A short blog post is making the rounds on Twitter this morning, aiming to burst the myth that “malware for iOS doesn’t exist.”

With our FortiGuard Labs reporting that 96.5% of all mobile malware is Android based, it would be easy to see why someone might opt for an iPhone. But, users beware. Don’t write off iOS as the secure alternative to Android just yet! Despite Android malware being nearly an epidemic, or as Tim Cook referenced, “a toxic hellstew”, iOS is not immune.

I’m not a malware expert, and at the (substantial) risk of being (further) branded an Apple Apologist and/or Fanboy, let’s review their list.

| Name       | Year | Attack                                  | Spreads                          | Jailbreak Req’d? |
|------------|------|-----------------------------------------|----------------------------------|------------------|
| Trapsms.A  | 2009 | Collects all SMS messages               | User installs via Cydia          | Yes              |
| MobileSpy  | 2009 | Collects SMS, call, URL, GPS data       | Requires physical access         | Yes              |
| Eeki.A     | 2009 | POC - Worm                              | Worm - via default SSH password  | Yes              |
| Eeki.B     | 2009 | Steals SMS database                     | Worm - via default SSH password  | Yes              |
| Toires.A   | 2009 | POC - Retrieves private data via APIs   | User installs via App Store      | No               |
| LBTM       | 2010 | Calls premium phone number              | User installs via App Store      | No               |
| iKeyGuard  | 2011 | Explicit keylogger                      | User installs via Cydia          | Yes              |
| FindCall   | 2012 | Asks for acct info, spams friends       | User installs via App Store      | No               |
| Killmob    | 2013 | (no iOS details given)                  |                                  | Yes              |
| AdThief.A  | 2014 | Hijacks ad clicks                       | (unclear)                        | Yes              |
| SSLCreds.A | 2014 | Steals Apple IDs from SSL traffic       | (unclear)                        | Yes              |

The blog post lists 11 separate cases of iOS malware over a 5-year span (but strangely, doesn’t include Charlie Miller’s POC). Of these eleven cases:

  • Two are proof-of-concept demonstrations not released in the wild
  • Eight require a jailbroken device
  • Five must be manually installed by the user
  • One requires physical access
  • One is actually advertised as malware (it’s explicitly a keylogger)
  • None of the three items distributed through the App Store modifies the device’s operating system

Dropping the POCs gives us 9 items. Dropping the explicit keylogger (the user clearly knows what they’re getting when they ask for it), we’re at 8 items. Of the remaining 8 items, 2 (LBTM and FindCall) were ordinary App Store applications that abused published Apple APIs rather than any OS flaw. These two were pulled from the App Store, and the APIs they utilized now prompt the user for permission when accessed by a 3rd-party application.

The remaining 6 malware items only affect jailbroken devices, and of these, at least one (possibly two; it’s not clear how MobileSpy is installed) must be explicitly installed by the user via Cydia. Some of these appear to be simple spyware, while a couple are more dangerous malware, especially SSLCreds (also known as Unflod Baby Panda):

  • Trapsms (steals SMS data)
  • MobileSpy (collects SMS, URL, GPS, and calling data)
  • Eeki.B Worm (steals SMS database, uses default SSH password)
  • Killmob (no details given)
  • AdThief (replaces device ID info to steal revenue from ad usage)
  • SSLCreds (intercepts SSL communications and steals Apple IDs and passwords)

What conclusion can we draw from this? That some kinds of malicious activity can slip through to the App Store (especially if we consider Charlie Miller’s POC) but, to our knowledge these have been found and removed quickly, and the underlying weaknesses in the operating system have been addressed. However, all of the remaining seen-in-the-wild instances of malware require a jailbroken device, and possibly direct user action to cause the installation or spread of the malware.

Is it surprising that malware can infect a jailbroken phone? Hardly. In fact, I’m actually kind of amazed that we’re only able to identify six instances of such shenanigans.
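The Eeki worms in the list above spread between jailbroken devices purely because the SSH server that people install from Cydia listens on every interface and root still has its default password. The added example below (my own code, not part of the original post or any of the cited projects) audits an OpenSSH-style sshd_config for the three settings such a worm depends on and emits a hardened copy. It assumes the device runs stock OpenSSH (the Cydia package is a plain OpenSSH build) and that its config lives at the usual /etc/ssh/sshd_config; the config text embedded in the block is constructed for the demo.

```python
"""Audit an sshd_config for the settings a default-password SSH worm relies on.

Added example, not code from the original post. Assumes an OpenSSH-style
sshd_config (the Cydia OpenSSH package installs one at /etc/ssh/sshd_config).
"""
import re

# Keyword -> values that keep a password-guessing worm out. None in the set
# means "unset is acceptable" because the documented sshd default is safe
# (PermitEmptyPasswords defaults to no). PermitRootLogin and
# PasswordAuthentication defaulted to yes on the old OpenSSH builds of the
# era, so leaving them unset is treated as a finding.
SAFE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no", None},
}
HARDENED = {  # value written by harden()
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
}
CANON = {  # canonical spelling for the lines harden() writes
    "permitrootlogin": "PermitRootLogin",
    "passwordauthentication": "PasswordAuthentication",
    "permitemptypasswords": "PermitEmptyPasswords",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*[=\s]\s*(.*?)\s*$")


def parse_global(text):
    """Return {keyword: first value} for the global section of an sshd_config.

    sshd honours the FIRST value it sees for a keyword, and everything after a
    Match line is conditional, so collection stops at the first Match block.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # whole-line comments only
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":
            break
        values.setdefault(key, val)
    return values


def audit(text):
    """Return a list of (keyword, observed value, problem) findings."""
    values = parse_global(text)
    findings = []
    for key, safe in SAFE.items():
        observed = values.get(key)
        if observed is None and None not in safe:
            findings.append((key, "(unset)", "falls back to an unsafe build default; set it explicitly"))
        elif observed is not None and observed not in safe:
            findings.append((key, observed, "permits the password logins a worm brute-forces"))
    return findings


def harden(text):
    """Return the config with the three keywords forced to their safe values.

    Global occurrences are rewritten in place; missing keywords are inserted
    before the first Match block (or appended) so they remain global settings.
    """
    out, seen, in_match = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line and not line.startswith("#") else None
        key = m.group(1).lower() if m else None
        if key == "match" and not in_match:
            for k, v in HARDENED.items():
                if k not in seen:
                    out.append(f"{CANON[k]} {v}")
                    seen.add(k)
            in_match = True
        if key in HARDENED and not in_match:
            out.append(f"{CANON[key]} {HARDENED[key]}")
            seen.add(key)
            continue
        out.append(raw)
    for k, v in HARDENED.items():
        if k not in seen:
            out.append(f"{CANON[k]} {v}")
    return "\n".join(out) + "\n"


# Constructed sample resembling a freshly installed Cydia OpenSSH config:
# root login allowed, password auth left at its (unsafe) default.
SAMPLE_CONFIG = """\
# constructed sshd_config for the demo
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for key, observed, problem in audit(SAMPLE_CONFIG):
        print(f"{CANON[key]} = {observed}: {problem}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONFIG), end="")
```

Turning PasswordAuthentication off only helps if a key is already in ~/.ssh/authorized_keys for the account you actually use; do that (and change the root and mobile passwords) before restarting sshd, or the next login attempt will be your own lockout rather than the worm’s.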

Will a fully-patched, non-jailbroken iOS device ever be susceptible to more “traditional” malware that installs and spreads without the user’s knowledge? Possibly. The vulnerabilities exploited by the JailbreakMe tools, which jailbroke a stock device simply by visiting a web page in Safari, could certainly have been used by malware authors, though Apple patched them within days of their becoming public knowledge.

The bottom line here, to my mind, is this: If you do not jailbreak your iOS device, you’re very well protected against malware, and though some things slip through, Apple has been doing a pretty good job of removing such items once found, and further strengthening the system against similar future attacks. I’d be cautious in pointing to this latest list as proof that iOS is just as unsafe as any other platform, because I really feel the evidence suggests otherwise.

[Full disclosure - I violated Betteridge’s Law of Headlines when I titled this post “iOS Malware - A real problem, or just FUD?”. My apologies. A less click-baity title is now in place.]