Feeds

back to article Windows worm slips into iOS App Store, climbs into hipsters' pockets

An item of Windows malware has managed to make its way onto Apple's iOS App Store. It's likely to have been an accidental screw-up, but it nonetheless raises concerns about Apple's app-screening process. The malicious Windows executable was found by a user who downloaded an app called "Instaquotes-Quotes Cards For Instagram" …

COMMENTS

This topic is closed for new posts.
Silver badge
Thumb Down

"The tainted app can't infect a Mac OS X machine either."

Apart from those running Bootcamp.

0
0
Anonymous Coward

Re: "The tainted app can't infect a Mac OS X machine either."

The windows application would be in the Mac OS X partition though so WIndows wouldn't even see it.

1
0
Silver badge

Re: "The tainted app can't infect a Mac OS X machine either."

Oh but there is support for reading the HFS partition when running Windows under Bootcamp...

0
0
Anonymous Coward

Re: "The tainted app can't infect a Mac OS X machine either."

So you mount the HFS partition see a windows executable on there and think "I'll run that. What's the worst that could happen"!

0
0
Silver badge
Stop

I'm sorry

The worm wouldn't run on a iPhone, a PC or a Mac. It was just a lump of binary data that had (we presume accidentally) got included in the package. The only way that anything would even notice it is an AV package looking for signatures.

How is this a problem for Apple again?

4
10
Bronze badge

Re: I'm sorry

Given that it's an instagram app could it have inserted that code into an image which would then be viewed on a Windows PC? That has been used as a method of infection before.

0
3

Re: I'm sorry

Because it show's they are (arguably) not being careful enough when checking Apps. This particular instance may have been an old piece of Windows malware that can't harm Apple's kit, but that doesn't make it OK. As the article notes, this particular nasty is detected by everything, indicating that Apple aren't bothering to scan for known malware.

Given that the walled garden has been pushed as providing greater security, it's kind of embarrassing to have something so easily caught slip through the net.

Of course, a realist would expect that something will always slip through, but you'd normally expect it to be something a bit harder to detect than a well-known (by the AV) piece of VB-Script.

So, it's not an issue for Apple users, but it's a minor embarrassment for Apple.

Answer your question?

8
1
Silver badge

Re: I'm sorry

No, the question wasn't answered. Unless you can provide some proof that the app was exporting the worm in a way that could actually cause infection then it doesn't matter if it was VBA or sanscrit, it was unused data.

2
6
TRT
Silver badge

Re: I'm sorry

Unused data which has no place in an app for iOS.

5
0

Re: I'm sorry

@Steve

You're right, in this particular instance it was unused data. It shouldn't have been there though, and could easily have been detected by Apple. We're not talking about some advanced polymorphic malware, we're talking about a run-of-the-mill VB file.

Now ask yourself, if Apple couldn't catch something so obvious, what else is slipping through the net?

If you or I were checking that App, would you question the existence of VB in an iOS app? I would. Granted Apple aren't getting eyes on all apps, but that just means their automated systems need to be more effective. In this case they've missed something, luckily for them there doesn't seem to be an easy infection vector, but it shows that things are being missed (which really, shouldn't be that big a surprise, it happens) and the ease with which this should have been detected just adds to the embarrassment.

The next slip-up may well have a plausible infection vector, so if nothing else this should prompt Apple to review their security checks as simple good practice. On the face of it, they got lucky, and any responsible company would review procedures to ensure appropriate risk mitigation is in place. Whether they bother or not remains to be seen, but the greater the percentage of their customers claiming there's no issue, the less likely they are (or may be) to do so.

Better?

4
0
Silver badge
Linux

Re: I'm sorry

The fact that this unwanted code managed to slip into the App Store shows that Apple's walled garden has cracks and isn't the perfect security model it's quoted as being.

