While it’s true that Apple’s App Store has a more effective screening system than Google Play, the app store for Android phones, that doesn’t mean all of its offerings are safe to install on your iPhone. Just last week, a roster of 17 seemingly innocuous apps was shown to be malicious. Along with yoga poses and cricket scores, users were unwittingly enrolled in a click fraud scheme.
Mobile security firm Wandera broke the news and explained how the apps worked. “The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction,” Wandera said in its post. “They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.”
If you’re not familiar with pay-per-click (PPC) advertising, here’s how it works. Say you’re a small business owner and want to advertise online. You place an ad with an ad network and specify your budget per day over a certain length of time. Each time your ad is clicked on a website, you pay a certain amount based on the value the network assigns to your target, and then the network and the website where your ad is running receive the proceeds. Fake clicks would result in you (the advertiser) paying more to run your ad.
Apple has subsequently removed these 17 offenders and said it is tightening its review policy to identify this type of problem. Apple also said that it does not classify clicker trojans as malware because ad fraud doesn’t directly disrupt your smartphone experience or steal data from it. Still, that’s not the kind of app you’d want on your phone.
The bad apps included Daily Fitness – Yoga Poses, Restaurant Finder – Find Food, CrickOne – Live Cricket Scores and FM Radio PRO – Internet Radio. For a complete list, visit https://www.wandera.com/mobile-security/ios-trojan-malware.
The first thing to do is make sure you have not downloaded any of these apps to your phone. If you did, delete them. Follow up with a thorough check of your bank statement to be sure that there are no unknown subscriptions that could be a result of a rogue app.
There is a lesson to be learned from this story. Malicious apps can make their way into the App Store despite the common assumption that all apps in Apple’s store are safe, much as people still believe Macs don’t get viruses. Yes, Apple’s vetting process is more rigorous than Google’s, but your full trust in the App Store is unwarranted.
Before you download an app to your phone, regardless of which store you are visiting, note the number of downloads and read the reviews with skepticism, because rave reviews can be fake. Never download a brand-new app, because it won’t yet have the track record to reveal any problems. In testing the initial suspicious app, Wandera found no unusual activity until it added a SIM card to the test iPhone. After a couple of days, the app connected to remote servers and began its click fraud activity. The presence of a SIM card indicated that the phone belonged to a real person rather than an App Store tester or security researcher.
You should also do a Google search using the app’s name to uncover any issues not included in the store’s review section. Better yet, don’t download miscellaneous apps; stick with the ones from reputable developers that have been used by thousands of people for more than a year. For instance, better choices than an obscure restaurant finder, such as the fraudulent one mentioned above, are Yelp and your Maps app.
And if you’re thinking about antivirus software for your iPhone, stop. There are no true antivirus apps for iOS. That’s because iPhone apps run in a “sandbox” that essentially blocks access to other apps and the operating system itself, so a scanner app could not inspect the other apps on the phone. The best way to protect your iPhone is to keep iOS up to date and restrict your apps to those proven to be safe.