Apple wages battle to keep App Store malware-free

Thousands of apps have been found in recent weeks with potentially malicious components

The iPhone 5S at a Beijing Apple store. Credit: Michael Kan

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.

Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.

While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. 

Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation for being high quality and malware-free. Apple officials didn't have an immediate comment.

"The common theme we are seeing is this new wave of attacks against iPhones and against iOS," said Peter Gilbert, a mobile software engineer with FireEye, in an interview.

That's worrying for enterprises tasked with keeping corporate data and passwords entered on employees' mobile devices out of the hands of hackers.

Apple reviews apps submitted by developers for its store. That process has somewhat rankled developers, who have complained the process is too slow.

The upside is that the App Store has not had the same problems with malware as Google in its Play Store for Android devices.

But hackers are now "really looking for ways to get vast numbers of apps in the App Store in these legitimate channels and getting past whatever the barriers that are put up there," Gilbert said.

Those efforts appear to be largely centered in one place: China.

On Wednesday, FireEye said it discovered 2,800 apps in the U.S. and Chinese versions of the App Store that contained a potentially malicious code library used to deliver advertisements.

The ad library, mobiSage SDK, was developed by a Chinese company called adSage. The library had been incorporated into the apps by developers, who may have been unaware it had data-stealing capabilities. FireEye nicknamed the scheme iBackDoor.

Gilbert said the ad library was capable of loading JavaScript from a remote server. It would then be possible to take screenshots, capture audio or monitor a device's location. 

AdSage, based in Beijing, couldn't be immediately reached for comment. It has since released an updated version of the mobiSage SDK, which does not have the backdoor capability. 

Gilbert said it's possible that someone took adSage's product, added the malicious capabilities and then made it available for developers.

The latest finding adds to other recent issues in the App Store. 

In mid-September, Palo Alto Networks found 39 apps that contained a modified version of Apple's Xcode development tool. That version, which was dubbed XcodeGhost, could add hidden malicious code to apps built with it.

A few days later, the mobile security company Appthority found 476 apps infected with XcodeGhost. Then FireEye said the problem was much worse: it uncovered 4,000 apps containing XcodeGhost.

The larger question is how the apps were able to bypass Apple's review.

David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.

Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.

But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.

The mobiSage SDK case is fuzzier: the ad library doesn't do anything outright malicious, which is possibly why Apple gave it a pass to the store, Richardson said.

Still, FireEye labeled the apps using it as "high risk" in its blog post.

Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.  

"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.

There are a couple of methods for reviewing code. Static analysis examines the code itself without running it, while dynamic analysis runs the application and watches how it behaves.

But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.
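As an added example (not the article's, FireEye's or Apple's code), the script below shows what a lightweight static pass over an app's string table can and cannot see. It flags the combination the article describes, a web view that executes server-supplied JavaScript alongside microphone, location and screen-capture APIs, and separately notes run-time selector lookups, one of the ways the literal API names can be kept out of a plain scan. The API names are real Apple framework identifiers; the risk thresholds and the sample `strings` dump are assumptions constructed for the example, and dynamic analysis (running the app and observing it) is not attempted here.

```python
"""
Heuristic static triage of an iOS app's string table.

Added example for this article (not FireEye's, Apple's or Lookout's code).
It reads the text that `strings` produces over an app's main executable and
embedded frameworks and looks for three things the article describes:
capability to execute code fetched at run time, access to sensitive device
features, and run-time selector lookup that hides API use from a plain scan.
The sample input at the bottom is constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Objective-C selectors through which a web view executes JavaScript it is handed.
REMOTE_CODE = {
    "stringByEvaluatingJavaScriptFromString:": "UIWebView runs JavaScript",
    "evaluateJavaScript:completionHandler:": "WKWebView runs JavaScript",
}
# Classes and selectors that reach the microphone, location or screen contents.
SENSITIVE = {
    "AVAudioRecorder": "microphone capture",
    "CLLocationManager": "device location",
    "renderInContext:": "view/screen capture",
    "UIGraphicsGetImageFromCurrentImageContext": "view/screen capture",
}
# Run-time name resolution: the real selector or class name need not appear
# as a literal, so its absence from this scan proves nothing.
OBFUSCATION = {
    "NSSelectorFromString": "selector resolved at run time",
    "NSClassFromString": "class resolved at run time",
}
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class Triage:
    remote_code: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)
    obfuscation: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        """High: can run server-supplied code AND reaches sensitive features.
        Medium: one of the two, or sensitive access plus run-time lookups
        (the remote-code path may simply be hidden from the scan).
        Low: otherwise; obfuscation alone is reported but not scored."""
        if self.remote_code and self.sensitive:
            return "high"
        if self.remote_code or (self.sensitive and self.obfuscation):
            return "medium"
        return "low"


def _matches(table: dict, line: str) -> list:
    """Substring match of every indicator in `table` against one line."""
    return [f"{name} ({why})" for name, why in table.items() if name in line]


def triage(strings_text: str) -> Triage:
    """Scan `strings` output one line at a time and collect indicators."""
    t = Triage()
    for line in strings_text.splitlines():
        t.remote_code += _matches(REMOTE_CODE, line)
        t.sensitive += _matches(SENSITIVE, line)
        t.obfuscation += _matches(OBFUSCATION, line)
        t.urls += URL_RE.findall(line)
    return t


# Constructed sample: what a `strings` dump might show for an app bundling an
# ad SDK that loads JavaScript from a server and can record audio and location.
# The host name is a placeholder, not a real indicator.
SAMPLE_STRINGS = """\
_OBJC_CLASS_$_UIWebView
stringByEvaluatingJavaScriptFromString:
http://ads.sdk.example.invalid/config.js
_OBJC_CLASS_$_AVAudioRecorder
_OBJC_CLASS_$_CLLocationManager
renderInContext:
NSSelectorFromString
"""

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print("risk:", result.risk)
    for bucket in ("remote_code", "sensitive", "obfuscation", "urls"):
        for item in getattr(result, bucket):
            print(f"  {bucket}: {item}")
```

The point of the `OBFUSCATION` bucket is the article's caveat: a clean result from a scan like this is weak evidence, because an SDK that assembles its selector names at run time never exposes them as literals. A reviewer who sees `NSSelectorFromString` next to location or audio APIs has a reason to move to dynamic analysis rather than to clear the app.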

A cursory review of an app may not be able to tell whether it was built with the counterfeit version of Xcode or the legitimate one, he said.
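A check a developer can run on the toolchain itself, added here as an example rather than taken from the article or from Apple: Gatekeeper's `spctl` assessment of the Xcode bundle, which a counterfeit copy lacking Apple's signature fails. The accepted `source=` values follow Apple's published guidance after XcodeGhost; treat those exact strings, and the output layout the parser expects, as assumptions to compare with your own machine's output. The parser is split from the `spctl` call so it can be exercised without macOS.

```python
"""
Verify that an installed Xcode is Apple-signed before trusting its builds.

Added example for this article, not Apple's tooling.  A counterfeit Xcode of
the XcodeGhost kind is not signed by Apple, so Gatekeeper rejects the bundle.
Assumptions: `spctl --assess --verbose` prints a "<path>: accepted" line and
a "source=<name>" line; the accepted source names listed below match Apple's
published guidance.  Check both against a known-good machine.
"""
import subprocess

# Signing sources an Apple-distributed Xcode is expected to report (assumed).
EXPECTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def classify_spctl_output(returncode: int, output: str) -> tuple:
    """Return (ok, reason) from spctl's exit status and its combined output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    accepted = any(ln.endswith(": accepted") for ln in lines)
    source = None
    for ln in lines:
        if ln.startswith("source="):
            source = ln[len("source="):]
    if returncode != 0 or not accepted:
        return False, "Gatekeeper rejected the bundle: " + " | ".join(lines)
    if source not in EXPECTED_SOURCES:
        return False, f"accepted, but unexpected signing source {source!r}"
    return True, f"accepted, source={source}"


def assess_xcode(path: str = "/Applications/Xcode.app") -> tuple:
    """Run Gatekeeper's assessment on the bundle (macOS only)."""
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    # spctl may write its verdict to stderr; combine both streams.
    return classify_spctl_output(proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    ok, reason = assess_xcode()
    print(("OK" if ok else "FAIL") + ": " + reason)
```

Run it on the build machine, not on the reviewer's side: the article's point is that the finished app may carry no obvious trace of which Xcode produced it, so the place to catch a tampered toolchain is before the build, and a rejected or unexpectedly sourced bundle should block releases until the copy is replaced with one downloaded from Apple.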

The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.  
