New iOS malware targets stock iPhones, spreads via App Store

Miscreants have forged a strain of iOS malware which poses a greater risk than previous nasties because it can infect non-jailbroken devices without the user’s confirmation. AceDeceiver is fundamentally different from recent iOS malware because it relies on exploiting flaws in Apple’s DRM software rather than abusing …

  1. pmartin66

    So, if you don't use your PC to get apps (I never do this, I buy apps from the App store on my iOS devices) can this still happen?

    1. DougS Silver badge

      It requires your PC be infected with malware first (delivered in a PC application called Aisi Helper) then plug your iOS device into that PC. It also (at least this malware) only does this if you are located in mainland China.

      1. Anonymous Coward

        It also (at least this malware) only does this if you are located in mainland China

        .. or (really soon) if you're under investigation by the Feds..

        1. DougS Silver badge

          What good would it do the Feds to install an app on your phone? Unless you run it, it won't do anything. And even if you do run it, it can only do what its permissions allow so it isn't like it can copy all your info to the Feds, or send them your phone's password (unless it asks for it, and you are dumb enough to provide it)

          If they wanted to go through the back door they'd have something like Stuxnet that would probably hack the baseband OS to bug your phone (I wouldn't be shocked if they already have this, at least for popular basebands like Qualcomm's)

          They don't want to go through the back door, they are trying to set a precedent that lets them walk through the front door, with everyone watching, and leave us unable to do anything about it.

    2. Old Handle

      I think you're safe now that Apple has pulled the apps (and presumably will be on the lookout for this particular trick again) but when they were initially available in the app store you could install them directly from there and be infected.

      1. DougS Silver badge

        You misunderstand what is going on. There is no 'infection' from the apps themselves, all they do is present an alternate app store, and ask you for your Apple ID / password - and they only do those things if run from mainland China. If run from the US or Europe they do what they say they're going to do: give you a screensaver.

        Where malware comes in is that they found a way to have a PC program silently install one of these apps onto a connected phone without permission or prompting, via a MITM attack. There's a specific program that you have to install on your PC for this to happen, which of course doesn't tell you it is going to do this. Any iOS device you plug into that PC will get one of these apps installed. Obviously silently installing an app is a problem Apple needs to fix, but it isn't like the app it installs can do anything special like p0wn your phone, it has to live under all the normal app restrictions. If you never run the app, nothing happens, if you do run the app nothing happens unless it successfully tricks you into supplying information yourself, like your Apple ID / password (and then only if you run it from mainland China)

        Presumably the reason for only operating in China is 1) it is trying to push people to use an alternate app store based in China that would not be of interest to people outside of China and 2) this may be why the App Store review process didn't catch them - the apps were submitted to the US store, but only exhibited their 'bad' behavior when run from China. Assuming Apple's reviewers who review apps submitted in the US don't test them from China, they will only see the normal functionality they are claimed to have.

  2. Mr.Bill

    attack vector

    the whole post here is about how the malware gets on the phone - with no description of what it would do when on a phone, only stated here as "malicious behaviors". Fine, this is exactly what we should care about - the attack vector.

    With Android, the attack vector is, 99.999% of the time (the only other time in memory: Stagefright), jump through hoops and ignore warnings to install an apk file downloaded from a Russian darkweb porn site or something. But those posts are used obviously for clickbait, glossing that over and going into an in-depth account of just what it would do to the victim, always explained in gory detail. Completely irrelevant waste of page space, really.

    So, leaving out the description of the maliciousness, the equivalent story here for Android would be much less exciting: a sentence or two, basically "when the user installs the apk from the porn site, malicious behaviors occur".

    1. Lee D Silver badge

      Re: attack vector

      I think the main news is this:

      This competently highlights what a waste of time the code review process is (and how it has nothing to do with security, only competition with Apple products, etc.) and how reliance on someone "spotting malicious behaviour" in app code is still the primary - and most useless - method of securing software.

      This really demonstrates quite how useless things like Antivirus, etc. are. Even when they GO LOOKING for malware, on a limited number of apps, submitted over the course of months, their review process is totally unable to determine if an app is, or could be under certain circumstances, malicious.

      It kind of knocks all of the "you cannot bundle a scripting language", etc. junk that Apple enforce under the guise of security into the waste-of-time bin.

      Maybe if they had a permission model, like Android, it might be a bit better - but then as a user you're still able to install stuff that "can access your files" and "can go on the Internet" and not realise that means they could send out every byte of data you have stored on your device.

      The solution here is not "let's check apps to see if they are dodgy", it's to lock down permissions to fine-grained and complete control. People who press OK will still press OK, but at least then people "in the know" will only "grant the app HTTPS access to domain.com, and r/w access to the virtual folder Data which is actually limited only to files specifically shared with the app by user-initiated file-association." Which helps immensely when working out quite what an app can or can't do, whether it can be blocked easily, and quite why those permissions are listed.

      I'm still waiting for Android "list of permissions" to allow two options for every possible permission. "Allow" and "Emulate". When Emulate is selected for a permission, it pretends the app can do that (e.g. even hiding files the app wants "Deleted" from its view), but just ignores the actual request otherwise (i.e. doesn't actually delete anything). In this way, apps can't know whether or not their actions succeeded or were even monitored, and users can say "Free GPS app wants to send texts? Er... No." and carry on using the rest of the functionality as expected.

      1. DougS Silver badge

        Re: attack vector

        So if code review doesn't catch everything it shouldn't be attempted? I guess since Google's automated malware scanning of apps submitted to the Play Store likewise doesn't catch everything they should drop that too? We should all delete our AV software on PCs because it doesn't catch everything? We shouldn't have airbags and seat belts in our cars because they don't save your life in every crash?

        1. AlbertH

          Re: attack vector

          Has your "anti-virus" ever done anything useful? The answer is certainly "No" - AV products don't and can't work. This is the dreadful truth that the AV industry tries to hide from the suckers who buy their rubbish.

          It takes minutes to write a piece of malicious code. It can be unique and can have an unusual method of promulgation. There is NO AV product that has ever been made that can prevent an infection from a "new" piece of malware. It's only possible that it can be detected once it has become widespread - the AV Vendors still rely on "signatures" - their "heuristics" are complete nonsense.

          The number of compromised Windoze machines is truly staggering. The prevalence of DDOS attacks shows a small part of those legions. Now it's possible (relatively easily) to abuse Apple phones....

          The only real protection is a properly hardened OS with a rigorous permissions structure and education - the biggest common vulnerability is the stupid, wilfully ignorant user......

        2. BlackDuke07

          Re: attack vector

          Damn you beat me to it.

          My analogy was going to be; if a terrorist attack occurs should we completely disband the Security Service.

      2. D@v3

        Re: Lee D

        "Maybe if they had a permission model, like Android, it might be a bit better"

        Now, I'm not an Android user, but I thought one of the big complaints was that when you install something it says, "these are the permissions it wants" and you either have to like it or lump it. I have got the impression that this has been improved in the (much) newer versions, but we all know what Android updates are like, right?

        I am however an iOS user, and I know that when I install an app, while it doesn't tell me about any permissions when I install, it asks before it does anything in use.

        For example, want to use a memo recorder? On first use, it will say 'give app access to microphone', and you can choose not to.

        A better example would be the Facebook app. When it installs, it lets you log in and use it; it's not until you try to upload a photo that it says, "give app access to photos", at which point you can say, err, no actually, keep blocking. At some point it might ask for access to your contacts, again, no dice, and, should you choose to give any app access to any part of the phone, you can go back in and switch it off later, so... Facebook, yes, allow access to camera, take picture, upload, turn off access to camera....

        So, while you might not get the information up front when you install the app, it's because (in my experience) apps install with (almost) no permissions, and they are applied as and when they are requested.

  3. DougS Silver badge

    Apple dropped the ball

    Apparently this hole has been known about since 2013, and a paper about it was published at USENIX in 2014, but since it was only used to spread pirated apps on jailbroken phones I guess Apple didn't care about it too much.

    Just goes to show that even if a hole looks innocuous it should still be fixed. That's the same attitude people used to have about buffer overflows back in the day - "all they can do is cause a crash, big deal". Until RTM demonstrated otherwise.

  4. Joerg

    FBI,NSA,CIA Obama are behind this!

    It is just plain obvious. All of a sudden keys get approved inside Apple for malware and viruses. Who is approving those keys? Clearly spies working for either competitors or anyone that would want to attack Apple.

    And right now Barack Hussein Obama with FBI, CIA and NSA want to destroy Apple.

  5. Walter Bishop Silver badge

    New iOS malware spreads via Windows!

    "AceDeceiver is fundamentally different from recent iOS malware because it relies on exploiting flaws in Apple’s DRM software"

    AceDeceiver also required a previously compromised Windows computer in order to successfully deliver the payload.

    a) A Microsoft windows PC has first to be infected with the AceDeceiver malware.

    b) AceDeceiver is sneaked onto the official App Store.

    c) Hackers buy AceDeceiver from the App Store and receive an authorization code.

    d) The Windows malware executes a purchase and downloads the authorization code from the App Store.

    e) The Windows malware poses as iTunes, provides the false authorization code and installs the malware onto the iOS device.

    f) The iOS device is now compromised.

    1. DougS Silver badge

      Re: New iOS malware spreads via Windows!

      The iOS device isn't even compromised. It just has an app on it that you didn't install yourself. If you don't run the app, nothing happens. If you do run the app it presents an alternate app store and tries to trick you into giving up your Apple ID & password. Unless you give up that password, or buy some apps from it, it doesn't hurt you in any way.

      There are a lot of Android users who willingly configure their phone to use alternate app stores, and a lot of iPhone users would do this too if iOS allowed it. The only "compromising" being done is of Apple's rule against alternate app stores.
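The weakness at the heart of Walter Bishop's steps c) to e) above, and of the "silently install ... via a MITM attack" that DougS describes, is an authorization that proves "somebody paid for this app" but is not tied to the device that presents it or to the installation attempt, so a PC posing as iTunes can replay a captured authorization onto any connected phone. The Python below is an added illustration of that class of bug and is not Apple's FairPlay protocol or any AceDeceiver code: the token layout, the HMAC-based store signature (a stand-in for whatever key material a real store uses), the device and buyer names and the app identifier are all constructed here. The weak verifier accepts a replayed token on a victim device; the bound verifier puts the device identity and a fresh one-time device challenge inside the signed token, so replay to another device, a second use on the same device, and editing the device field all fail.

```python
# Added illustration of a replayable "purchase authorization" and a bound
# alternative. Constructed model: not Apple's FairPlay, not AceDeceiver code.
import hashlib
import hmac
import json
import secrets

# Constructed store secret. A symmetric MAC is an assumption made for brevity;
# the point is what the signed payload does and does not bind, not the primitive.
STORE_KEY = b"constructed-store-signing-key"


def _mac(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


def _mac_ok(token: dict) -> bool:
    return hmac.compare_digest(_mac(token["payload"]), token["mac"])


def new_device(device_id: str) -> dict:
    return {"id": device_id, "installed": set(), "pending": None}


# --- weak scheme: the authorization only proves that somebody paid ----------

def store_issue_weak(app_id: str, buyer: str) -> dict:
    payload = {"app": app_id, "buyer": buyer}
    return {"payload": payload, "mac": _mac(payload)}


def device_install_weak(device: dict, token: dict) -> bool:
    # The device checks only that the store signed the token. Nothing ties it to
    # this device or to this install attempt, so a token captured from the
    # attacker's own purchase works on any phone, any number of times.
    if not _mac_ok(token):
        return False
    device["installed"].add(token["payload"]["app"])
    return True


# --- bound scheme: device identity and a one-time challenge inside the token --

def device_challenge(device: dict) -> str:
    # Fresh nonce the device expects to see echoed back, signed, exactly once.
    device["pending"] = secrets.token_hex(16)
    return device["pending"]


def store_issue_bound(app_id: str, buyer: str, device_id: str, nonce: str) -> dict:
    payload = {"app": app_id, "buyer": buyer, "device": device_id, "nonce": nonce}
    return {"payload": payload, "mac": _mac(payload)}


def device_install_bound(device: dict, token: dict) -> bool:
    p = token["payload"]
    if not _mac_ok(token):
        return False                       # tampered (e.g. device field edited)
    if p.get("device") != device["id"]:
        return False                       # minted for a different device
    if device["pending"] is None or not hmac.compare_digest(p.get("nonce", ""), device["pending"]):
        return False                       # no open challenge, or stale/replayed nonce
    device["pending"] = None               # consume the challenge: one token, one install
    device["installed"].add(p["app"])
    return True


def run_scenario() -> dict:
    """Attacker buys the app once, captures the token, then a PC posing as
    iTunes replays it against a victim phone. Returns each outcome by name."""
    results = {}

    # Weak scheme: replay onto the victim succeeds.
    attacker_tok = store_issue_weak("com.example.screensaver", "attacker")
    victim = new_device("victim-phone-1")
    results["weak_replay_on_victim"] = device_install_weak(victim, attacker_tok)

    # Bound scheme: the legitimate flow works once, on the device that asked.
    victim = new_device("victim-phone-1")
    attacker_dev = new_device("attacker-phone")
    nonce = device_challenge(attacker_dev)
    attacker_tok = store_issue_bound("com.example.screensaver", "attacker", attacker_dev["id"], nonce)
    results["bound_legit_install"] = device_install_bound(attacker_dev, attacker_tok)
    # Using the same token again on the same device fails (challenge consumed)...
    results["bound_second_replay_same_device"] = device_install_bound(attacker_dev, attacker_tok)
    # ...presenting it to the victim fails even with a challenge open there...
    device_challenge(victim)
    results["bound_replay_on_victim"] = device_install_bound(victim, attacker_tok)
    # ...and rewriting the device field to the victim's ID breaks the MAC.
    forged = {"payload": dict(attacker_tok["payload"], device=victim["id"]), "mac": attacker_tok["mac"]}
    results["bound_forged_device_field"] = device_install_bound(victim, forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The design choice worth taking away is that signing alone is not enough: the verifier on the device has to check something only it knows (the outstanding challenge) and something only it is (its identity), and the store has to include both under the signature, otherwise an intermediary that can speak the store protocol to the device can reuse one paid-for authorization indefinitely.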


Biting the hand that feeds IT © 1998–2019