

First case of malware in the Apple App Store. - vilgax
http://www.securelist.com/en/blog/208193641/Find_and_Call_Leak_and_Spam

======
scott_s
I thought it was a measured analysis, and it was nice to see disassembled and
decompiled code. But the last bit is strange: _'Creating' phrases with
hexadecimal numbers is not new. And in many cases such things have been
noticed in different malicious applications._

Many applications do that for sanity checks, I don't think it's any kind of
indication of malware. It's a common technique to have some "magic number"
that you can recognize to make it less likely that a transfer of data has some
kind of corruption [1]. The benefit of using a number like 0xdeadbeef over,
say, 0x1857de89 is that you can tell at a glance if the first one is correct.

[1] Yes, one should use error codes and do this the real way. Not everyone
does.
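
The sanity-check use of a magic number that scott_s describes, as an added example that is not part of the original thread or of the app under analysis. The record layout, the 0xDEADBEEF magic, the XOR checksum and the "hello" sample message are all constructed for illustration. The point a practitioner should take from it is that the magic only tells you the buffer is aligned and plausibly of the right type; the length field still has to be bounds-checked before any copy, and payload corruption needs a checksum, which the magic does not provide.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout (constructed for this example, not any real protocol):
 *   uint32 magic (little-endian) | uint16 payload length (LE) | payload | uint8 XOR checksum
 * The magic is the "sanity check" from the discussion: a misaligned, truncated
 * or garbage buffer fails the very first compare, and 0xDEADBEEF is easy to
 * spot in a hex dump, which is why people pick it over an arbitrary constant. */
#define RECORD_MAGIC 0xDEADBEEFu
#define HEADER_LEN   6u
#define MAX_PAYLOAD  64u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint8_t xor_sum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Parse one record. Returns the payload length on success, or a negative code:
 * -1 bad magic, -2 truncated, -3 checksum mismatch, -4 payload too large.
 * Order matters: the length field is checked against both the output buffer
 * and the input buffer BEFORE any copy, so a corrupted or hostile length cannot
 * drive an out-of-bounds read or write. The magic alone would never catch that. */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t outcap)
{
    if (len < HEADER_LEN) return -2;
    if (rd32le(buf) != RECORD_MAGIC) return -1;
    size_t plen = rd16le(buf + 4);
    if (plen > outcap || plen > MAX_PAYLOAD) return -4;
    if (len < HEADER_LEN + plen + 1) return -2;
    if (xor_sum(buf + HEADER_LEN, plen) != buf[HEADER_LEN + plen]) return -3;
    memcpy(out, buf + HEADER_LEN, plen);
    return (int)plen;
}

/* Encode a record so the example runs stand-alone. Returns bytes written, 0 on error. */
size_t build_record(const uint8_t *payload, uint16_t plen, uint8_t *buf, size_t cap)
{
    if (plen > MAX_PAYLOAD || cap < HEADER_LEN + (size_t)plen + 1) return 0;
    buf[0] = RECORD_MAGIC & 0xff;         buf[1] = (RECORD_MAGIC >> 8) & 0xff;
    buf[2] = (RECORD_MAGIC >> 16) & 0xff; buf[3] = (RECORD_MAGIC >> 24) & 0xff;
    buf[4] = plen & 0xff;                 buf[5] = (plen >> 8) & 0xff;
    memcpy(buf + HEADER_LEN, payload, plen);
    buf[HEADER_LEN + plen] = xor_sum(payload, plen);
    return HEADER_LEN + plen + 1;
}

/* Scenarios over a constructed sample message. Each returns parse_record's code. */
static const uint8_t SAMPLE[] = "hello";   /* 5 bytes, constructed input */

int scenario_good(void)
{
    uint8_t rec[80], out[MAX_PAYLOAD];
    size_t n = build_record(SAMPLE, 5, rec, sizeof rec);
    return parse_record(rec, n, out, sizeof out);             /* 5 */
}
int scenario_bad_magic(void)
{
    uint8_t rec[80], out[MAX_PAYLOAD];
    size_t n = build_record(SAMPLE, 5, rec, sizeof rec);
    rec[0] ^= 0x01;                           /* 0xDEADBEEF -> 0xDEADBEEE */
    return parse_record(rec, n, out, sizeof out);             /* -1 */
}
int scenario_truncated(void)
{
    uint8_t rec[80], out[MAX_PAYLOAD];
    size_t n = build_record(SAMPLE, 5, rec, sizeof rec);
    return parse_record(rec, n - 2, out, sizeof out);         /* -2: tail lost in transit */
}
int scenario_bit_flip(void)
{
    uint8_t rec[80], out[MAX_PAYLOAD];
    size_t n = build_record(SAMPLE, 5, rec, sizeof rec);
    rec[HEADER_LEN + 1] ^= 0x20;              /* 'e' -> 'E': magic intact, checksum catches it */
    return parse_record(rec, n, out, sizeof out);             /* -3 */
}
int scenario_hostile_length(void)
{
    uint8_t rec[80], out[MAX_PAYLOAD];
    size_t n = build_record(SAMPLE, 5, rec, sizeof rec);
    rec[4] = 0xff; rec[5] = 0xff;             /* valid magic, length now claims 65535 bytes */
    return parse_record(rec, n, out, sizeof out);             /* -4 */
}

int main(void)
{
    printf("good=%d bad_magic=%d truncated=%d bit_flip=%d hostile_len=%d\n",
           scenario_good(), scenario_bad_magic(), scenario_truncated(),
           scenario_bit_flip(), scenario_hostile_length());
    return 0;
}
```

The last scenario is the one worth remembering when reading disassembly: a parser that compares the magic and then trusts the length field has a recognizable constant and still has a memory-safety bug, so the presence of 0xDEADBEEF says nothing either way about whether code is careful, let alone malicious.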

~~~
praptak
> benefit of using a number like 0xdeadbeef over, say, 0x1857de89

I remember a blog post of someone who ran the whole dictionary through
'l337sp34k' filter. The best word they found was 0xdefeca7e.

~~~
duskwuff
There's some other fun spellings using "8" = "ate", like 0xdefec8ed and
0x8badf00d.

------
younata
As far as malware goes, this isn't really that bad. (EDIT: it doesn't e.g.
steal your credit card info [unless you keep that info in your contacts list])

It's simply an app that uploads your address book to a remote server. Up until
recently, it was considered industry standard to do that.

The only thing this app does differently is that the server then sends SMS
messages to the numbers it uploads from your address book.

All this really is showing is that Apple should've made iOS from the beginning
ask the user for permission before allowing an app to access the address book.
After iOS 6, this app won't do anything.

~~~
pacaro
I think you're downplaying this. The illegitimate use of the address book is
being masked by a legitimate use - even if permission is asked for it will
likely be granted. What is essentially impossible to control except through
manual app verification processes (and very hard even then) is what is done
with the data once the app has access to them.

As a total aside, if you are an AT&T customer you can just forward SMS spam to
7726 (SPAM) and they take care of it - I'm not affiliated with AT&T (just a
customer) and I wish they would publicize this stuff more.

~~~
unfasten
Thanks for the information about reporting spam text messages, I had never
heard about it. I just received some spam text the other day and ended up
reporting it through the FCC, but reporting straight to your mobile operator
on the phone is much nicer.

ceejayoz is right about Verizon also supporting this feature (I just reported
the spam message I had from the other day). Via
<https://community.verizonwireless.com/message/696743#696743> :

    
    
        From MikeS1_VZW
    
        We have heard our customers on this, and we have launched a new program
        to help with SPAM. Take one (or several) of the SPAM messages and
        forward it to 7726 (which spells SPAM). This is a new process. Once you
        forward the message to 7726, you will get a reply text message asking
        the identity of the SPAM sender (the "From" address in the SPAM message
        you received). Once received, you will get a "Thank-you" message from
        the 7726 number. We will investigate on the back end.
    
        The messages you send to and receive from the 7726 number are free of
        charge. This is a brand new program we are testing, and it just started
        on 09/1/11. Please make this common practice when receiving SPAM
        messages. This is not to be confused with alerts though. If you get
        alerts (something you signed up for), you should reply STOP to the
        message received before going the whole 7726 route.

~~~
nathan_long
Great info, but given that carriers are paid for every message I receive, I
doubt their commitment to fighting text spam.

Here's what I want: a whitelist. If I want to add you to my whitelist, I put
my phone into "receiving" mode. I get your text, confirm adding you, then go
back into normal mode, where texts from anyone not on the list are rejected
and I don't pay for them.

~~~
chrisbolt
It would be nice if phones had an option to treat text messages differently if
the number isn't in your phone book. I wouldn't care about text message spam
so much if it went to a spam folder and didn't alert like a regular text
message.

~~~
pacaro
I think you just described how Facebook handles email...

But I agree with you for the most part a distinction between known senders and
unknown senders would be great. The only exception to this that I can think of
personally, is for things like the Google 2-factor auth messages which appear
to be sent from random numbers (in addition to _being_ random numbers!).

------
Smudge
It's a good thing Facebook overwrote my entire contacts list with useless
data, so apps like this can't affect me anymore.

~~~
freehunter
Unless Facebook overwrote their phone numbers with 1-800-[friend's name], this
is a pointless argument and completely out of context.

Facebook's issue was email. This is phone number SMS.

~~~
Smudge
(Yes, I am aware. It was a joke. iOS has many issues with its contact list.)

------
adjwilli
This article is total linkbait. They redefine "malware" to create a
sensationalized headline. The article never mentions what the consumer-facing
features were supposed to be. It could have had a legitimate use, but also this
privacy violating code. This is more properly an app that violates user
privacy - which is not something new or particularly newsworthy - and not
malware.

------
ja27
First _known_ case.

------
eps
First _publicized_ case perhaps?

------
Splines
It also shows problems with SMS in general:

- How can a 3rd party send a message that appears to be from the user that
ran the program?

- Why can't someone have the same control over SMS as they can over email?
(Filter based on trust, spam control)

I'd also be interested to know what sort of filtering is done by mobile
operators. I'm guessing there is some (based off of pacaro's comment), but do
these features differ by operator? Is there a standard?

~~~
cdcarter
"- How can a 3rd party send a message that appears to be from the user that
ran the program?"

Unfortunately this is just an issue of cid spoofing. Nothing new and carriers
still let it happen.

------
RedwoodCity
That was a really interesting analysis. A malware scam with a global reach. A
phone designed in California, malware written in Russia or a former Soviet
republic, and banking routed through Singapore. I gained a wealth of
knowledge.

------
joshlegs
Reminds me of this gem from a few days ago:

<http://news.ycombinator.com/item?id=4156438>

I guess that's just one more reason to keep their marketing the new way.

------
aen1
This is not the first case by a long shot.

------
eridius
How does the server send SMS as if it came from the user? I've never heard of
that ability before.

~~~
cjg_
Spoofing sender in SMS is easy, see
<http://en.wikipedia.org/wiki/SMS_spoofing>

------
jrmg
I'd like to see a translation of the app store description.