3
0
Silver badge

Re: I'm sorry

Why should they? They are only interested in finding malware that runs under iOS. If an app writer wants to distribute Windows malware then simple encryption of the package data will block any virus scanner. They may well scan any mails generated by the software, but how else do you expect a desktop OS to get anywhere near executing a mobile app?

1
4
Bronze badge
Thumb Up

>isn't the perfect security model it's quoted as being.

Guilty as charged.

From a user perspective however, this is a nifty wakeup call for Apple. Forces them to pay more attention in their vetting process, at little actual risk to us in _this_ case.

Doesn't mean that they were competent however, as you've pointed out. Still, it's in their best interest to clean this up and it might get them to be more malware-paranoid.

full disclaimer: am a Mac user @ home. and I do run the Sophos AV on it.

0
0
Anonymous Coward

*bring back El Reg gravestone icon*

What is the point of Apple scanning for Windows worms inside iOS app packages? They're not going to run on iOS nor even on Windows unless users extract the app package contents as the article correctly points out.

This is supposed to "raise concerns about Apple's app-screening process"? Maybe they should scan for DEC VAX malware too while they are at in, some old Morris worm might be lurking around in there.

"Find and Call" didn't send any SMS by itself, they were sent from the developer's servers. Several genuine apps use and transmit contact information and in fact "Find and Call" - as the name implies - had a genuine reason to do so.

Short of banning developers as they already do, I can't see what Apple or anyone can do to stop developers from misusing the data the users volunteer to them.

3
8

Re: *bring back El Reg gravestone icon*

What is the point of Apple scanning for Windows worms inside iOS app packages? They're not going to run on iOS nor even on Windows unless users extract the app package contents as the article correctly points out.

This is supposed to "raise concerns about Apple's app-screening process"? Maybe they should scan for DEC VAX malware too while they are at in, some old Morris worm might be lurking around in there

How about they just scan for malware? Why worry about which platform it affects, you never actually know whether the presence will result in an actual infection vector. Scanning for VAX malware would be a little extreme, it's true, but it's far less extreme to scan for malware that affects the most used desktop OS on the planet.

I can't think of a way that the iPhone could infect a Windows machine, but I bet someone out there could given the right motivation. As the article notes, the responsible scan for malware which may affect any (within a reasonable level of likelihood) system. I.e. they'll scan for Windows malware as well as Mac and Linux.

Let's face it, it can't inconvenience Apple too much to have submitted apps be automatically extracted and scanned properly can it.

All that said, apart from some embarrassment for Apple, really this is a bit of a storm in a teacup. It's only really newsworthy because some rabidly mis-believe that no malware can enter the App store.

3
0
TRT
Silver badge

Re: *bring back El Reg gravestone icon*

If anything, having an iOS app pop up on a routine virus scan on a user's Windows PC that he/she syncs their iPhone/Pod with cannot be a good thing. This is why.

1
0
Holmes

Re: *bring back El Reg gravestone icon*

"How about they just scan for malware? Why worry about which platform it affects, you never actually know whether the presence will result in an actual infection vector. "

You cannot be serious about this. By now it's likely that ANY sufficiently large binary file will match some malware signature if you take all platforms and architectures.

What's next, Apple should scan iOS app submissions for Android malware too?

2
8
Anonymous Coward

Re: *bring back El Reg gravestone icon*

"What's next, Apple should scan iOS app submissions for Android malware too?"

LOL. Not even Google do that!

3
0

Re: *bring back El Reg gravestone icon*

You cannot be serious about this. By now it's likely that ANY sufficiently large binary file will match some malware signature if you take all platforms and architectures.

Bollocks.

Let's start with how they'd do the scan shall we? You don't scan the entire package, you extract it giving lot's of those nice little files contained within. You then scan those, accepting either a higher false-positive or higher false-negative rate (the former being more expensive as you have to review, the latter posing a greater risk to your customers).

