Analysis: iPhone malware evolution on overdrive

 

Massive mobile phone virus in 2010?


In the space of a month, jailbroken iPhones have been attacked twice.

The first attack, at the start of the month, was a rickrolling worm designed to annoy users. The second outbreak, which occurred over the weekend, was designed to create an iPhone botnet and steal both personal information and cash from the victims.

This evolution of malware - from being a mere vandal to a thief - took years in the desktop world, but just one step with jailbroken iPhones.

For now, the malware has only affected jailbroken iPhones where the owner did not change the default password.

However, Gartner's UK-based mobile and wireless analyst Nick Jones believes Apple's own App Store will be the eventual source of malware for 'legal', un-jailbroken iPhones.

Since the launch of the App Store in July 2008, more than 100,000 applications have been approved, which has resulted in over a billion downloads.

This huge uptake means Apple isn't capable of inspecting all the functions of every application it approves for the store, said Jones, who was in Sydney last week for Gartner's ITxpo.

"If you look at the whole App Store model, there is no way that Apple can afford to inspect the code of every application that goes onto the App Store. They do some lightweight inspection and testing, it goes up on the app store and there is not a lot to stop it doing something malicious.

"What is effectively an uncontrolled wild west frontier store isn't going to be the place you get secure things," said Jones.

Another factor in the iPhone's vulnerability, according to Jones, is the lack of control most enterprises have over the actual devices, because they are usually purchased by the employee.

"The number of iPhones in the enterprise that are well managed - locked down and controlled so the enterprise decides what applications go onto it - is very small," he added.

In 2005, Gartner analysts predicted a major phone virus would spread once two criteria were met: first, smartphones capable of being infected by malware would make up around a third of the market; second, those phones would regularly exchange executable files. At the time, they expected this to occur in early 2008.

"By year-end 2007, large-scale user-to-user sending of more-complex executables will be commonplace. Once smartphones account for 30 percent of all wireless telephones in use -- likely no sooner than the end of 2007 -- rapidly spreading attacks will be much more likely," said Gartner analysts Pescatore and Girard.

Perhaps Gartner's initial prediction wasn't incorrect; it was simply a couple of years premature.

What do you think? Should jailbroken iPhones be banned from the enterprise? How worried are you about iPhone or Apple security? Do you trust the App Store? Please let us know in the talkback below.

Comments: 6
nate.cochrane
Nov 23, 2009 4:57 PM
Any sensible organisation will dictate a standard operating environment with blessed apps on a tested and hardened operating system (as far as that's possible).
The same should apply to the iPhone. That means IT departments should subject not just jailbroken iPhones to scrutiny but unmodified iPhones that run any app outside those that come standard with the device.
The concern is Apple can't properly vet every iPhone app that goes through the app store and that some apps may already be wolves in sheep's clothing.
mkotadia
Nov 23, 2009 6:03 PM
Sophos has discovered the virus changes the iPhone's root password to 'ohshit'. So if you have been infected, break back in and regain control of your phone.

Please let us know if it works.


FYI: Info from a Sophos Press release:

Paul Ducklin, Head of Technology, Asia Pacific at Sophos in Sydney, has recovered the password and offers this advice: "If you're infected with this new iPhone virus, you really ought to say 'Duh', since you could so easily have prevented it by changing your password. You may also think 'ohshit' -- and if you do, the virus writers are having the last laugh, because that's the new root password."

So, if you have a jailbroken iPhone and you are able to login as root with the 'ohshit' password, you are almost certainly infected. Seek help from an iPhone geek or a malware expert at once!

http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/
Cadam
Nov 24, 2009 4:12 AM
There is a kill switch embedded in the OS of the iPhone to kill any malware, so is this analyst ignorant or just spreading FUD? I believe it is both, so can this ignorant analyst be trusted? The answer is a big no.
Daveh
Nov 24, 2009 9:52 AM
I love Cadam's use of FUD to decry someone who is simply pointing out the obvious.

The kill switch is an 'after the horse has bolted' fix. The fact that a kill switch controlled by Apple says something. They are not confident in their own scanning of Apps!

That is not to say that this isn't a noble and useful method, but what is to stop the Kill Switch being disabled? As most jailbroken phones have the ability to disable the kill switch what would stop someone making an appstore app that could do the same? Or making an appstore app that connects to the outside world for instructions to do the same?

All I can think of is this: "The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at and repair." - Douglas Adams
mebored81
Nov 24, 2009 10:39 AM
This article is simple scaremongering. Apple has complete control over every app on the app store and can at any moment remove them both from the app store and the phones themselves. The current iPhone viruses have nothing in common with apps from the app store. That's why the majority of people have not jail broken their phones.
mkotadia
Nov 24, 2009 4:03 PM
@mebored81 good point, Apple can remove an app from the store at a moment's notice. However, that would most likely be too late if malware was introduced.

For example, look at this story: http://www.joystiq.com/2009/11/10/iphone-commodore-64-emulator-back-on-the-app-store/ It is about a Commodore 64 emulator app that was NOT supposed to have a full BASIC emulator included. The developers secretly included a full BASIC emulator anyway and Apple approved the app but once Apple realised it had been duped, it pulled the app - but not before it had been downloaded numerous times.