- Golduck malware apps that plagued Apple’s App Store had enough time for 1 million downloads.
- Researchers at Wandera discovered the apps are communicating sensitive information to a well-known malicious server.
- Users are urged to thoroughly check what they are using on their phones, as no filtering process can be trusted unconditionally.
Although Apple is renowned for filtering malicious apps out of its App Store, a recent discovery by mobile security research firm Wandera has revealed 14 ad-ridden “retro gaming” applications that communicate with the Golduck malware server. This threat first appeared in the less secure Google Play Store, so the particular server has been well known to security experts for over a year now.
The apps are: Commando Metal: Classic Contra, Super Pentron Adventure: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll Game, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It On: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick – Retro Block, The Climber Brick, and Chicken Shoot Galaxy Invaders. These apps aggressively push ads through a small ad box that is easy to click by mistake, so the primary goal right now is to make money. However, based on the researchers’ findings and a TechCrunch testing report, the apps are also sending user information to the Golduck server, including the device type, app version, number of ads served, IP address of the device, and in some cases even location data.
While the 14 apps do not contain any malicious code at this time, the communication with Golduck makes the situation risky, as a hacker could decide to push malicious commands at any time. One of the typical paths taken in such scenarios is to trick users into granting the app the permissions required to install malware from channels other than the App Store. According to Sensor Tower estimates, the 14 apps have collectively been downloaded about 1 million times, so the hackers could be waiting until the infected base becomes large enough to launch an attack with maximum effectiveness.
Apple has not issued an official statement or a warning to users, as this could constitute negative publicity for its claims about the App Store’s “ultimate security”. However, it did limit global user access to the 14 apps, and US-based users see them listed as unavailable. The takeaway from all this is that users should always be careful about which apps they install and use on their devices, as no app store is perfect. As Wandera researchers point out, users should not trust anything that is available on the App Store, but should instead scrutinize the available developer information on official websites, monitor the apps’ network activity, and critically judge ad over-serving practices.
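As an added illustration of the “monitor network activity” advice (example code written for this page, not from Wandera or the report): the script below parses constructed proxy-log lines from a device, flags requests to a placeholder known-bad host (the page does not name the Golduck server, so `golduck-c2.example` is a stand-in) and lists which of the data categories named above each flagged request carries. The log format and the query-parameter names are assumptions.

```python
"""Flag app traffic to a known-bad host and list the sensitive fields it carries.

Added example, not from the Wandera report. The host name and log lines are
constructed placeholders; replace KNOWN_BAD_HOSTS with your own threat-intel feed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder: the article does not name the Golduck server, so use a labelled stand-in.
KNOWN_BAD_HOSTS = {"golduck-c2.example"}

# Assumed query-parameter names, mapped to the data categories the article lists.
SENSITIVE_FIELDS = {
    "device": "device type",
    "appver": "app version",
    "ads": "ads served",
    "ip": "device IP address",
    "lat": "location",
    "lon": "location",
}

# Assumed log format: "<timestamp> <bundle id> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def parse_line(line):
    """Parse one proxy-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(line):
    """Return (app, host, leaked categories) for a request to a known-bad host, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    if host not in KNOWN_BAD_HOSTS:
        return None
    params = parse_qs(parts.query)
    leaked = sorted({SENSITIVE_FIELDS[k] for k in params if k in SENSITIVE_FIELDS})
    return rec["app"], host, leaked

def scan(lines):
    """Run classify over a whole log and return only the flagged requests."""
    return [r for r in (classify(l) for l in lines) if r]

# Constructed sample log: one benign CDN request, one request to the placeholder host.
SAMPLE_LOG = [
    "2019-01-15T10:01:02Z com.example.retrotank GET https://cdn.example.net/assets/level1.png",
    "2019-01-15T10:01:05Z com.example.retrotank POST https://golduck-c2.example/report?device=iPhone10,3&appver=1.2&ads=7&ip=203.0.113.9&lat=51.5&lon=-0.1",
]

if __name__ == "__main__":
    for app, host, leaked in scan(SAMPLE_LOG):
        print(f"{app} -> {host}: {', '.join(leaked)}")
```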