Pierluigi Paganini October 27, 2019

Wandera researchers discovered seventeen iOS applications infected with clicker Trojan into the official Apple App Store.

Experts at Wandera discovered seventeen iOS applications infected with clicker Trojan into the official Apple App Store. The mobile apps were instructed by the C&C to simulate user interactions, allowing crooks to fraudulently collect ad revenue.

“The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.” reads a blog post published by Wandera.

“The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.”

The tainted applications were published in the App Store in various categories, in various countries by the same developer, the India-based AppAspect Technologies Pvt. Ltd.

The same developer has published 51 applications in the App Store, 35 of which could be downloaded for free.

AppAspect Technologies has also 28 applications published in Google Play, but they don’t connect to the same C&C server.

Below the list of infected apps:

• RTO Vehicle Information
• EMI Calculator & Loan Planner
• File Manager – Documents
• Smart GPS Speedometer
• CrickOne – Live Cricket Scores
• Daily Fitness – Yoga Poses
• FM Radio – Internet Radio
• My Train Info – IRCTC & PNR (not listed under developer profile)
• Around Me Place Finder
• Easy Contacts Backup Manager 
• Ramadan Times 2019
• Restaurant Finder – Find Food
• BMI Calculator – BMR Calc
• Dual Accounts
• Video Editor – Mute Video
• Islamic World – Qibla
• Smart Video Compressor

Experts noticed that the seventeen iOS applications infected with clicker Trojan were all connecting to a C&C server that was first reported by Dr. Web as part of an investigation on another clicker trojan campaign targeting Android devices.

At the time of writing, experts at Wandera were not able to crack encrypted communications made by the apps with the C&C server. 

“Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more).” states Wandera. “Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.”

The experts noticed the developer had also some infected Android apps published to Google Play that were already removed. Later the developer has published them again removing the malicious code inside.

“Techniques like those used in this example also point to more instances of malware being introduced into official app sources, making it more accessible to everyday consumers and mobile workers alike.” Wandera concludes.

“As always, we recommend that mobile-enabled businesses undergo some form of app security vetting to ensure apps, especially free apps, are trustworthy,”

Pierluigi Paganini

(SecurityAffairs – clicker Trojan, iOS apps)

[adrotate banner=”5″]

[adrotate banner=”13″]