Wandera experts identified 17 applications in the Apple App Store that contained malicious code and simulated user interaction with advertisements, that is, they were clicker trojans. All of the applications were published by the Indian developer AppAspect Technologies Pvt. Ltd and engaged in advertising fraud: they clicked on links and continually opened windows with ads in the background, all without the users' knowledge.
The 17 infected applications were published on the App Store in various categories, from system utilities to travel:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio – Internet Radio
- My Train Info – IRCTC & PNR
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019
- Restaurant Finder – Find Food
- BMI Calculator – BMR Calc
- Dual Accounts
- Video Editor – Mute Video
- Islamic World – Qibla
- Smart Video Compressor
Although the adware was almost invisible to victims, Wandera analysts note that running such applications could slow down devices and drain the battery faster.
In total, this developer has 51 applications in the App Store, 35 of which are free. All 17 infected applications are among the free ones, and all of them contacted the same command-and-control (C&C) server over a channel protected with strong encryption, which the researchers were unable to crack. Evidently, this server hosts the payload associated with the click fraud.
Experts suggest that the developer placed the malicious code in an external source to bypass the App Store security mechanisms.
“This campaign is very similar to the campaign discovered in August this year. Specialists revealed on Google Play a clicker trojan that worked as part of 34 applications and was used in the same way to increase website visits and monetize online traffic. The fact is that the same management server was involved in this campaign as in this incident,” said Wandera analysts.
AppAspect Technologies has a developer profile on the Google Play Store and 28 currently published apps. Wandera experts examined these applications and concluded that they did not contact a suspicious command server.
However, additional research revealed that AppAspect Technologies' Android apps were once infected as well, which led to their removal from the store. They have since been republished and no longer contain malicious functions. In this regard, Wandera experts note that the developer may not have added the malicious code to the applications himself; this could instead be a supply-chain attack.
Currently, Apple has removed all compromised applications from the App Store, except for two: My Train Info – IRCTC & PNR and Easy Contacts Backup Manager. Researchers continue to monitor the situation.