As I said later in my post, even limiting it to common platforms would be a start. Scan for iOS, Windows and OSX nasties. Sure, if you really want, scan for Android nasties, but you know what? Unless the iOS app has some means of pushing the malware to an Android device, it's less of a worry. People plug their phones into machines running Windows or OS X. This incident may not have had a way to then push that onto the system, but it doesn't mean that there isn't a way to do so (I find myself tempted to observe especially on Windows).

There's a world of difference between scanning for platforms which could be infected and scanning for those that are highly unlikely to come into sufficient contact. Considering the relative safety the walled garden is supposed to provide, not performing a proper scan is one hell of a fuck-up.

The flipside, of course, is that Apple may actually be doing it properly. It's not impossible that this was an isolated cock-up rather than a failure across the system. We have no way to know, but you can't avoid the fact that a responsible company should be checking thoroughly for malware.

You'd be pretty pissed if a Linux based webserver infected your Windows machine and the admin said "Why would I scan for Windows malware? It doesn't affect me, want me to scan for VAX malware too?" wouldn't you? iPhones/iPad's have a reasonable likelihood of coming into contact with a Windows machine and so Apple should be scanning for Windows based malware.

13
0
Facepalm

Must be a slow news day. Tomorrow we'll have the same story about the Google Play store I guess. It's binary data occupying a portion of your hard disk. If you've got a virus scanner it'll pick it up, if you don't you wouldn't be any the wiser.

2
5
Anonymous Coward

Doogie1

"Tomorrow we'll have the same story about the Google Play store I guess."

Please remind me - which group of users, Apple or Android, amke a big deal out of the security of their applications?

0
0
Anonymous Coward

Re: Doogie1

the security of applications is not at stake here, that's why stories like this are so misleading.

1
1

Re: Doogie1

"Please remind me - which group of users, Apple or Android, amke a big deal out of the security of their applications?"

Well if they have half a brain, both of them surely. Not sure what you're point is but I'll answer your question anyway

1
0

All these questions

.....about how is it Apple's problem.

This is El Reg. If it says 'Apple' anywhere in the article then it's not only Apple's problem it's Apple's fault.

It's a cultural thing.

3
0
Silver badge
Trollface

Re: All these questions

What is the name of the Foxconn rebrander which curates all the apps sold in their App store so "it's always safe and secure"?

0
0
Anonymous Coward

OK, this particular app and virus aren't really going to cause any problems... but...

Suppose this. Malware writers now know that Apple don't scan for Windows malware, this opens up a new opportunity.

Forgive me if I am wrong, as I'm not a iOS user, but, suppose someone can bundle a piece of malware into an app, that sends emails out to your contacts (the app sends it, not the malware). On receiving said email, which plays on the age-old social engineering tricks, open this, it'll make you laugh sort of thing, anyone reading the -email on a Windows PC gets infected. Some users will be running without any AV, or out-of-date pre-intsalled McAfee crap, and will get caught.

Not saying this is technically possible. However, you can bet someone somewhere, after reading about this, will be trying. And it may not be Windows malware, get a Mac nasty in there, and off you go.

Lots of ifs, buts and maybes... doesn't mean it won't happen.

0
0

>Lots of ifs, buts and maybes... doesn't mean it won't happen.

True, but what's your point?

Five years without significant problems suggests that they are doing something right, what's happened here is that an attack vector that no-one thought about has been exposed, albeit accidentally.

Why did no-one think about it? Well, one obvious reason is that the iOS development tools are only available for Macs, so there's no reason for an iOS app to be anywhere near a Windows system at any time during it's development, so it is difficult to see how the payload ended up in the app.

So, what now? Well, you'd hope that they will now start running submitted apps through a commercial virus scanner to reduce the chances of this happening again, but I doubt the great unwashed masses will be told.

At some point in the future something like this will happen again when another unexpected vector is accidentally uncovered and then the comment pages will once more be flooded with armchair know-it-alls saying "They should have been doing X", but who will be unable to produce a single piece of evidence showing that they (or anyone else) thought of that *before* the breach.

