Windows malware found in iOS app

Malware that infects Windows has been found embedded in an iOS app on the iTunes App Store. The malware was brought to light in a recent thread on the Apple Discussion forums, where a member by the name “deesto” said he had downloaded the free third-party app “Instaquotes Quotes Card for Instagram” from the iTunes App Store.


Deesto said that his antivirus program, ClamXav, had flagged the downloaded app as containing the malware “Worm.VB-900”. The warning was first suspected to be a false positive, but further investigation revealed that malware is present in the app package. iOS apps are distributed in the .ipa format, which is a wrapper that contains all the app packages.


According to CNET, the package contains the following executables buried inside:





As per CNET, “Other malware programs like Sophos that initially missed detecting the malware instantly picked it up and described it as ‘Mal/CoiDung-A,’ a worm written in Visual Basic that installs files within the Windows system directory and then modifies the Windows registry to execute the malware when the system is restarted.”


Find & Call is the first ever iOS malware

Instaquotes has a malware that doesn't affect iOS and Mac



CNET reports that copying the malware to a Windows virtual machine running the latest version of Microsoft Security Essentials resulted in the malware being immediately detected and removed from the system.


While the malware may not be a threat to iOS and Mac users, it may pose a problem for people who manage their iTunes App Store account on a Windows machine. It was first discovered in 2009, so the malware is relatively old and most antimalware utilities have proper definitions for it. It will therefore be easily detectable if installed. However, avoiding the Instaquotes app is still recommended.


Earlier, another piece of malware, named “Find & Call”, had been found on the iOS App Store. Kaspersky Lab stated that they initially believed it was an SMS worm that was sending messages to all the users’ contacts. However, after researching the situation, they discovered that it was a Trojan horse that was uploading the user's phonebook to a remote server. They explain that the replication part was carried out by the server, which sent SMS messages containing the application’s URL. Upon installation of the app, a user was prompted to fill out their mobile number as well as e-mail address. The report stated that if the user launches Find & Call, he will be asked to register in the app using his email address and cellphone number (both fields won’t be checked for validity). If users want to ‘find friends in their phone book’, the user’s phone book data will be secretly uploaded to a remote server without any EULA, Terms of Usage or notification to ask for the user’s permission.

Published Date: Jul 26, 2012 11:42 am | Updated Date: Jul 26, 2012 11:42 am