Security researchers say they’ve found over a dozen iPhone apps covertly communicating with a server associated with Golduck, historically Android-focused malware that infects popular classic game apps.
The malware has been known for more than a year, having first been detected by Appthority infecting retro and classic games on Google Play by embedding backdoor code that allowed malicious payloads to be quietly pushed to the device. At the time, more than 10 million users had been affected by the malware, which let attackers run malicious commands with the highest privileges, such as sending premium SMS messages from a victim’s phone to make money.
Now, the researchers say iPhone apps linked to the malware could also pose a risk.
Wandera, an enterprise security firm, said it found 14 apps, all retro-style games, that were communicating with the same command-and-control server used by the Golduck malware.
“The [Golduck] domain name was on a watchlist we established due to its use in distributing a specific breed of malware previously,” explained Michael Covington, Wandera’s vice-president of product. “When we began seeing communication between iOS devices and the known malware domain, we investigated further.”
The apps include: Commando Metal: Vintage Contra, Super Pentron Experience: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll Game, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick — Retro Block, The Climber Brick, and Chicken Shoot Galaxy Invaders.
According to the researchers, what they have seen so far appears relatively benign: the command-and-control server simply pushes a list of icons into a pocket of ad space in the upper-right corner of the app. When the user opens the game, the server tells the app which icons and links it should serve to the user. They did, however, see the apps sending IP address data, and in some cases location data, back to the Golduck command-and-control server. TechCrunch verified their claims by running the apps on a clean iPhone through a proxy, letting us see where the data goes. From what we saw, the app tells the malicious Golduck server exactly which app, version and device type is in use, along with the device’s IP address and the number of ads that were displayed on the phone.
For now, the researchers say the apps are packed with ads, likely as a way to make a quick buck. But they expressed concern that the communication between the app and the known-to-be-malicious server could open up the app, and the device, to malicious commands down the road.
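The watchlist approach Covington describes, and the kind of device data the apps were seen reporting, can be checked for in proxy or DNS logs from managed devices. The following is an added example, not code from Wandera, TechCrunch or the apps in question; the domain names, device names and log lines are constructed placeholders (the article does not give the Golduck domain), and the simple space-separated log format is assumed:

```python
"""Flag outbound requests from managed mobile devices to watchlisted
command-and-control domains, and show what data those requests carry.

Added example, not Wandera's or TechCrunch's code. The watchlist entries,
device names and log lines are constructed placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed watchlist of known-bad domains. In practice this would be fed
# from a threat-intelligence feed; the Golduck domain is not in the article.
WATCHLIST = {
    "c2.example-golduck.invalid",    # hypothetical C2 domain placeholder
    "ads.example-golduck.invalid",   # hypothetical secondary ad-serving host
}

# Constructed proxy log lines: "<timestamp> <device> <method> <host> <path>".
SAMPLE_LOG = """\
2019-01-07T10:01:02Z ios-device-01 GET  c2.example-golduck.invalid /icons?app=Block%20Game&ver=1.2&dev=iPhone&ip=203.0.113.7&ads=3
2019-01-07T10:01:05Z ios-device-01 GET  cdn.legit-game-assets.example /sprites.png
2019-01-07T10:02:11Z ios-device-02 POST ads.example-golduck.invalid /report
2019-01-07T10:03:40Z android-03    GET  www.example.com /
2019-01-07T10:04:00Z ios-device-01 GET  tracker.c2.example-golduck.invalid /ping
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_matches_watchlist(host, watchlist=WATCHLIST):
    """True if host equals a watchlisted domain or is a subdomain of one.

    Case and a trailing dot are ignored; a domain that merely ends with the
    same characters (e.g. 'notc2.example-golduck.invalid') is not a match.
    """
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def find_watchlist_hits(log_text, watchlist=WATCHLIST):
    """Group every request to a watchlisted host by the device that made it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches_watchlist(rec["host"], watchlist):
            hits[rec["device"]].append(rec)
    return dict(hits)


def exfil_fields(path):
    """Return the query-string parameters of a request path as a flat dict,
    so an analyst can see which device details the app reports upstream."""
    query = urlsplit(path).query
    return {k: v[-1] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    for device, recs in find_watchlist_hits(SAMPLE_LOG).items():
        print(f"{device}: {len(recs)} request(s) to watchlisted hosts")
        for rec in recs:
            fields = exfil_fields(rec["path"])
            print(f"  {rec['ts']} {rec['method']} {rec['host']} fields={fields}")
```

Matching on the host suffix rather than the exact name matters here because command-and-control infrastructure often rotates subdomains under one registered domain; the device-level grouping gives the triage queue Covington's team would have worked from before looking at the individual apps.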
“The apps themselves are technically not compromised; while they do not contain any malicious code, the backdoor they open introduces a risk for exposure our customers don’t wish to take.
“A hacker could easily use the secondary advertising space to show a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that finally allows for a more malicious app to be installed,” the researchers said.
That could be said of any game or app, regardless of device maker or software. But the connection to a known malicious server isn’t a good look. Covington said the company has “found malicious content being shared by the host,” but it was not linked to the games.
TechCrunch sent the list of apps to data insights company Sensor Tower, which estimated that the 14 apps had been installed close to one million times since they were published, excluding repeated installs or downloads across different devices.
The registrant on the Golduck domain appears to be fake, as do those of other domains associated with Golduck, which frequently have different names and email addresses.
Apple did not comment when reached before publication. The apps appear to still be downloadable from the App Store, but all now say they’re “not now available in the U.S. store.”
Apple’s app stores may get a better rap than Google’s, which every once in a while lets malicious apps slip through the net. In reality, neither store is perfect. Earlier this year, security researchers discovered a top-tier app in the Mac App Store that was collecting users’ browsing history without consent, and dozens of iPhone apps that were sending user location data to advertisers without explicitly asking first.
For the average user, malicious apps remain the biggest and most common threat to mobile users, even with locked-down device software and extensive vetting of apps.
If there’s one lesson, today and always: don’t download what you don’t need, or can’t trust.