the developer’s free iTunes apps, and the test revealed that 17 out of its 35 free apps were infected with the Trojan clicker module, all communicating with the same command-and-control server. It is noteworthy that this server was initially reported by Dr. Web as part of a similar ad-fraud campaign detected on Android devices.
The Android version of the clicker malware could send the following information to the C&C server, as reported by Dr. Web:
manufacturer and model;
operating system version;
user’s country of residence and default system language;
internet connection type;
data on application containing trojan.
What is most concerning is that all of the apps that communicate with this C&C server use strong encryption which hasn’t been cracked yet.
In addition, in the case of the iOS apps, the C&C server helped the malicious apps bypass detection: the malicious behaviour was activated through communication with the attacker’s server, which was “out of reach” for Apple’s review process. “Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app,” the researchers concluded.
In 2016, security researchers discovered the so-called Porn Clicker Trojan which was targeting Android devices. The Porn Clicker pretended to be a popular mobile application in Google Play. Once installed on the devices, the Trojan clicked on advertisements featured on porn websites without the user’s approval or knowledge.