Meanwhile, the general public will continue to buy whatever device hypnotises them with the shiny-shiny best, much to the continued annoyance of our fellow commentards. Mainly because they don't give two hoots.

0
0
Anonymous Coward

crapple

as i have pointed out else where,apple inc are the last gits in the world that would tell anyone if they did come across successful malware running inside garden,they will quite hapily let groups extract millions of dollars every year,they would even pay long term blackmail fees to a clever group,just what do you think would happen to crapple inc if they admitted to the public that someone had run successful malware for three years,without crapple knowing,their wonderful lah lah land "walled garden"(should be "walled orchard"realy) would be seen to be bullshit,enterprise would drop them like a hot rock and the precarious house of jobs would tumble to the ground.good riddance i would say,they are,by such a long way the biggest shit mongers in world at moment,if even yank gov is starting to worry about crapple inc behaviour enough to make public comments then it shows they are almost beyond any kind of sensible control.

i.e why is all crapple cash etc held off shore from usa.yes i know othets do it,but not to the extreme that crapple inc do,jobs was an ultra extremist,his firm are too,look at patent wars.

have always hated jobs,but with good reason,i am rabidly anti-semitic.

but that does not make me blind or stupid,they hate us,i loath them ,its mutual.

0
3

Re: crapple

Perhaps a lie down in a nice dark room would help?

1
0

This post has been deleted by its author

Silver badge

If I understand this correctly...

This is an iOS app, which contains within it an OS X package which can be installed on your Mac. Inside that OS X package is a Windows executable which can be installed on your PC, and that executable is infected. Apple probably never thought to scan through multiple levels like that. I highly doubt that previous to this news coming out that Google would have caught this either, since the typical case on Android software would be to have it install the Windows executable itself, not require you to install the OS X package first to access the Windows executable.

This was almost certainly not malicious on the part of the dev. If it had been, they would have not used such an old and relatively harmless bit of malware, and wouldn't have required such a crazy series of steps to even get the infection. Probably the only three people who ever would have got this would be Mac users infecting the Windows they run in a VM. If you have a Mac, you'll run the software on the Mac, so no problem. If you have a PC you probably just download the software directly over the Internet. It's only if you have a Mac and a PC, and want to for some reason install it on both, and somehow feel it is easier to copy the executable over from your Mac than just click on a link to download it. Hopefully the downloadable version wasn't also infected, but I wouldn't be surprised since it would make sense that the PC this dev builds it's golden images on is the source of the infection.

I'm sure Apple will scan for this in the future, and Google probably will also. But it doesn't mean much, as there are obvious routes (self extracting installer requiring user interaction, automated update on first run) to get infected executables past any Apple app store reviewer or Google Bouncer scanning. In the end it comes down to the end user detecting the infection. Anyone who could have been infected by this old thing probably isn't running AV software at all, and if you do that on Windows while installing software willy nilly you deserve your fate.

0
0

Not malicious?

"This was almost certainly not malicious on the part of the dev"

On the other hand, it's hard to see how it could have got into the application bundle. Did the developer think - "Oooh look - there's a .exe. Let's drag in into my project in XCode"?. Maybe he keeps all his source files in his 'Downloads' folder and uses some sort of scripting to do his builds - but that would be a bit nuts(!)

Hopefully there's not something more sinister going on - like some Mac malware that targets development systems.

0
0
Anonymous Coward

"...Users of Mac desktops ... often run anti-virus software for much the same reason that it's a useful addition on Linux file-servers and mail-servers: to clear out any Windows-based malware..."

Pffft! —I don't. If people will insist on using shitty Windows, let them clean up their own vomit.

0
3
FAIL

@madra

Not a good business attitude. People would not use your file/mail/web service if they continually got malware from it.

1
0
Bronze badge

Should I get infected

They are be distributors of malware.. and that is a crime.

0
0
This topic is closed for new posts.