A total of seventeen iOS applications infected with clicker Trojan malware made it into the Apple App Store, Wandera’s threat researchers have discovered.
The infected applications, Wandera says, communicated with a known command and control (C&C) server to simulate user interactions. Thus, they allowed operators to fraudulently collect ad revenue.
Like other similar malware, the clicker Trojan was designed to inflate website traffic and generate revenue on a pay-per-click basis.
The Trojan performs the ad fraud tasks in the background by continuously opening web pages and clicking on links without requiring any form of user interaction.
The 17 infected applications were published in the App Store in various categories, including productivity, platform utilities and travel. All of them reached App Store storefronts in various countries and come from the same developer, India-based AppAspect Technologies Pvt. Ltd.
The developer has a total of 51 applications in the App Store, including 35 offered for free. Of these, 17 were found to be infected, Wandera reports.
These are RTO Vehicle Information, EMI Calculator & Loan Planner, File Manager – Documents, Smart GPS Speedometer, CrickOne – Live Cricket Scores, Daily Fitness – Yoga Poses, FM Radio PRO – Internet Radio, My Train Info – IRCTC & PNR (not listed under developer profile), Around Me Place Finder, Easy Contacts Backup Manager, Ramadan Times 2019 Pro, Restaurant Finder – Find Food, BMI Calculator PRO – BMR Calc, Dual Accounts Pro, Video Editor – Mute Video, Islamic World PRO – Qibla, and Smart Video Compressor.
All of the infected apps would communicate with the same C&C, which was previously exposed in a Dr. Web report on a clicker Trojan targeting Android.
The identified iOS applications use strong encryption to communicate with the C&C server. According to Dr. Web’s report, the Android apps that were communicating with the same server were gathering users’ private information, including device make and model, country of residence, and configuration details.
AppAspect Technologies has 28 applications published in Google Play at the moment, but none of them was found to be communicating with the aforementioned C&C server.
However, the developer previously had some infected Android applications published to Google Play, which were removed from the store. The developer has since republished them without the malicious code.
“It’s unclear whether the bad code was added intentionally or unintentionally by the developer,” Wandera says.
Although one of the less frequently seen threats in the wild, mobile malware is being increasingly used in targeted attack scenarios, and the newly discovered applications prove that attackers are focusing more on introducing malware into official app sources, Wandera notes.
“As always, we recommend that mobile-enabled businesses undergo some form of app security vetting to ensure apps, especially free apps, are trustworthy,” Wandera concludes.