Malware In China, Part 2: iOS Users Are Vulnerable, Too

Apple malware

Before Spring Festival, we warned Beijing Cream readers about some of the dangers of using Android, how a specific type of malware works, and what users can do to protect themselves. As mentioned in that post, it’s not just Android users who should beware, but also those using the iOS platform in its many physical expressions, especially those with jailbroken devices.

iOS can, too

Because of the open nature of the Android platform, users can easily and unknowingly download applications repackaged to carry various kinds of malware. With Apple’s mobile operating system, and the amount of control built into the OS, applications, and hardware itself, the chance of downloading malware capable of hijacking your connection or retrieving personal information is quite slim. However, that doesn’t mean it can’t happen.

According to Apple (PDF), they don’t need any built-in or third party antivirus software, as the complete ecosystem is built around control. Even if malware passed the vetting process, including certificates only given to verified developers, to get onto the App Store, they are then “sandboxed” so that they don’t have access to any other parts of the system. That being said, that doesn’t mean that malware is not created for iOS, nor is it impossible for applications to carry malware through the App Store and onto your device.

F-Secure Q4 2012 Mobile Threat Report (PDF) shows that Android accounts for 79% of all mobile malware, whereas iOS accounts for only 0.7%. Yes, a small number, but as Philip Elmer-Dewitt points out, 2012 was is the first year that any threats on iOS were discovered by F-Secure.

Tony DeLaGrange, from Secure Ideas, says that there have already been apps approved by Apple that had hidden and undocumented functionality. Luckily, they weren’t carrying malicious code:

For instance, the iRandomizer Numbers and Handy Light apps had a hidden undocumented feature that provided free tethering. I wouldn’t categorize this a malware, but the point is that if someone is able to hide functionality within an app and get through Apple’s review process, then a malicious app getting through this process could potentially reach a large volume of devices before being identified and removed, especially if the malware delays its malicious actions to allow time for further distribution.

He adds that it would difficult to pull off, as the app would need to be quite popular and regularly used, but the payoff would be that much more rewarding.

Jailbroken Nation

As with Macs, there is a veneer of security for iOS, as just not much malware is created for the platform. However, as we mentioned above and as Kaspersky Lab CEO Eugene Kaspersky believes, this has more to do with other platforms being more easily targeted than the inherent security of iOS.

When users jailbreak their device, they also disable some key security measures. As Tony DeLaGrange puts it, this can be dangerous, as more and more of our lives are stored on our mobile devices, including credit card information, passwords, and social security numbers (emphasis mine):

Jailbreaking an iOS device basically disables code signing, which disables Apple’s Data Execution Prevention (DEP) control. Once DEP is disabled, pretty much any code can be executed on the jailbroken device. Consequently, jailbroken iOS apps are not sandboxed, which permits easier access to any data on the device, as well as device features. Removing these controls opens up the iOS device to malware infestation and potential compromise of their information.

While the number of jailbroken devices in China seems to be going down, it already presents itself as a target-rich environment. On top of that, it is amazingly easy to find jailbreak solutions online and offline, with stores actually advertising jailbreaking services. Easy things tend to attract people without the knowhow or savvy, thus making for easier targets as the Ike virus from 2011 shows.

Ike.A relied on the fact that many who jailbreak really don’t understand how their device works and used the default iOS credentials and SSH to infect the jailbroken iPhone and (harmlessly) Rick-Roll the user by changing the background to Rick Astley. According to DeLaGrange, Ike.B, however, was not as friendly. Using the same vulnerabilities, it created command and control that made the iPhone part of a botnet that was suspected of engaging in phishing of ING user login credentials.

Sometimes the Rules Feel Good

While there are certain advantages to jailbreaking, the downsides can be quite severe. And, to be honest, the non-practical advantages of jailbreaking only really count if you want to tweak the system and know what you’re doing

I came round to not jailbreaking my device after I found that I couldn’t (a long story). At first, I was very wary of actually purchasing applications, especially games. But after that first purchase, I have to admit that it feels good to know that I’m helping to support developers who make interesting content. Also, I now no longer have to worry about strange ways around Apple controls when upgrading: every single application on my iPad will follow me version after version with no work on my part.

I’m never going to stop being a cheap person (well, usually), so that’s why I have apps like TouchArcade and AppsGoneFree that alert me to great games and applications that have either become free or have been reduced in price.

My advice to all of our readers: Don’t jailbreak; it’ll only put you at more risk. Even if you’re not jailbroken, still be careful about what you’re putting on your device, put a password on the lock screen, and make sure “Find my iDevice” is turned on.

And never, never, never leave your device (whatever platform, make, or model) on the table at Starbucks while you go to the bathroom. It probably won’t be there when you come back.

John Artman has been China watching and covering tech since 2010. Follow him @KnowsNothing.

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


− 3 = five