Security researchers recently found 17 apps on the Apple App Store that were infected with the Clicker Trojan module that continuously opened web pages and clicked links without user interaction to generate fake web traffic and raise ad revenue.
Discovered by researchers at Wandera, the 17 infected apps on the Apple App Store were part of 35 free apps published by a single developer using the profile “My Train Info”. The developer had published a total of 51 apps on the App Store, and the 17 infected apps communicated with a remote C&C server that has also been found to be part of a similar clicker trojan campaign on Android.
The researchers explained that Clicker Trojan is a malware type that “performs ad-fraud by making frequent connections to ad networks or websites in order to artificially inflate visitor counts or to generate revenue on a pay-per-click basis”. Apps infected by this malware fraudulently subscribe users to expensive content services and silently load websites to generate fake traffic.
“Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more).
“Simply put, C&C infrastructure is a ‘backdoor’ into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app,” the researchers added.
How can organisations protect their devices & data from Clicker Trojan infection?
All the infected apps were taken down by Apple after they were flagged by Wandera. The researchers recommend that mobile-enabled businesses carry out app security vetting to ensure apps, especially free apps, are trustworthy, have good reviews and legitimate developer profiles, and don’t request unnecessary or high-risk app permissions.
At the same time, organisations should install mobile security solutions on BYOD and corporate-liable devices that can block C&C traffic and any outside connections bad apps try to make. This way, even if a bad app gets installed on a company-owned device, its functionality will be severely limited and sensitive data will remain secure.
Commenting on the discovery of over a dozen infected apps on the Apple App Store, Sam Bakken, Senior Product Marketing Manager at OneSpan, said that these mobile trojans lay dormant for days on a device so that Apple would be unlikely to detect this malicious behavior.
“There’s really no telling how secure users’ devices are or whether they’re infected with malware. We can’t depend on Google or Apple to ensure the security of the environments within which apps run. Additional action must be taken.
“For example, using mobile in-app protection and app shielding provides an extra layer of protection beyond that provided by the platforms (Android or iOS) or the app stores. App shielding monitors the app, regardless of where it’s installed, to ensure its execution environment is safe and secure to shut down any malicious behavior before it’s too late,” he added.