
Security researchers find over a dozen iPhone apps related to Golduck malware – TechCrunch



Security researchers say they have found more than a dozen iPhone apps that covertly communicate with a server used by Golduck, a historically Android-focused malware family that infects popular classic gaming apps.

The malware has been known for over a year. It was first discovered by Appthority, which found it infecting classic and retro games on Google Play through backdoor code that allowed malicious payloads to be pushed to the device. At the time, over 10 million users were affected; the malware allowed attackers to run commands at the highest privilege level, such as sending premium SMS messages from a victim's phone to make money.

Now, researchers say iPhone apps related to malware can also pose a risk.

Wandera, an enterprise security firm, said it found 14 apps – all retro-style games – that communicate with the same command and control server used by the Golduck malware.

"The domain [Golduck] was on a monitoring list we established due to its use in the distribution of a specific load of Android malware lately," said Michael Covington, Wandera's vice president of product. "When we started seeing communication between iOS devices and the known malware domain, we investigated further."

The apps include: Commando Metal: Classic Contra, Super Pentron Adventure: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It On: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick – Retro Block, Climber Brick, and Chicken Shoot Galaxy Invaders.

According to the researchers, the command and control server's behaviour appears relatively benign: it simply pushes a list of icons in a box, with ad space in the upper right corner of the app. When the user opens the game, the server tells the app which icons and links to serve to the user. However, the researchers observed that the apps sent IP address data – and in some cases location data – back to the Golduck command and control server. TechCrunch confirmed their findings by running the apps on a clean iPhone through a proxy so we could see where the data went. Based on what we saw, the app tells the malicious Golduck server the app name, version, device type and the device's IP address – including how many ads were shown on the phone.
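The detection approach the article describes (a watchlist of known malware domains, checked against proxied device traffic) is easy to reproduce. The following is an added example, not code from the article, Wandera or TechCrunch: it parses constructed proxy log lines, flags requests to a watchlisted domain, notes whether the client looks like an iOS app, and pulls out the fields the app sent (the domain name, log format and query parameters are all assumptions).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Watchlist of domains a security team has flagged, as Wandera did with the
# Golduck C2 domain. The name below is a constructed placeholder, not the real one.
WATCHLIST = {"golduck-c2.example"}

# Constructed proxy log lines (not real captures): timestamp, client IP,
# User-Agent in quotes, and the full request URL. App names, device models
# and query parameters are assumed for illustration.
SAMPLE_LOG = """\
2019-01-15T10:02:11Z 10.0.0.12 "ClassicBomber/2.1 CFNetwork/975.0.3 Darwin/18.2.0" http://golduck-c2.example/ads?app=ClassicBomber&ver=2.1&dev=iPhone10,3&ads=7
2019-01-15T10:02:13Z 10.0.0.12 "ClassicBomber/2.1 CFNetwork/975.0.3 Darwin/18.2.0" https://cdn.example.net/icons/pack1.png
2019-01-15T10:03:40Z 10.0.0.31 "Mozilla/5.0 (Macintosh)" https://news.example.org/
2019-01-15T10:04:02Z 10.0.0.12 "TrapDungeons/1.0 CFNetwork/975.0.3 Darwin/18.2.0" http://golduck-c2.example/ads?app=TrapDungeons&ver=1.0&dev=iPad7,5&ads=3
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def parse_line(line):
    """Split one proxy log line into its fields; return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, ua, url = m.groups()
    return {"ts": ts, "client": client, "ua": ua, "url": url}


def flag_watchlist_hits(log_text, watchlist=WATCHLIST):
    """Return one record per request whose host is on (or under) the watchlist."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        on_list = host in watchlist or any(host.endswith("." + d) for d in watchlist)
        if not on_list:
            continue
        # iOS apps using the system networking stack identify as CFNetwork/Darwin.
        ios_client = "CFNetwork" in rec["ua"] and "Darwin" in rec["ua"]
        # Query parameters are what the app leaked to the server (first value each).
        leaked = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hits.append({"ts": rec["ts"], "client": rec["client"], "host": host,
                     "ios_client": ios_client, "leaked_fields": leaked})
    return hits
```

Each hit records the device that made the request and the fields it sent, which is enough to see which installed apps are talking to the watchlisted server and what they disclose.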

For now, the researchers say the apps are packed with ads – probably as a way of making money. But they expressed concern that the communication between the app and a server known to be malicious could open the app – and the device – to malicious commands down the line.

"The apps themselves are not technically compromised; while they do not contain any malicious code, the back door they open presents an exposure risk that our customers do not want to take," the researchers said. An attacker could easily use the secondary advertising space to show a link that redirects the user and dupes them into installing a configuration profile or certificate that ultimately allows a more malicious app to be installed.

One of the iPhone apps, "Classic Bomber", was found to communicate with a malicious command and control server. It has since been withdrawn from the US App Store. (Screenshot: TechCrunch)

The same could be said of any game or app, regardless of device, manufacturer or software. But a connection to a known malicious server is not a good look. Covington said the company has "observed harmful content shared by the server" but that it was not related to the games.

The implication is that if the server can send malicious payloads to Android users, iPhone users may be next.

TechCrunch sent the list of apps to app data insights firm Sensor Tower, which estimates that the 14 apps had been installed close to a million times since they were released – not counting repeated downloads or installations across different devices.

When we tried to contact the app makers, many of the App Store links pointed to dead pages or to privacy policy pages with no contact information. The Golduck domain's registrant details appear to be fake, as do those of other Golduck domains, which often carry different names and email addresses.

Apple did not comment when reached prior to publication. The apps still appear to be downloadable from the App Store, but all now appear to be unavailable in the US store.

Apple's app stores may have a better reputation than Google's, which every so often lets malicious apps slip through the net. In reality, neither store is perfect. Earlier this year, security researchers found a top-tier app in the Mac App Store that siphoned off users' browsing history, and dozens of iPhone apps that sent user location data to advertisers without explicitly asking first.

For average users, malicious apps remain the biggest and most common threat on mobile – even with locked-down software and extensive app review.

If there is a lesson, it is the same as ever: don't download what you don't need or can't trust.
