Rogue iOS Apps Sent Data to Malicious Server

Researchers have come across several games in the iOS app store that sent information to and communicated with a known malicious server.

Finding malware in the iOS app store is rare because Apple has a highly stringent policy for app store admission and performs manual app reviews. Even so, it seems that one developer managed to find a way to bypass those defenses.

Researchers from mobile security firm Wandera found 14 iOS apps that functioned as retro games, but which were also injecting ads from a server associated with the Golduck Android malware.

Golduck was discovered in 2017 by researchers from Appthority inside classic game apps on the Android platform. The rogue apps contained a mechanism to download and install a second-stage payload from a remote server and set up the stage for adware attacks—displaying rogue ads to users.

The Wandera researchers observed similar behavior in the iOS apps they discovered, which have since been removed by Apple from the app store.

“Our security researchers discovered a secondary area being used to display ads that are not powered by Admob and instead, present content from a known malicious server,” Wandera said in a blog post. “Other than controlling the ad space, the C&C [command-and-control] communication is gathering information from the device such as its current IP address and associated location information.”

If the user clicks on one of the rogue ads, they are shown a list of additional retro games from the same developer that they can install. This ensures that the phone has multiple applications that can display the ads the attacker wants. In addition, this mechanism could be used as a backdoor.

“A hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed,” the researchers said.

Phishing Scheme Abuses Web Fonts to Evade Detection

Attackers have found a way to make their phishing pages more difficult to detect by using web fonts to obfuscate their malicious code.

Code obfuscation on phishing pages is usually implemented in JavaScript, which is a red flag for automated systems. However, researchers from Proofpoint found a phishing kit where the encoding was done via Cascading Style Sheets (CSS) code, particularly with custom web fonts.

“This phishing landing then is utilizing a custom web font file to make the browser render the ciphertext as plaintext,” the researchers said in a blog post. “As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters ‘abcdefghi…’ with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page.”

This means that users will see the intended phishing text because their browser will use the custom web font. However, when analyzing the source code, automated scanners will only see jumbled data.
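The following is an added illustration, not code from the article or from the Proofpoint research, of how a defender can triage such a page. It uses a constructed phishing page whose visible source text is a substitution ciphertext, a placeholder base64 blob in place of a real WOFF file, and a constructed glyph table (a shift-by-one mapping here; a real kit would use an arbitrary permutation) standing in for what an analyst would recover from the font's cmap and glyph outlines. The heuristic flags pages that embed a font as a data: URI while their source text scores poorly against a small wordlist of credential-page terms, and shows that the text reads normally once the font's mapping is applied.

```python
import re

# Constructed sample: a phishing page whose visible text is ciphertext that
# only the embedded custom font renders as readable words. The base64 blob is
# a placeholder, not a real WOFF file.
SAMPLE_PHISHING_HTML = """
<style>
@font-face { font-family: 'obf'; src: url(data:font/woff;base64,d09GRgABAAAA) format('woff'); }
body { font-family: 'obf'; }
</style>
<body><p>foufs zpvs qbttxpse up dpoujovf</p></body>
"""

# Constructed benign page for comparison: plain text, no embedded font.
SAMPLE_BENIGN_HTML = """
<style>body { font-family: Arial; }</style>
<body><p>enter your password to continue</p></body>
"""

# Constructed glyph table standing in for the font's cmap: the glyph drawn for
# the codepoint on the left looks like the letter on the right. This is a
# shift-by-one mapping; a real kit would use an arbitrary permutation, and an
# analyst would recover it from the WOFF's cmap and glyph outlines.
GLYPH_MAP = {chr(ord("a") + (i + 1) % 26): chr(ord("a") + i) for i in range(26)}

# Small wordlist of terms common on credential-harvesting pages (constructed).
WORDLIST = {"enter", "your", "password", "to", "continue", "sign", "in",
            "account", "verify", "email", "login", "username"}

# @font-face rule that embeds its font inline as a data: URI.
DATA_URI_FONT = re.compile(r"@font-face\s*\{[^}]*url\(\s*['\"]?data:[^)]*\)", re.I | re.S)
# Strip <style> blocks first, then any remaining tags.
TAG = re.compile(r"<style.*?</style>|<[^>]+>", re.S | re.I)


def embedded_font_data_uris(html):
    """Return the @font-face rules that embed the font as a data: URI."""
    return DATA_URI_FONT.findall(html)


def visible_text(html):
    """Text as it appears in the page source, tags and style blocks removed."""
    return " ".join(TAG.sub(" ", html).split())


def decode_with_glyph_map(text, glyph_map):
    """Render source text the way the custom font would draw it."""
    return "".join(glyph_map.get(c, c) for c in text)


def wordlist_ratio(text):
    """Fraction of alphabetic tokens found in the wordlist (0.0 if no tokens)."""
    tokens = re.findall(r"[a-z]+", text.lower())
    if not tokens:
        return 0.0
    return sum(t in WORDLIST for t in tokens) / len(tokens)


def analyze(html, glyph_map=None):
    """Triage a page: embedded font plus unreadable source text is the red flag.

    If a glyph map recovered from the font is supplied, also report the text
    the victim would actually see.
    """
    fonts = embedded_font_data_uris(html)
    source = visible_text(html)
    rendered = decode_with_glyph_map(source, glyph_map) if glyph_map else source
    source_ratio = wordlist_ratio(source)
    return {
        "embedded_font": bool(fonts),
        "source_ratio": source_ratio,
        "rendered_ratio": wordlist_ratio(rendered),
        "rendered_text": rendered,
        # Readable text hidden behind an inline font is the evasion pattern.
        "suspicious": bool(fonts) and source_ratio < 0.5,
    }


if __name__ == "__main__":
    for name, html in (("phishing", SAMPLE_PHISHING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, analyze(html, GLYPH_MAP if name == "phishing" else None))
```

The source-text ratio alone is not proof of phishing (a page in another language also scores low against an English wordlist), which is why the rule requires the inline font as well; an analyst who extracts the real glyph mapping from the font can then feed it to `analyze` to recover the lure text for further matching.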

The attackers are also rendering the images on the page—the brand elements of a major U.S. bank—in scalable vector graphics (SVG), so the logos themselves don’t appear in the source code. Other phishing kits load the actual logos from the impersonated websites, which can be detected.

“Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse,” the researchers said. “While the substitution cipher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
