A short blog post is making the rounds on Twitter this morning, aiming to burst the myth that “malware for iOS doesn’t exist.”
> With our FortiGuard Labs reporting that 96.5% of all mobile malware is Android-based, it would be easy to see why someone might opt for an iPhone. But, users beware. Don’t write off iOS as the secure alternative to Android just yet! Despite Android malware being nearly an epidemic, or as Tim Cook referenced, “a toxic hellstew”, iOS is not immune.
I’m not a malware expert, and at the (substantial) risk of being (further) branded an Apple Apologist and/or Fanboy, let’s review their list.
| Name | Year | Behaviour | Installation vector | Jailbreak required |
|---|---|---|---|---|
| Trapsms.A | 2009 | Collects all SMS messages | User installs via Cydia | Yes |
| MobileSpy | 2009 | Collects SMS, call, URL, GPS data | Requires physical access | Yes |
| Eeki.A | 2009 | POC - Worm | Worm - via default SSH password | Yes |
| Eeki.B | 2009 | Steals SMS database | Worm - via default SSH password | Yes |
| Toires.A | 2009 | POC - Retrieves private data via APIs | User installs via App Store | No |
| LBTM | 2010 | Calls premium phone number | User installs via App Store | No |
| iKeyGuard | 2011 | Explicit keylogger | User installs via Cydia | Yes |
| FindCall | 2012 | Asks for acct info, spams friends | User installs via App Store | No |
| Killmob | 2013 | (no iOS details given) | | Yes |
| AdThief.A | 2014 | Hijacks ad clicks | (unclear) | Yes |
| SSLCreds.A | 2014 | Steals AppleIDs from SSL traffic | (unclear) | Yes |
The blog post lists 11 separate cases of iOS malware over a 5-year span (but strangely, doesn’t include Charlie Miller’s POC). Of these eleven cases:
- Two are proof-of-concept demonstrations not released in the wild
- Eight require a jailbroken device
- Five must be manually installed by the user
- One requires physical access
- One is actually advertised as malware (it’s explicitly a keylogger)
- None of the three items distributed through the App Store modifies the device’s operating system
Dropping the POCs gives us 9 items. Dropping the explicit keylogger (the user clearly knows what they’re getting when they ask for it), we’re at 8 items. Of the remaining 8 items, 2 are valid applications using published Apple APIs. These two were pulled from the App Store, and the APIs they utilized now prompt the user when accessed by a third-party application.
The remaining 6 malware items only affect jailbroken devices, and of these, at least one (possibly two; it’s not clear how MobileSpy is installed) must be explicitly installed by the user via Cydia. Some of these appear to be simple spyware, while a couple are more dangerous malware, especially SSLCreds (also known as Unflod Baby Panda):
- Trapsms (steals SMS data)
- MobileSpy (collects SMS, URL, GPS, and calling data)
- Eeki.B Worm (steals SMS database, uses default SSH password)
- Killmob (no details given)
- AdThief (replaces device ID info to steal revenue from ad usage)
- SSLCreds (intercepts SSL communications and steals Apple IDs and passwords)
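The triage above (drop the POCs, drop the explicit keylogger, then split what is left by distribution channel and jailbreak requirement) is easy to check mechanically. The script below is an added example, not part of the original post or the Fortinet post it reviews: it encodes the table as a list of tuples (transcribed from the table; column names are mine) and reproduces the counts the post quotes, so a reader can re-run the arithmetic if they disagree with how an entry is classified.

```python
"""Reproduce the post's iOS malware triage from its own table."""

# Transcribed from the table in the post. Tuple layout:
# (name, year, behaviour, installation vector, jailbreak required)
IOS_MALWARE = [
    ("Trapsms.A", 2009, "Collects all SMS messages", "User installs via Cydia", True),
    ("MobileSpy", 2009, "Collects SMS, call, URL, GPS data", "Requires physical access", True),
    ("Eeki.A", 2009, "POC - Worm", "Worm - via default SSH password", True),
    ("Eeki.B", 2009, "Steals SMS database", "Worm - via default SSH password", True),
    ("Toires.A", 2009, "POC - Retrieves private data via APIs", "User installs via App Store", False),
    ("LBTM", 2010, "Calls premium phone number", "User installs via App Store", False),
    ("iKeyGuard", 2011, "Explicit keylogger", "User installs via Cydia", True),
    ("FindCall", 2012, "Asks for acct info, spams friends", "User installs via App Store", False),
    ("Killmob", 2013, "(no iOS details given)", "(unclear)", True),
    ("AdThief.A", 2014, "Hijacks ad clicks", "(unclear)", True),
    ("SSLCreds.A", 2014, "Steals AppleIDs from SSL traffic", "(unclear)", True),
]


# Classification predicates. Each one looks at a single table row.
def is_poc(entry):
    return entry[2].startswith("POC")


def needs_jailbreak(entry):
    return entry[4]


def user_installed(entry):
    return entry[3].startswith("User installs")


def via_app_store(entry):
    return "App Store" in entry[3]


def is_explicit_keylogger(entry):
    return "keylogger" in entry[2].lower()


def tally(entries=IOS_MALWARE):
    """Counts matching the bullet list in the post."""
    return {
        "total": len(entries),
        "poc": sum(is_poc(e) for e in entries),
        "jailbreak_required": sum(needs_jailbreak(e) for e in entries),
        "user_installed": sum(user_installed(e) for e in entries),
        "physical_access": sum("physical access" in e[3] for e in entries),
        "explicit_keylogger": sum(is_explicit_keylogger(e) for e in entries),
        # App Store items that also require a jailbreak (post says: none)
        "app_store_and_jailbreak": sum(via_app_store(e) and needs_jailbreak(e) for e in entries),
    }


def triage(entries=IOS_MALWARE):
    """Apply the post's filter and return the two surviving groups.

    Drops proof-of-concepts and the explicitly advertised keylogger, then
    splits the remainder into App Store apps (valid apps using public APIs)
    and items that only affect jailbroken devices.
    """
    survivors = [e for e in entries if not is_poc(e) and not is_explicit_keylogger(e)]
    app_store = [e[0] for e in survivors if via_app_store(e)]
    jailbroken_only = [e[0] for e in survivors if needs_jailbreak(e)]
    return {
        "after_filter": len(survivors),
        "app_store": app_store,
        "jailbroken_only": jailbroken_only,
    }


if __name__ == "__main__":
    for k, v in tally().items():
        print(f"{k}: {v}")
    print(triage())
```

Running it reproduces the post's figures: 11 entries, 2 POCs, 8 needing a jailbreak, 5 user-installed, 1 needing physical access, 1 explicit keylogger, and no App Store item that also requires a jailbreak; after the filter, 8 remain, 2 of them App Store apps and 6 jailbreak-only. The "(unclear)" vector entries are counted as jailbreak-only purely on the table's final column, which is the same assumption the post makes.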
What conclusion can we draw from this? That some kinds of malicious activity can slip through to the App Store (especially if we consider Charlie Miller’s POC), but, to our knowledge, these have been found and removed quickly, and the underlying weaknesses in the operating system have been addressed. However, all of the remaining seen-in-the-wild instances of malware require a jailbroken device, and possibly direct user action to cause the installation or spread of the malware.
Is it surprising that malware can infect a jailbroken phone? Hardly. In fact, I’m actually kind of amazed that we’re only able to identify six instances of such shenanigans.
Will a fully-patched, non-jailbroken iOS device ever be susceptible to more “traditional” malware, that installs and spreads without the user’s knowledge? Possibly. The vulnerabilities exploited by the Jailbreak Me tools could certainly have been used by malware authors, though Apple patched both of these vulnerabilities within days of their becoming public knowledge.
The bottom line here, to my mind, is this: If you do not jailbreak your iOS device, you’re very well protected against malware, and though some things slip through, Apple has been doing a pretty good job of removing such items once found, and further strengthening the system against similar future attacks. I’d be cautious in pointing to this latest list as proof that iOS is just as unsafe as any other platform, because I really feel the evidence suggests otherwise.
[Full disclosure - I violated Betteridge’s Law of Headlines when I titled this post “iOS Malware - A real problem, or just FUD?”. My apologies. A less click-baity title is now in place.]