Apple Pulls Russian SMS Spam App from App Store [Updated]




MacRumors
Jul 5, 2012, 12:38 PM


Earlier today, Russian security firm Kaspersky Lab reported (http://www.securelist.com/en/blog/208193641/Find_and_Call_Leak_and_Spam) that it had been alerted to an app available in both Apple's App Store and the Google Play store for Android that was quietly harvesting users' address book contacts and sending them to the developer's servers. The developer's systems were then sending text messages to those contacts advertising the application, with the "From" field being spoofed with the original user's mobile phone number.



The application, Find and Call, ended up primarily targeting Russian users due to its use of the Russian language in the app description, but the app was available in App Stores around the world. The report notes that while there have been previous incidents of personal information being transmitted inappropriately from App Store apps, this appears to be the first time that such information has been used in a malicious manner.

"Malware in the Google Play is nothing new but it's the first case that we've seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago. But the main issue here is user's privacy again. It's not for the first time when we see incidents related to user's personal data and its leakage. And it's for the first time when we have confirmed case of malicious usage of such data."

In several updates to the original post, Kaspersky Lab notes that spam invites are also being sent via email. One user was also able to get in touch with the application's author, who claims that the behavior is a bug, although the explanation certainly appears to be suspect.

It now appears that Apple has removed Find and Call from the App Store, as links to the app in the U.S. and Russian App Stores show that it is unavailable. The app did exist for some time, however, as it debuted in the App Store on June 13.

Apple has been working to limit third-party apps' access to personal data, and will be rolling out enhanced permission requirements (http://www.macrumors.com/2012/06/14/apple-requires-user-permission-before-apps-can-access-personal-data-in-ios-6/) in iOS 6 to alert users when their data is being accessed.

Update: Apple has issued a statement to The Loop (http://www.loopinsight.com/2012/07/05/apple-responds-to-find-and-call-spam-app/) acknowledging that it has pulled the app. "The Find & Call app has been removed from the App Store due to its unauthorized use of users' Address Book data, a violation of App Store guidelines," an Apple representative told The Loop.

Article Link: Apple Pulls Russian SMS Spam App from App Store [Updated] (http://www.macrumors.com/2012/07/05/apple-pulls-russian-sms-spam-app-from-app-store/)



Richdmoore
Jul 5, 2012, 12:41 PM
I hope Apple uses its "kill switch" to delete this app from those phones that have already downloaded the app.

ouimetnick
Jul 5, 2012, 12:44 PM
I hope Apple uses its "kill switch" to delete this app from those phones that have already downloaded the app.

In this case, that's a good idea. If all the app does is spam, spam, and spam, then kill it. Was this a free app? If not, they should take the money from the developer's account (if he has received it already) and return it to the people who downloaded this app.

RoelJuun
Jul 5, 2012, 12:45 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

DarkWinter
Jul 5, 2012, 12:48 PM
One user was also able to get in touch with the application's author, who claims that the behavior is a bug, although the explanation certainly appears to be suspect.

Those damn spam bugs! :rolleyes:

Mad-B-One
Jul 5, 2012, 12:48 PM
By the current number of Apps available and the security flaws (or holes) in up to iOS 5.1.1, it was just a matter of time before this happened. I imagine it is pretty easy: You submit a clean version of an App and one of the updates contains the exploiting parts. I doubt that the functionality will be checked well enough that this would be rejected.

Bad news: someone gave an example what you can do with the current settings.

Good news: Companies like Kaspersky Labs know what to look for.

Consultant
Jul 5, 2012, 12:49 PM
I hope Apple uses its "kill switch" to delete this app from those phones that have already downloaded the app.

Yeah. Although Apple never used the kill switch before, this would be a good case for it.

The first question that pops up in my mind is: how did it get into the app store in the first place?

The developer probably wasn't spamming its users until it was approved.

TsunamiTheClown
Jul 5, 2012, 12:51 PM
...quietly harvesting...


the Jig is up pal

Winter Charm
Jul 5, 2012, 12:54 PM
In this case, that's a good idea. If all the app does is spam, spam, and spam, then kill it. Was this a free app? If not, they should take the money from the developer's account (if he has received it already) and return it to the people who downloaded this app.

I agree... This doesn't bode well for anyone :P
Here would be a great place to exercise the kill switch.

darkslide29
Jul 5, 2012, 12:54 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

Oh how I would hate to be that Quality Assurance Tester that signed off and accidentally let this one slip by. Especially if this really is the first incident in five years, as the article states.

But thinking about it further, there are a lot of apps that access the entire address book. A game like Words with Friends can access the address book, they just are trusted to NOT spam. This app probably went through, and the developer is being a **** by spamming after the fact.
If that's the case, I don't know how this can be stopped during the approval process.

Unless it's easy to see when an app is uploading address books to an outside server..
So many questions..

Mad-B-One
Jul 5, 2012, 12:56 PM
One user was also able to get in touch with the application's author, who claims that the behavior is a bug, although the explanation certainly appears to be suspect.

Yea, right: "I got all that contact info and didn't know what to do. So, I started to advertise my App to them impersonating you. That clearly was a bug!"

It's like the situation where the husband walks in on the pool boy and his wife: "Oh, I understand! She was changing, you were taking a leak and when you stumbled, you both tripped 10 feet and landed naked on top of each other in the bed. Time for you to accidentally fall 20 times backwards into my kitchen knife! Surely no problem for someone that clumsy."

chainprayer
Jul 5, 2012, 12:57 PM
Is it just me, or is anyone else wanting to see the kill switch in action? :-P

tubular
Jul 5, 2012, 12:57 PM
Why are people acting like there hasn't been malware on the iPhone before? About two months ago, I had malware that quietly changed whatever phone number was the top of my Favorites list to a 1-800 number I didn't recognize. Delete that entry from my Favorites list, and two seconds later, whatever the new top number was on my Favorites changed to that 1-800 number. I ended up wiping and reinstalling iOS, and the problem went away.

This started up after I got a spam SMS message.

Anybody else seen this?

deadwalrus
Jul 5, 2012, 12:58 PM
Sounds like Facebook.

Skika
Jul 5, 2012, 12:59 PM
This would never have happened if Steve Jobs was still with us. :eek:

The only way I can make it through the day without suicide is convincing myself that people like you are just trolls.

DarkWinter
Jul 5, 2012, 01:00 PM
This would never have happened if Steve Jobs was still with us. :eek:

...

Mad-B-One
Jul 5, 2012, 01:01 PM
Why are people acting like there hasn't been malware on the iPhone before? About two months ago, I had malware that quietly changed whatever phone number was the top of my Favorites list to a 1-800 number I didn't recognize. Delete that entry from my Favorites list, and two seconds later, whatever the new top number was on my Favorites changed to that 1-800 number. I ended up wiping and reinstalling iOS, and the problem went away.

This started up after I got a spam SMS message.

Anybody else seen this?

Do you have a JB phone?

darkslide29
Jul 5, 2012, 01:02 PM
Funny, I got some malware last week. All of a sudden this app wiped all of the email addresses in my address book, and replaced them with an @facebook.com email address.

Oh wait that was the official Facebook app and it's still up :p

tubular
Jul 5, 2012, 01:04 PM
Do you have a JB phone?

Nope. That's why I was very surprised to see this. And it's why I'm hoping that iOS 6 does indeed firewall away the contacts list, so that apps can't juggle the Favorites list like that.

iSee
Jul 5, 2012, 01:05 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

The reviewers aren't all-knowing. For an app like this they could have observed the following without rejecting the app:
1. App accesses user's contacts (100% legitimate for an app of this nature)
2. App communicates to app developer's server (many, many apps do this for legitimate reasons).

It's not valid for an app to send contact information to the app developer's server without user permission after an adequate and accurate disclosure. But of course the app could have sent that information in an encrypted form so that the app reviewers had no way to know that contacts were being sent, or may have actually asked permission without revealing the intent to spam.

And, obviously, no spam was sent until after the app had been reviewed.

VenusianSky
Jul 5, 2012, 01:08 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

At this point, I am pretty much convinced that they are using artificial intelligence to approve apps. It was the approved "Microsoft Word 2012" that slipped into the App Store a couple weeks ago (and pulled later) that led me to this.

Blakjack
Jul 5, 2012, 01:09 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

http://www.businessinsider.com/heres-why-it-really-sucks-to-be-an-app-reviewer-for-apple-2012-7

iSee
Jul 5, 2012, 01:09 PM
Do you have a JB phone?

No, actually when he was shopping for his iPhone he bought a Samsung Android phone by mistake and still hasn't realized it. ;)

kalex
Jul 5, 2012, 01:13 PM
And there goes the myth that iOS is safer than Android. Nice job for the QA department.

TsunamiTheClown
Jul 5, 2012, 01:14 PM
...Russian security firm Kaspersky Lab

Oh, I gotta say these guys are on it. They blew the cover on Flame (http://en.wikipedia.org/wiki/Flame_(malware)) too.

user418
Jul 5, 2012, 01:15 PM
At this point, I am pretty much convinced that they are using artificial intelligence to approve apps. It was the approved "Microsoft Word 2012" that slipped into the App Store a couple weeks ago (and pulled later) that led me to this.

At this point, I am pretty much skeptical of downloading anything from anybody from anywhere.....

dashiel
Jul 5, 2012, 01:19 PM
And there goes the myth that iOS is safer than Android. Nice job for the QA department.

/sigh

munkery
Jul 5, 2012, 01:23 PM
The reviewers aren't all-knowing. For an app like this they could have observed the following without rejecting the app:
1. App accesses user's contacts (100% legitimate for an app of this nature)
2. App communicates to app developer's server (many, many apps do this for legitimate reasons).

It's not valid for an app to send contact information to the app developer's server without user permission after an adequate and accurate disclosure. But of course the app could have sent that information in an encrypted form so that the app reviewers had no way to know that contacts were being sent, or may have actually asked permission without revealing the intent to spam.

And, obviously, no spam was sent until after the app had been reviewed.

Good post.

Despite being a serious issue, this malware only abused legitimate functions allowed by apps. Also, the by-product of the malicious behaviour was only spamming advertising for the app.

Luckily, iOS 6 will more explicitly ask users' permission to partake in this behaviour rather than the user somewhat implicitly allowing it by downloading the app.

This is a lot different than the banking malware that includes privilege escalation that can be found targeting Android.

sweetbrat
Jul 5, 2012, 01:24 PM
And there goes the myth that iOS is safer than Android. Nice job for the QA department.

Yes, because one app doing it on the iPhone is as bad as the hundreds or thousands of problems with apps on the Android platform. :rolleyes:

skorpien
Jul 5, 2012, 01:27 PM
And there goes the myth that iOS is safer than Android. Nice job for the QA department.

Taking into account the number of apps in the App Store, I'd say Apple has done a great job of ensuring that the apps they approve are safe. Not to mention that with that many apps, it was only a matter of time before one slipped through. It is one app, and iOS 6 is taking precautions to make the OS even safer. Relax, Chicken Little, the sky is not falling.

adztaylor
Jul 5, 2012, 01:28 PM
The only way I can make it through the day without suicide is convincing myself that people like you are just trolls.

Haha brilliant reply. Well done.

sascha h-k
Jul 5, 2012, 01:38 PM
f... all this so called "developers" !

----------

ficke all this so called "developers" !

NAG
Jul 5, 2012, 01:39 PM
Just wondering, what was this app advertised to do?

samcraig
Jul 5, 2012, 01:43 PM
Yes, because one app doing it on the iPhone is as bad as the hundreds or thousands of problems with apps on the Android platform. :rolleyes:

Speak in hyperbole much?

Apple...
Jul 5, 2012, 01:43 PM
Kill switch! Kill switch!

Mad-B-One
Jul 5, 2012, 01:51 PM
The only way I can make it through the day without suicide is convincing myself that people like you are just trolls.

http://deal.org/wp-content/uploads/2012/02/Feb7th-jernvotten-on-Flickr.gif

John.B
Jul 5, 2012, 01:54 PM
iOS 6, with its per-app address book permissions, can't get here fast enough.

Mr. Gates
Jul 5, 2012, 01:59 PM
"In soviet Russia .......Apps Download YOU !"


http://content9.flixster.com/photo/11/62/95/11629539_sma.jpg

GenesisST
Jul 5, 2012, 02:01 PM
Yeah. Although Apple never used the kill switch before, this would be a good case for it.



The developer probably wasn't spamming its users until it was approved.

It's one thing to see in the review process that an app uses the contacts API. It's another to know exactly what is done with it, really.

iOS 6 will help with this by asking permission to access contacts. Still needs some judgment on the user's part.

Personally, I try to use judgment with apps even from the app store.

sweetbrat
Jul 5, 2012, 02:05 PM
Speak in hyperbole much?

Actually, no.

http://news.cnet.com/8301-1009_3-57466474-83/security-firm-android-malware-pandemic-by-years-end/

kalex
Jul 5, 2012, 02:13 PM
Yes, because one app doing it on the iPhone is as bad as the hundreds or thousands of problems with apps on the Android platform. :rolleyes:

/Facepalm

----------

Actually, no.

http://news.cnet.com/8301-1009_3-57466474-83/security-firm-android-malware-pandemic-by-years-end/

/DoubleFacePalm

blackcrayon
Jul 5, 2012, 02:18 PM
And there goes the myth that iOS is safer than Android. Nice job for the QA department.

Kind of like the "myth" that Macs are safer from malware than Windows (the kind of "myth" that means "statistically accurate")?

There is this strange "a little bit of something is just as bad as a ton of something" non-logic I see a lot of lately. "iPhone 4 doesn't get Siri? Well i guess iOS is just as fragmented as Android devices that don't get any update at all!" Yeah.. Exactly. :confused:

kalex
Jul 5, 2012, 02:26 PM
Kind of like the "myth" that Macs are safer from malware than Windows (the kind of "myth" that means "statistically accurate")?

There is this strange "a little bit of something is just as bad as a ton of something" non-logic I see a lot of lately. "iPhone 4 doesn't get Siri? Well i guess iOS is just as fragmented as Android devices that don't get any update at all!" Yeah.. Exactly. :confused:

It's all relative. How many Windows PCs exist now and how many Macs are out there? Even though they sell like hotcakes, Macs still have a lot lower market share, but if you notice, the amount of malware on Macs spiked up as their market share increased. All this malware is designed to make money, so they will target the market share where they can make the most. It's similar to what developers are doing now with iOS/Android vs. Windows Phone. Everybody develops for the main 2 because there is more money in it.

iSee
Jul 5, 2012, 02:29 PM
/Facepalm

----------



/DoubleFacePalm

I'm not sure what you mean unless your facepalms are directed at yourself.

The poster said hundreds or thousands and then provided a link that shows thousands is actually conservative. -- the article says 20,000 malware apps target Android today.

tigress666
Jul 5, 2012, 02:29 PM
In this case, that's a good idea. If all the app does is spam, spam, and spam, then kill it. Was this a free app? If not, they should take the money from the developer's account (if he has received it already) and return it to the people who downloaded this app.

Agreed. They should also revoke the developer's account to make apps for iOS. Shenanigans like that should be an instant we don't accept apps from you anymore thing.

marcusj0015
Jul 5, 2012, 02:31 PM
So wait, I thought Apple MADE iOS tell the user when the address book was being accessed, is this not the case?

Demigod Mac
Jul 5, 2012, 02:33 PM
This isn't some massive new exploit. This won't result in a huge flood of malware to iOS. This doesn't represent a "huge flaw" with the iOS platform. This won't even need to be patched.

To put it simply: a reviewer at Apple was a bit careless and approved an app that shouldn't have been. Human error.

When you consider:

1) the high chance your malicious app will be caught on the first review
2) the speed at which Apple can disable your app if you got lucky on step 1
3) the relatively insignificant number of jailbroken/vulnerable iOS users

... still makes iOS an unattractive, unprofitable target for malware authors. The guy who made this malicious app got extremely lucky, that's all.

Consultant
Jul 5, 2012, 02:35 PM
So wait, I thought Apple MADE iOS tell the user when the address book was being accessed, is this not the case?

There hasn't been a need until now.

Apple is adding it with iOS 6, and this shady company probably heard about it just now and figures he has a few months before iOS 6 is released.

blackcrayon
Jul 5, 2012, 02:37 PM
So wait, I thought Apple MADE iOS tell the user when the address book was being accessed, is this not the case?

I believe this will be a new feature in iOS 6.

Also, I wonder if any of these pieces of malware aren't going "bad" until some time after they are submitted. I wonder if the review team does any kind of date checking to see if behavior is different say a month in the future for example.

charlituna
Jul 5, 2012, 02:51 PM
The first question that pops up in my mind is: how did it get into the app store in the first place?

Contrary to popular belief, they don't have a warehouse of reviewers testing every app and going over every line of code. It's more like 50 folks, 100 tops, and easily 1000 submissions a day. Sometimes things get through. Especially if they don't accurately describe what the app does or the trick happens in the background.

----------

So wait, I thought Apple MADE iOS tell the user when the address book was being accessed, is this not the case?

That is in iOS 6.

samcraig
Jul 5, 2012, 03:02 PM
Actually, no.

http://news.cnet.com/8301-1009_3-57466474-83/security-firm-android-malware-pandemic-by-years-end/

Did you even read the link you posted? Something tells me you didn't. At all.

diamond.g
Jul 5, 2012, 03:15 PM
iOS 6, with its per-app address book permissions, can't get here fast enough.

That only helps if the app obviously doesn't need to access your contacts. So an app that is supposed to connect you with your friends (like this app supposedly did) could have a legit reason to access a user's contacts list.

kdarling
Jul 5, 2012, 03:18 PM
Contrary to popular belief, they don't have a warehouse of reviewers testing every app and going over every line of code. It's more like 50 folks, 100 tops, and easily 1000 submissions a day. Sometimes things get through. Especially if they don't accurately describe what the app does or the trick happens in the background.

This. It's impossible to check for everything.

Reviewers have very little time to check an app, so their focus is mostly on making sure it doesn't violate anyone's copyrights or stray too far in its UI style.

Without the app's source code, the reviewers cannot check what an app might do days or weeks or months after it's approved.

This is hardly the first iOS app to send contact info to its server without explicit user permission. Others, some famous, have done so, which is why the new warning is coming in iOS 6.

It seems highly likely that many other apps have also done this and sold the contact info to advertisers, without being so obvious.
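A reviewer-side version of what iSee and kdarling describe above (contact access and server traffic both look legitimate, and the harmful behaviour may not start until after approval), as an added example that is not from the article, Kaspersky Lab or any poster: contacts seeded on a test device are looked for in captured upload bodies in plain, hashed and base64 form, and the capture is repeated under a shifted clock. SEEDED_CONTACTS, ACTIVATION_DATE, app_upload and SAMPLE_BODIES are constructed stand-ins; a genuinely encrypted upload defeats this check, which is iSee's caveat.

```python
"""Reviewer-side check for address-book exfiltration (constructed example).

Contacts are seeded on the test device, every captured upload body is searched
for them in plain, hashed and base64 form, and the capture is repeated under a
shifted clock so an upload that only starts after approval is still observed.
"""
import base64
import hashlib
import json
import re
from datetime import date, timedelta

# Constructed contacts planted on the test device before the app is run.
SEEDED_CONTACTS = {
    "Alice Example": "+1-555-010-0001",
    "Bob Example": "+1-555-010-0002",
    "Carol Example": "+1-555-010-0003",
}

# Constructed: the article gives June 13 as the app's debut; the stand-in app
# below starts uploading a month later, the "goes bad later" case posters raise.
ACTIVATION_DATE = date(2012, 6, 13) + timedelta(days=30)


def digits(number: str) -> str:
    """Canonical form of a phone number: digits only."""
    return re.sub(r"\D", "", number)


def fingerprints(number: str) -> dict:
    """Byte patterns an uploader might send for one number. Hashing is not
    anonymisation: the reviewer hashes the seeded numbers the same way."""
    d = digits(number).encode()
    return {
        "plain": d,
        "md5": hashlib.md5(d).hexdigest().encode(),
        "sha1": hashlib.sha1(d).hexdigest().encode(),
        "sha256": hashlib.sha256(d).hexdigest().encode(),
    }


def views(body: bytes) -> dict:
    """The raw body plus a decoded view when the whole body is valid base64."""
    out = {"raw": body}
    try:
        out["base64"] = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    return out


def scan_body(body: bytes) -> list:
    """Return sorted (contact, encoding) pairs found in one captured body.
    A body under real encryption matches nothing: that is this check's limit."""
    hits = set()
    for view_name, data in views(body).items():
        for name, number in SEEDED_CONTACTS.items():
            for encoding, needle in fingerprints(number).items():
                if needle in data:
                    tag = encoding if view_name == "raw" else encoding + "/base64"
                    hits.add((name, tag))
    return sorted(hits)


# Constructed captured upload bodies for the stand-alone run.
SAMPLE_BODIES = {
    "plain json": b'{"numbers":["15550100001"]}',
    "sha1 hashed": json.dumps({"h": [hashlib.sha1(b"15550100003").hexdigest()]}).encode(),
    "base64 wrapped": base64.b64encode(b'{"numbers":["15550100002"]}'),
    "opaque (e.g. encrypted)": bytes(range(256)),
}


def app_upload(clock: date):
    """Constructed stand-in for the app under review: it sends nothing before
    ACTIVATION_DATE and posts the device's numbers as JSON afterwards."""
    if clock < ACTIVATION_DATE:
        return None
    numbers = [digits(n) for n in SEEDED_CONTACTS.values()]
    return json.dumps({"numbers": numbers}).encode()


def review_under_clocks(iso_dates) -> dict:
    """Capture the app's upload once per clock date (ISO strings) and scan it.
    A review run only on the submission date sees nothing from a time-gated app."""
    results = {}
    for iso in iso_dates:
        body = app_upload(date.fromisoformat(iso))
        results[iso] = scan_body(body) if body is not None else []
    return results


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label}: {scan_body(body) or 'nothing found'}")
    # Review on the submission day versus a clock shifted two months ahead.
    for when, found in review_under_clocks(["2012-06-13", "2012-08-13"]).items():
        print(when, "->", found or "no contacts observed in upload")
```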

rmwebs
Jul 5, 2012, 03:32 PM
It's really quite poor that Apple doesn't have checks in place to stop this. At least on Android you're notified exactly what areas of your phone the app has access to BEFORE it's installed. iOS 6 can't come soon enough it seems!

NAG
Jul 5, 2012, 03:44 PM
It's really quite poor that Apple doesn't have checks in place to stop this. At least on Android you're notified exactly what areas of your phone the app has access to BEFORE it's installed. iOS 6 can't come soon enough it seems!

By the looks of this app you should be aware that it is using your address book data. And while I do like how we're getting finer control over privacy with iOS 6, I hope they fix the popup notification spam (it might turn into something like the Vista UAC issue where people don't read it).

AaronEdwards
Jul 5, 2012, 03:50 PM
And this is the second major issue I have with the walled garden.
(The first one is not being able to install what I want.)

False security.

iOS users believe that because every app is checked by Apple and because apps only can be installed through the App Store, therefore all apps in the AppStore are safe to install, and so they install without thinking.

This will happen again.

And after iOS 6, they will write apps that have reasons to both read your address book and send information.
And users will grant the apps permission.
And the apps will continue to steal information.

kalex
Jul 5, 2012, 03:56 PM
I'm not sure what you mean unless your facepalms are directed at yourself.

The poster said hundreds or thousands and then provided a link that shows thousands is actually conservative. -- the article says 20,000 malware apps target Android today.

And everything you read on the internet is true :eek:

theinstructor
Jul 5, 2012, 03:58 PM
I understand your concerns but can you or anyone else enumerate which apps are stealing our information? I think this is a real problem and the only way I currently know of to combat this is to try identifying the developer and if it is Chinese or Russian...then no thanks. But that is hardly foolproof and is in itself foolish in some ways but I don't have a better solution yet. :eek:

And this is the second major issue I have with the walled garden.
(The first one is not being able to install what I want.)

False security.

iOS users believe that because every app is checked by Apple and because apps only can be installed through the App Store, therefore all apps in the AppStore are safe to install, and so they install without thinking.

This will happen again.

And after iOS 6, they will write apps that have reasons to both read your address book and send information.
And users will grant the apps permission.
And the apps will continue to steal information.

ericvmazzone
Jul 5, 2012, 04:13 PM
That only helps if the app obviously doesn't need to access your contacts. So an app that is supposed to connect you with your friends (like this app supposedly did) could have a legit reason to access a user's contacts list.


Quoted for Truth!

lilo777
Jul 5, 2012, 04:22 PM
This isn't some massive new exploit. This won't result in a huge flood of malware to iOS. This doesn't represent a "huge flaw" with the iOS platform. This won't even need to be patched.

To put it simply: a reviewer at Apple was a bit careless and approved an app that shouldn't have been. Human error.

When you consider:

1) the high chance your malicious app will be caught on the first review
2) the speed at which Apple can disable your app if you got lucky on step 1
3) the relatively insignificant number of jailbroken/vulnerable iOS users

... still makes iOS an unattractive, unprofitable target for malware authors. The guy who made this malicious app got extremely lucky, that's all.

It's not a human error. You are trying to ignore the fact that the reviewer simply cannot know what the app does. All he can do is check which APIs the app uses, but remember, those are all legal Apple APIs. Without the source code (which the reviewer does not have) there is no way to figure out what the app actually does with those APIs. Apple's system is way more wasteful than what Android has (a permission system) but does not provide any extra protection. In fact, Apple's system is worse than Android's. With Android, if you check the permissions requested by the app, you would never have a flashlight app performing tethering, as happened with the App Store a while back. How could the reviewer approve a flashlight app like that? Well, don't be too hard on him. Without a good permission system, it's not that easy to track API usage.

adder7712
Jul 5, 2012, 04:24 PM
Glad it was pulled. I do agree on a "kill switch" though.

Dr McKay
Jul 5, 2012, 04:35 PM
Odds are it didn't do any of this stuff while it was being tested. Once it got through the server was probably activated.

BaldiMac
Jul 5, 2012, 04:41 PM
iOS 6, with its per-app address book permissions, can't get here fast enough.

It's really quite poor that Apple doesn't have checks in place to stop this. At least on Android you're notified exactly what areas of your phone the app has access to BEFORE it's installed. iOS 6 can't come soon enough it seems!

Neither system would have helped in this case! Are you going to download this app and be suspicious that it wants access to your contacts? :)

samcraig
Jul 5, 2012, 04:52 PM
Neither system would have helped in this case! Are you going to download this app and be suspicious that it wants access to your contacts? :)

How do you know the OP was saying that it would have helped? All he said was that Android notifies you ahead of time what it's accessing. It's an accurate statement. And iOS 6, we already know, will do the same.

BaldiMac
Jul 5, 2012, 05:06 PM
How do you know the OP was saying that it would have helped? All he said was that Android notifies you ahead of time what it's accessing. It's an accurate statement. And iOS 6, we already know, will do the same.

I have no idea what you are getting at here. I didn't say either person was wrong. I simply said that those features wouldn't have helped. Which was also an accurate statement.

I find these kind of security notifications to be "security theater" akin to the TSA. :) Don't get me wrong, I'm all for access controls. I just don't think these kind of notifications have an impact on malware. If the app is malicious, it can simply claim features that justify the access.

Ding.Dong
Jul 5, 2012, 05:07 PM
Glad it was pulled. I do agree on a "kill switch" though.

I don't think using the "kill switch" would help anything. The contact info has already been uploaded. Killing the app on the phone won't make the data disappear on the spammer’s computer.

StickerBox
Jul 5, 2012, 05:22 PM
Anyone else think it's a bit suspicious that Kaspersky (a Russian company) a few weeks ago was like "iOS will soon get malware". Then they found this Russian app and are like "oh hey guise look what we found lol guess you gonna give us money now haha".

blow45
Jul 5, 2012, 05:36 PM
Another security fiasco for Apple. What's the $100 dev subscription going towards if they don't actually check the apps they put on the app store, or can't check them and be certain they do not pose a security threat?

And this is an app that apparently was downloaded enough to be noticed. Who knows if there are quite a few of such apps in the app store that have been silently stealing personal data from their users and have due to their very small installed base gone unnoticed so far?

And I am asking everyone: who has legal liability for this? If Apple vouch for the safety of the applications wrt private user data, aren't users who used this app justified in bringing a class action lawsuit against Apple? If they are not legally bound, then what's the point of the app store as a safeguard to begin with?

Apple are sitting on an obscene pile of cash that could buy a few countries around the planet; one would think they can afford to buy Kaspersky and a couple of other specialized software firms to address their growing security issues effectively.

Laird Knox
Jul 5, 2012, 05:39 PM
Mine is clearly not a very popular opinion. I know a lot of people have written about this elsewhere, and have generally been ridiculed for the notion that Apple will struggle without Steve's influence and drive.

I want to be proven wrong so badly. It's just I've seen big problems so many times, over and over again, when working with companies who lost their influential leaders and founders. It's usually a slow unravelling. But little clues like the topic of this thread will keep showing up with increased regularity as standards slide.

Let's both hope my opinion can continue to be easily dismissed as the work of a troll in a few years time. Nothing would make me happier. :)

Why is this a sign? Did The Steve decompile and study each app before it was approved?

While many companies do decline when they lose a key figure I do believe Apple is in better shape than most. They put a lot of effort into structuring things to make many of Apple's unique traits self sustaining. I agree there will be some short term impact but it is far too early to see the long term.

Seriously though, Steve would have had no impact on this event.

sweetbrat
Jul 5, 2012, 05:40 PM
Did you even read the link you posted. Something tells me you didn't. At all.

No, of course not. I just like to do random Google searches and hope that the results support what I was saying. :rolleyes:

Bubba Satori
Jul 5, 2012, 05:42 PM
This would never have happened if Steve Jobs was still with us. :eek:

Seriously, it's time to let go.

MacDav
Jul 5, 2012, 05:47 PM
Those damn spam bugs! :rolleyes:

It's not a bug, it's a feature. :p

AaronEdwards
Jul 5, 2012, 05:50 PM
I have no idea what you are getting at here. I didn't say either person was wrong. I simply said that those features wouldn't have helped. Which was also an accurate statement.

I find these kind of security notifications to be "security theater" akin to the TSA. :) Don't get me wrong, I'm all for access controls. I just don't think these kind of notifications have an impact on malware. If the app is malicious, it can simply claim features that justify the access.

Which is why Apple should start educating their customers about security.

Make users aware that just because Apple have created a walled garden for their iOS apps it doesn't mean that everything you download and install is safe and not malicious.

Educate users to think before installing.
Educate users to think before allowing an app to access information or send information.

But that would mean a big break with how iOS is promoted today.
So I'm guessing it won't happen.

Edit: Actually this would "security theater" akin to the TSA if apps would be able to circumvent it. Malicious apps are able to circumvent the control process, I have yet to read anything saying that apps can circumvent not being allowed to read or send information.



----------

If they are not legally bound then what's the point of the app store as a safeguard to begin with?


30%

MacDav
Jul 5, 2012, 05:52 PM
This would never have happened if Steve Jobs was still with us. :eek:

Yeah!, This would never happen if Steve.........wait...Never mind.

blow45
Jul 5, 2012, 06:14 PM
I have no idea what you are getting at here. I didn't say either person was wrong. I simply said that those features wouldn't have helped. Which was also an accurate statement.

I find these kind of security notifications to be "security theater" akin to the TSA. :) Don't get me wrong, I'm all for access controls. I just don't think these kind of notifications have an impact on malware. If the app is malicious, it can simply claim features that justify the access.

Once again in your apple apologism you are both misconstruing what others are saying as well as making a seemingly plausible argument but one which is downright false. It's really hard to read your posts when you are perpetually trying to distort reality the way it suits you.

With permissions malicious apps cannot claim they are doing X while doing Y in their description because you are notified in advance. That in itself is a very good security measure. Because it's much harder to write a malicious app that justifies in a convincing way to the user its accessing their address book than it is to write one that doesn't have to present a seemingly legitimate function, but can access it regardless... If you don't have this system that android uses and soon ios will copy, sorry, put in place, it's much easier to write malware for the platform. It's mind-boggling how you argue that a system that ensures some safety by demanding that anyone who wants to write malicious apps provides at least a seemingly legitimate function for the app is no better than a system where apps don't even have to inform the user before their installation of what they are going to be accessing.

But sure, it's a system apple doesn't have in place, so... "it makes no difference", if apple already had the system in place it would be "a good security insurance policy that might not be 100% effective but it's still a step in the right direction"...:rolleyes: . Seriously man if you don't own large quantities of apple stock (bought in the $600s ;) ), and I mean vast quantities and you are doing this just for a hobby...well...

samcraig
Jul 5, 2012, 06:18 PM
No, of course not. I just like to do random Google searches and hope that the results support what I was saying. :rolleyes:

Well they didn't really support your statements. Not with facts anyway. Predictions aren't facts. But your sarcasm was noted. And about as effective as your link.

coolfactor
Jul 5, 2012, 06:23 PM
This would never have happened if Steve Jobs was still with us. :eek:

Maybe I'm misunderstanding here, but I tend to agree with you. Why are people down-voting your comment? Steve Jobs set an extremely high bar for Apple, which is part of what made him unique and what turned Apple into a great(er) company. If Tim can maintain that high bar, awesome, but it's a big challenge.

BaldiMac
Jul 5, 2012, 06:26 PM
Which is why Apple should start educating their customers about security.

Make users aware that just because Apple have created a walled garden for their iOS apps it doesn't mean that everything you download and install is safe and not malicious.

Educate users to think before installing.
Educate users to think before allowing an app to access information or send information.

But that would mean a big break with how iOS is promoted today.
So I'm guessing it won't happen.

I agree.

Edit: Actually this would "security theater" akin to the TSA if apps would be able to circumvent it. Malicious apps are able to circumvent the control process, I have yet to read anything saying that apps can circumvent not being allowed to read or send information.

I think you left out a few words there, but I think I get your point. :)

I disagree that these controls cannot be circumvented. As I said, the straightforward way to get around them is to create an app that appears to or actually justifies the access request.

AaronEdwards
Jul 5, 2012, 06:39 PM
I disagree that these controls cannot be circumvented. As I said, the straightforward way to get around them is to create an app that appears to or actually justifies the access request.


Yeah.

And after iOS 6, they will write apps that have reasons to both read your address book and send information.
And users will grant the apps permission.
And the apps will continue to steal information.

But that's not the apps being able to circumvent the security features directly. If the user blocks app Y from doing X and it still can do X then that's circumventing those features.

This would be different, since it is instead using the fact that Apple users are uninformed about how well the walled garden is shielding them from malware.

BaldiMac
Jul 5, 2012, 07:04 PM
But that's not the apps being able to circumvent the security features directly. If the user blocks app Y from doing X and it still can do X then that's circumventing those features.

This would be different, since it is instead using the fact that Apple users are uninformed about how well the walled garden is shielding them from malware.

Sure, like I said, I'm all for access controls. They work. But malicious apps can easily get the user to bypass them. Security is about trusting the developer. Or not. Plain and simple.

sweetbrat
Jul 5, 2012, 07:16 PM
Well they didn't really support your statements. Not with facts anyway. Predictions aren't facts. But your sarcasm was noted. An about as effective as your link.

Did you read the link? Part of it was about predicting how bad the problem will be in the future. At the very beginning, though, there was this little part...

"The security firm said at the start of the year, it had found more than 5,000 malicious applications designed to target Google's Android mobile operating system, but the figure has since risen to about 20,000 in recent months."

That's not a prediction. It's an observation they made. So yes, it did support my argument. And your silly question deserved a sarcastic response.

samcraig
Jul 5, 2012, 07:18 PM
Did you read the link? Part of it was about predicting how bad the problem will be in the future. At the very beginning, though, there was this little part...

"The security firm said at the start of the year, it had found more than 5,000 malicious applications designed to target Google's Android mobile operating system, but the figure has since risen to about 20,000 in recent months."

That's not a prediction. It's an observation they made. So yes, it did support my argument. And your silly question deserved a sarcastic response.

They don't list or even define malicious though do they? What was malicious? Was it stealing info and uploading it? Was it spyware? What was it?

So personally - I take their "report" with a grain of salt.

AaronEdwards
Jul 5, 2012, 07:20 PM
Sure, like I said, I'm all for access controls. They work. But malicious apps can easily get the user to bypass them. Security is about trusting the developer. Or not. Plain and simple.

Easily because:
1. The checks before an app is allowed into the AppStore aren't working 100%, thus false security.
2. A lot of Apple users are uniformed

While it is very hard to circumvent the security systems of a bank and steal money, it is a lot easier to contact a customer of the bank and by lying get him to give the information needed to steal his money from the bank.
Which is why the banks tell people not to give up their information willy nilly.

sweetbrat
Jul 5, 2012, 07:42 PM
They don't list or even define malicious though do they? What was malicious? Was it stealing info and uploading it? Was it spyware? What was it?

So personally - I take their "report" with a grain of salt.

I'm glad to see that we both agree that this article DOES support my argument. Whether or not you agree with the article is a completely different subject, and really wasn't what we were talking about. You accused me of using hyperbole; I posted an article supporting my information. You asked me if I had even read the linked story, basically saying that I posted something that didn't support my point. It clearly does.

I never meant for this to become an argument about how prevalent malware is on Android, and I'm not really trying to rip on Android at all. My original response was to someone who said there goes the myth about iOS being safer than Android. iOS is safer than Android when it comes to the amount of malware available. This isn't one of those "sky is falling" moments for iOS. It's one app.

blow45
Jul 5, 2012, 07:47 PM
How come apple doesn't have a system in place where a few people from the company actually install the apps, run them a few times on actual ios devices with some monitoring custom software of what was accessed from the private data of the device and when, which is a tangible way to catch malware in action?

I am sure that would warrant a $100 dev. fee and a 30% cut. At the end of the day it's the devs apps that help them sell i-devices like crazy. But if their mentality is the same as it was for selling books, that is we push them to users on our devices and we get a 30% cut (and "the customer pays a little more but that's what you want anyway"...we all know the story), oh and in addition for apps we batch run some testing/reviewing software and then push the apps in the app store, maybe they don't really think they need to do anything to merit that cut and the dev. fee.

Which btw the dev's fee should have been on a per sales basis, I don't see why someone making $0 off the app store should be paying apple a devs. fee. I am sure some will argue it's for apple creating and maintaining the APIs but they are doing this so they can sell more idevices, they shouldn't be looking for the devs themselves to be funding the creation of apple's tools. Unless they want to give devs a cut off of ipod, ipad, and iphone sales, which would be only fair if you think about it, because these devices sell by virtue of the apps they have in the store, not because of anything so inherently special about them.

BaldiMac
Jul 5, 2012, 07:48 PM
Easily because:
1. The checks before an app is allowed into the AppStore aren't working 100%, thus false security.
2. A lot of Apple users are uniformed

While it is very hard to circumvent the security systems of a bank and steal money, it is a lot easier to contact a customer of the bank and by lying get him to give the information needed to steal his money from the bank.
Which is why the banks tell people not to give up their information willy nilly.

I agree with you, but I'm not sure what you are responding to.

AidenShaw
Jul 5, 2012, 07:49 PM
Easily because:
1. The checks before an app is allowed into the AppStore aren't working 100%, thus false security.
2. A lot of Apple users are uniformed.

Like the "false security" of a spell-checker? ;)

BaldiMac
Jul 5, 2012, 07:55 PM
How come apple doesn't have a system in place where a few people from the company actually install the apps, run them a few times on actual ios devices with some monitoring custom software of what was accessed from the private data of the device and when, which is a tangible way to catch malware in action?

What makes you think they don't? How would that help in this situation? It's not a red flag that a contact app such as "Find and Call" needs access to contacts.

blow45
Jul 5, 2012, 08:05 PM
Like the "false security" of a spell-checker? ;)

un-i-formed ;) Which I guess is a good way to be, it's when you get too i-formed and enter that reality distortion field that trouble begins.

----------

What makes you think they don't? How would that help in this situation? It's not a red flag that a contact app such as "Find and Call" needs access to contacts.

How that would help?

Surely if they had one guy for the whole of the russian market (which they probably could afford seeing as russia has a population of about 140 million) actually installing and running the apps that came up on the store, with a custom monitoring tool on their i-device they would have noticed in time the data being sent to someone's servers...

Apparently it's so much a red flag btw, that apple didn't notice, and you expect the average user to do so?

To me this is a huge security breach and apple is solely responsible for it. When you can have 1-2 people actually installing and running apps that are very obviously big red flags as you say, AFTER they have been approved you will be able to protect your users. How much would it have cost them to do so? In russian salaries what about 30,000 per annum, not for 2, but 5 people doing this. What's that compared to the money they make off the i-devices as well as the money they have in the bank, pretty close to what one would call a drop in the ocean.

In my mind the proper system should be approve the app, put it in the app, have a few of your own employees actually download a subset of apps that looks much less benign than the rest and tick a few boxes, and run them first to see if the devs will be playing any tricks so you can be at the forefront of protecting your customers before they start downloading said app themselves.

Apple can thank me later btw for finding common sense solutions to their problems, :D.

BaldiMac
Jul 5, 2012, 08:10 PM
How that would help?

Surely if they had one guy for the whole of the russian market (which they probably could afford seeing as russia has a population of about 140 million) actually installing and running the apps that came up on the store, with a custom monitoring tool on their i-device they would have noticed in time the data being sent to someone's servers...

Apparently it's so much a red flag btw, that apple didn't notice, and you expect the average user to do so?

To me this is a huge security breach and apple is solely responsible for it. When you can have 1-2 people actually installing and running apps that are very obviously big red flags as you say, AFTER they have been approved you will be able to protect your users. How much would it have cost them to do so? In russian salaries what about 30,000 per annum, not for 2, but 5 people doing this. What's that compared to the money they make off the i-devices as well as the money they have in the bank, pretty close to what one would call a drop in the ocean.

All the malware developer would have to do is encrypt the data stream. I don't know if that happened in this case or not.
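
The post-approval monitoring blow45 proposes a few posts up, and BaldiMac's objection that an encrypted stream defeats it, can both be shown with a small triage script. This is an added example, not code from the thread or from Apple's review process: it runs over constructed request records (hypothetical app names, hosts and phone numbers) of the kind a proxy or instrumented device would log, flags a plaintext upload that carries a whole address book, and shows what is left to go on once the body is opaque.

```python
import json
import re

# Anything that looks like an international phone number: optional "+", 10-15 digits.
PHONE_RE = re.compile(r"\+?\d{10,15}")

# Constructed sample records, one per outbound HTTP request seen from an app
# under test. App names, hosts and numbers are hypothetical, not from the report.
CAPTURED_REQUESTS = [
    # Plaintext POST carrying the owner's number plus twelve contacts.
    {"app": "contacts-app-under-test", "host": "api.example-invite.test", "tls": False,
     "body": json.dumps({"owner": "+79161234567",
                         "contacts": ["+7916%07d" % i for i in range(1, 13)]})},
    # Benign plaintext request from a different app.
    {"app": "weather-app-under-test", "host": "weather.example.test", "tls": False,
     "body": "lat=55.75&lon=37.61"},
    # Same contacts app, but the upload is TLS: an on-path monitor only sees size and host.
    {"app": "contacts-app-under-test", "host": "api.example-invite.test", "tls": True,
     "body": None, "body_len": 4096},
]


def phone_numbers_in(body):
    """Distinct phone-number-shaped tokens in a plaintext request body."""
    return set(PHONE_RE.findall(body)) if body else set()


def classify(req, min_numbers=10, opaque_min_bytes=2048):
    """Return (verdict, reason) for one captured request.

    Plaintext bodies are inspected for bulk phone numbers; encrypted bodies can
    only be judged by destination and size, which is the gap BaldiMac points at.
    """
    host = req["host"]
    if not req["tls"]:
        numbers = phone_numbers_in(req["body"])
        if len(numbers) >= min_numbers:
            return "exfil", f"{len(numbers)} distinct phone numbers sent in clear to {host}"
        return "ok", f"plaintext body to {host} carries {len(numbers)} phone numbers"
    size = req.get("body_len", 0)
    if size >= opaque_min_bytes:
        return "suspect", f"{size}-byte encrypted upload to {host}; content not inspectable"
    return "opaque", f"small encrypted request to {host}; nothing to inspect"


def summarize(requests):
    """Group verdicts per app so a reviewer sees each app's outbound behaviour together."""
    report = {}
    for req in requests:
        verdict, reason = classify(req)
        report.setdefault(req["app"], []).append((req["host"], verdict, reason))
    return report


if __name__ == "__main__":
    for app, findings in summarize(CAPTURED_REQUESTS).items():
        print(app)
        for host, verdict, reason in findings:
            print(f"  [{verdict}] {reason}")
```

The "suspect" branch is deliberately weak: once the body is encrypted, a network-side monitor is reduced to guessing from volume and destination. The way round that on a device you control is to hook the address-book read and the socket write inside the app process and correlate the two, which sees the data before it is encrypted; that is a different tool from the one sketched here.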

cgk.emu
Jul 5, 2012, 08:16 PM
Yeah. Although Apple never used the kill switch before, this would be a good case for it.



The developer probably wasn't spamming its users until it was approved.

Oh, how users here freaked out pretty hardcore when the "kill switch" was first mentioned. Well, now do we see its usefulness? I think so.

blow45
Jul 5, 2012, 08:17 PM
All the malware developer would have to do is encrypt the data stream. I don't know if that happened in this case or not.

You know what, I am sure seeing as life is very ironic indeed, that the developer probably didn't encrypt the data stream in this case.

In any case how come kaspersky spotted it and not apple? You would think apple has enough money if they are really serious about their customer's data safety to buy kaspersky, and every kaspersky on the globe, and any potential kaspersky on our solar system.

BaldiMac
Jul 5, 2012, 08:54 PM
You know what, I am sure seeing as life is very ironic indeed, that the developer probably didn't encrypt the data stream in this case.

I would be surprised if you didn't assume that. :)

In any case how come kaspersky spotted it and not apple?

Maybe Kaspersky has a larger database than Apple of malicious Russian servers?

blow45
Jul 5, 2012, 09:10 PM
I would be surprised if you didn't assume that. :)



Maybe Kaspersky has a larger database than Apple of malicious Russian servers?

I am not assuming this because it serves my argument, I am assuming this because I have a good intuition that ironically in crime (in the broadest of senses) it's offenders that could have easily been spotted due to some lack of sophistication that go unnoticed. It would be interesting to find out if it did use some encryption or not to see if my hunch is correct.

I am sure they do. Wasn't apple in talks with them over os x security btw a few weeks ago? Surely you will agree here that it's the least they can do to buy a firm like kaspersky at apple. No matter who apple likes to point the finger at whenever a security breach is revealed (and it's habitually not to themselves) I think the wealthiest tech company in the world can very well afford to purchase a specialized security firm after a year where malware crops up in the app store and the flashback fiasco that cost, what, 400,000 of their customers at least access to their private data? Apple should have certainly been more pro-active and seen this coming. It would certainly be a wiser investment than paying 50 mil to the dixons guy to run the stores on autopilot.

DanteMann
Jul 5, 2012, 10:18 PM
The increase in attacks on iOS and OSX is only a sign of more to come. And Apple's bragging in its marketing about how safe they are doesn't help. Now even Apple are forced to change their tune on how it markets itself. :rolleyes:

SchneiderMan
Jul 5, 2012, 10:33 PM
^old news bro..

They should also sue them.

cgk.emu
Jul 5, 2012, 10:40 PM
The increase in attacks on iOS and OSX is only a sign of more to come. And Apple's bragging in its marketing about how safe they are doesn't help. Now even Apple are forced to change their tune on how it markets itself. :rolleyes:

Take a closer look. It CLEARLY states it "doesn't get PC viruses". PC in this case = Windows PC, so it was technically correct.

somethingelsefl
Jul 5, 2012, 10:41 PM
Apple needs to continue to pick out the "weeds" from its "walled garden" or it risks losing one of the most appealing aspects of iOS over Android. I'm glad they caught it relatively quick though.

blow45
Jul 5, 2012, 10:52 PM
Apple needs to continue to pick out the "weeds" from its "walled garden" or it risks losing one of the most appealing aspects of iOS over Android. I'm glad they caught it relatively quick though.

they didn't kaspersky did. :)

Timzer
Jul 5, 2012, 10:56 PM
Take a closer look. It CLEARLY states it "doesn't get PC viruses". PC in this case = Windows PC, so it was technically correct.

Technically correct? Nope. PC= Personal Computer. The average person thinks that a PC is a Personal Computer. Macs? Yes they are personal computers. Hence the description was very misleading, which would clearly be a massive legal headache. It was misleading and Apple knew it Big Time. Hence the change. :rolleyes:

alexN350z
Jul 5, 2012, 11:10 PM
Got some russian spamming to my email address and website everyday, now I know where they come from.

flameproof
Jul 5, 2012, 11:39 PM
Take a closer look. It CLEARLY states it "doesn't get PC viruses". PC in this case = Windows PC, so it was technically correct.

And my Windows Xp is also 100% iOS malware free!

unicorn025
Jul 6, 2012, 12:04 AM
Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

That was quick! Security researchers at Microsoft and Sophos say they may have spoken a bit too soon about Android phones hosting a BotNet and spamming through Yahoo mail servers. Terry Zink, one of the discoverers of the issue, said the following on his MSDN security blog

http://blogs.msdn.com/b/tzink/archive/2012/07/05/a-bit-more-on-that-spam-from-an-android-botnet.aspx
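
The point in the quoted follow-up, that a Message-ID and a "sent from" footer are written by whatever submits the message and so prove nothing about the device, is easy to check with Python's standard `email` module. This is an added example, not code from the thread or from the linked blog: it parses a constructed message (hypothetical hosts and addresses; the `androidMobile` Message-ID token and the footer text are assumptions standing in for whatever marker the researchers relied on), separates the sender-controlled fields from the `Received` hops that receiving servers stamp on, and rewrites a plain message so that it carries the same Android-looking markers while the submission hop stays unchanged.

```python
import email
from email import policy

# Assumed markers (hypothetical, not taken from the linked post).
ANDROID_MSGID_MARKER = "androidMobile"
ANDROID_FOOTER = "Yahoo Mail for Android"

# Constructed message as a receiving MTA would store it: newest Received header
# on top, the hop nearest the sender last. Hosts and addresses are hypothetical.
RAW_SAMPLE = b"""Received: from mx.example-mail.test ([192.0.2.10])
\tby inbound.example-receiver.test with ESMTP; Thu, 05 Jul 2012 10:00:05 +0000
Received: from [203.0.113.7] by web.example-mail.test via HTTP;
\tThu, 05 Jul 2012 10:00:01 +0000
Message-ID: <1341482401.55.androidMobile@web.example-mail.test>
From: sender@example-mail.test
To: victim@example-receiver.test
Subject: hello
Content-Type: text/plain; charset=utf-8

Buy this thing.

Sent from Yahoo Mail for Android
"""

# Constructed plain message with no Android-looking markers at all.
RAW_PLAIN = b"""Received: from [198.51.100.9] by web.example-mail.test via HTTP;
\tThu, 05 Jul 2012 10:00:01 +0000
Message-ID: <1341482401.99@web.example-mail.test>
From: sender@example-mail.test
To: victim@example-receiver.test
Subject: hello
Content-Type: text/plain; charset=utf-8

Buy this thing.
"""


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def client_asserted(msg):
    """Fields the submitting client wrote itself; any client, a PC bot included, can set them."""
    msgid = msg.get("Message-ID", "") or ""
    text = msg.get_content() if not msg.is_multipart() else ""
    return {
        "message_id": str(msgid),
        "msgid_says_android": ANDROID_MSGID_MARKER in msgid,
        "footer_says_android": ANDROID_FOOTER in text,
    }


def server_asserted(msg):
    """Received headers oldest hop first; each was added by the server after 'by', not by the sender."""
    return list(reversed(msg.get_all("Received") or []))


def submission_hop(msg):
    """The receiving service's own record of who connected to it and how (HTTP webmail, SMTP, ...)."""
    hops = server_asserted(msg)
    return str(hops[0]) if hops else ""


def forge_android_markers(raw):
    """Give a plain message the Android-looking Message-ID and footer without touching any Received hop."""
    msg = parse(raw)
    del msg["Message-ID"]
    msg["Message-ID"] = f"<1341482401.0.{ANDROID_MSGID_MARKER}@web.example-mail.test>"
    msg.set_content(msg.get_content() + "\nSent from " + ANDROID_FOOTER + "\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", RAW_SAMPLE), ("forged", forge_android_markers(RAW_PLAIN))):
        m = parse(raw)
        print(label, client_asserted(m))
        print("  submission hop:", submission_hop(m))
```

Both the genuine-looking sample and the forged copy come back with `msgid_says_android` and `footer_says_android` true, so those fields cannot distinguish a phone from a bot driving a webmail session. The only part the submitter cannot rewrite is the `Received` line the webmail or SMTP front end added when it accepted the message, and even that names the connecting address and protocol rather than the kind of device behind it.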

HelveticaRoman
Jul 6, 2012, 01:22 AM
Don't online store owners have a duty of care to their customers the same way a retailer has in a bricks-and-mortar store?

betatest
Jul 6, 2012, 03:27 AM
All thanks to Kaspersky! Must give credit to Kaspersky Labs for finding the malware.

So don't download blindly from the Apple Apps Store, and don't assume that the Apple Apps Store is a safe haven for downloads.

Always check the developer, company that sell this software. Apple could not have done it without the findings from Kaspersky.

There's more malware to come.

mentaluproar
Jul 6, 2012, 03:30 AM
This isn't some massive new exploit. This won't result in a huge flood of malware to iOS. This doesn't represent a "huge flaw" with the iOS platform. This won't even need to be patched.

To put it simply: a reviewer at Apple was a bit careless and approved an app that shouldn't have been. Human error.

When you consider:

1) the high chance your malicious app will be caught on the first review
2) the speed at which Apple can disable your app if you got lucky on step 1
3) the relatively insignificant number of jailbroken/vulnerable iOS users

... still makes iOS an unattractive, unprofitable target for malware authors. The guy who made this malicious app got extremely lucky, that's all.

This post makes me wonder if we will ever see malware for iOS that disables system updates and the kill switch, like AVkiller.

trevorde
Jul 6, 2012, 07:29 AM
The first question that pops up in my mind is; how it got into the app store in the first place.

The review process is just a cursory run through the app, mainly to make sure it doesn't immediately crash, i.e. if it starts, it passes.

BaldiMac
Jul 6, 2012, 07:40 AM
The review process is just a cursory run through the app, mainly to make sure it doesn't immediately crash, i.e. if it starts, it passes.

Please don't spread misinformation.

samcraig
Jul 6, 2012, 07:54 AM
Please don't spread misinformation.

Just imagine what kind of place this would be if people stopped spreading misinformation!

kdarling
Jul 6, 2012, 08:08 AM
Weird article in Business Insider the other day about the App Store reviewers, from a former Apple engineer:

http://www.businessinsider.com/heres-why-it-really-sucks-to-be-an-app-reviewer-for-apple-2012-7#ixzz1zaB9ki4H?tw_p=twt

BaldiMac
Jul 6, 2012, 08:09 AM
just imagine what kind of place this would be if people stopped spreading misinformation!

:)

Z400Racer37
Jul 6, 2012, 08:10 AM
I hope apple uses its "kill switch" to delete this app from those phones that have already downloaded the app.

can they actually forcibly retroactively remove apps that have already been downloaded? that would be... good in this case obviously, but it seems as though if someone downloads something (however harmful to the user/device) that it belongs to the user? hope they at least put up a prompt to remove it for the people that did download it...

Casiotone
Jul 6, 2012, 08:10 AM
BTW the killswitch list is still empty: https://iphone-services.apple.com/clbl/unauthorizedApps

Mad-B-One
Jul 6, 2012, 08:36 AM
Technically correct? Nope. PC= Personal Computer. The average person thinks that a PC is a Personal Computer. Macs? Yes they are personal computers. Hence the description was very misleading, which would clearly be a massive legal headache. It was misleading and Apple knew it Big Time. Hence the change. :rolleyes:

Yea, except that Windows runs on Macs. In this case, the iMac or any other Mac is as vulnerable as any other PC.

Sackvillenb
Jul 6, 2012, 09:44 AM
There's a first for everything. Hopefully this will remain a rare (or isolated) issue...

vsighi
Jul 6, 2012, 07:01 PM
...ha ha this is why I don't buy or download anything made by rUSSIANs.:D

makitango
Jul 7, 2012, 06:43 AM
Even if I like using iDevices, iOS pretty much became more and more insecure. And this is by far not the only app... the recent Strikefleet game uses your geo data without even asking or showing up in the Geo settings tab, just by circumventing the system via geo ads (just check the notification screen or quit the app and check the geo icon). Ugly as it can get. Plus the battery drain... this game gets as hot as it can get, even on an iPhone 4S -.-

cgk.emu
Jul 9, 2012, 08:46 PM
Technically correct? Nope. PC= Personal Computer. The average person thinks that a PC is a Personal Computer. Macs? Yes they are personal computers. Hence the description was very misleading, which would clearly be a massive legal headache. It was misleading and Apple knew it Big Time. Hence the change. :rolleyes:

Okay. :rolleyes:

beenmachacked
Oct 10, 2012, 11:01 PM
betatest, is there a way you can contact me regarding a closed thread you posted re: remote admin log in? I've experienced the same. Is there a PM option on this site?

steviewhy
Oct 11, 2012, 01:39 AM
betatest, is there a way you can contact me regarding a closed thread you posted re: remote admin log in? I've experienced the same. Is there a PM option on this site?

Yes there is a PM system here. Click on betatest's username which will take you to his profile and then click on send message or click this:

http://forums.macrumors.com/private.php?do=newpm&u=698279

kdarling
Oct 11, 2012, 06:45 AM
The first question that pops up in my mind is; how it got into the app store in the first place.

This isn't the first time. They're just saying that this is the first time they noticed such an app using it to send fake texts.

Probably thousands of apps access the Contact list for no good reason, and quite a few send it back to some server around the world, where it's no doubt sold to email spammers.

This is why Apple belatedly added a bit of Contact list permission checking, which as on Android, requires the user to exercise a bit of their brain. I.e. don't install a tip calculator that needs access to your contacts!

One of the biggest myths around is the belief that Apple somehow can magically determine, without reading the source code, what an app might do... especially if it waits to do it after it's been in the store a while.