
Apple removes malicious iOS apps infected with clicker trojan
  • These apps were used to perform ad fraud tasks for their developers.
  • The infected apps are from different categories including productivity, platform utilities, and travel.

More than a dozen iOS apps infected with clicker trojan malware were found to be distributed via Apple’s App Store. These apps were used to perform ad fraud tasks for their developers.

Which are the infected apps?

Discovered by researchers from Wandera, the group of 17 infected apps covers different categories including productivity, platform utilities, and travel. The affected apps are:

  • RTO Vehicle Information
  • EMI Calculator & Loan Planner
  • File Manager – Documents
  • Smart GPS Speedometer
  • CrickOne – Live Cricket Scores
  • Daily Fitness – Yoga Poses
  • FM Radio – Internet Radio
  • My Train Info – IRCTC & PNR
  • Around Me Place Finder
  • Easy Contacts Backup Manager
  • Ramadan Times 2019
  • Restaurant Finder – Find Food
  • BMI Calculator – BMR Calc
  • Dual Accounts
  • Video Editor – Mute Video
  • Islamic World – Qibla
  • Smart Video Compressor

Except for ‘My Train Info – IRCTC & PNR’, all the apps are published on the App Store in various countries by the same developer, AppAspect Technologies Pvt. Ltd.

What are the capabilities of clicker trojan?

  • Once downloaded, the malicious apps infect victims’ devices with a clicker trojan. The trojan carries out fraud and ad-related malicious activities in the background, including continually opening web pages and clicking links without any user interaction.
  • It also drains the budget of a competitor by artificially inflating the balance owed to the ad network.

Connected to an Android ad fraud campaign

Wandera researchers confirmed that the C2 server used by this iOS clicker trojan is similar to the one used in a recent Android ad fraud campaign discovered by researchers at Dr.Web.

Dr.Web researchers had reported a very similar clicker trojan campaign affecting Android users. The malware was dubbed Android.Click.312.origin and Android.Click.313.origin. These trojans were available in over 33 apps distributed through the Google Play Store.

What has Apple done?

Apple has taken down all the compromised apps except for two: My Train Info – IRCTC & PNR and Easy Contacts Backup Manager. It will continue to monitor the activities of these apps.

Cyware Publisher
