An app available for download from Apple's iOS App Store contains an embedded Trojan horse. And while the good news is that you're almost definitely safe from any malware danger, there's still reason for concern. The app itself is almost certainly harmless--and the malicious code is probably present unintentionally--but the fact that the code slipped through the App Store's review process isn't ideal.
The app Simply Find It, a $2 game from Simply Game, seems harmless enough. But if you run Bitdefender Virus Scanner--a free app in the Mac App Store--it will warn you about the presence of a Trojan horse within the app. A reader tipped Macworld off to the presence of the malware, and we confirmed it.
Apple declined to comment on the issue.
Bitdefender warns of the presence of Trojan.JS.iframe.BKD in the game. (Two other free Mac antivirus apps, iAntivirus and ClamXav, both failed to notice anything amiss with the app.) It's not too much effort to figure out what Bitdefender is detecting in the app, either.
As you may know, iOS apps are distributed as IPA files, which you can unzip using unarchiving apps on your Mac. When you unarchive Simply Find It, you can explore the app's package contents. I used Terminal to search the app for "iframe," and found a match in a single file: Payload/SpotDiffHD.app/day.mp3
That's a fully functional audio file used in the game. You can play it on your Mac, and it sounds fine. But when I opened the MP3 in BBEdit, I found this snippet just at the end of the file: iframe src="http://x.asom.cn"
That's an iframe, HTML code that embeds a remote webpage. In this case, the server that iframe points to--x.asom.cn--isn't actually responding at this writing. In theory, though, malware could use a secretly-embedded iframe to load up a maliciously-crafted webpage you didn't intend to visit, and attempt to do various unpleasant things.
Simply Game didn't respond to Macworld's request for comment, though it seems that iframe is embedded in that MP3 file unintentionally. The company sells numerous apps, and sells Simply Find It in the Mac App Store as well, where it is uninfected.
Security expert (and occasional Macworld contributor) Rich Mogull says that the app is almost certainly harmless. "If Apple tested the app by running it in a sandbox and watching the app's activities, that would be more effective than scanning MP3s for malware strings," since testing the app by running it shows what actually happens in real-world use. It's unclear how Apple tests apps, though, since that part of the process is opaque. "Thus," says Mogull, "we don't know for sure if [any Apple malware-scanning] process worked or not. A malware link that never runs isn't a threat, and there are very legitimate ways of testing that won't find something like this if it isn't a valid exploit."
Sign up for CIO Asia eNewsletters.