Wandera specialists revealed that the Apple App Store contained 17 applications carrying malicious code that simulates user interactions with advertisements. The 17 infected applications were published on the App Store in various categories, from system utilities to travel.
All of the applications were created by the Indian developer AppAspect Technologies Pvt. Ltd and engaged in advertising fraud: they clicked on links and continuously opened ad windows in the background, all without the users' knowledge. Although the adware was almost invisible to victims, Wandera analysts note that the activity of such applications could slow down devices and drain the battery faster.
In total, this developer has 51 applications in the App Store, 35 of which are free. All 17 infected applications, all from among the free ones, contacted the same command-and-control server over strong encryption that the researchers were unable to break. Evidently, this server delivers a payload associated with click fraud. Experts suggest that the developer hosted the malicious code on an external source to bypass the App Store's security mechanisms.
Experts have noticed that this campaign is very similar to the one discovered by Doctor Web in August this year. Recall that Doctor Web experts detected a clicker trojan on Google Play that operated in 34 applications and was used in the same way to inflate website visits and monetize online traffic. Notably, the same command-and-control server was involved in that campaign as in the incident noticed by Wandera analysts.
AppAspect Technologies also has a developer profile on the Google Play Store, currently with 28 published applications. Wandera experts examined these applications and concluded that they did not contact a suspicious command server. However, additional research revealed that AppAspect Technologies' Android apps had once been infected as well, which led to their removal from the store. Since then, they have been republished and no longer contain malicious functionality. Given this, Wandera experts note that the malicious code may not have been added by the developer himself; this could instead have been a supply-chain attack.
Currently, Apple has removed all of the compromised applications from the App Store except two: My Train Info – IRCTC & PNR and Easy Contacts Backup Manager. Researchers continue to monitor the situation as it develops.