March 5, 2015

The State of iOS Security

The iOS App Store is not the impenetrable walled garden you think it is.

For years, consumers have held up iOS as the safe mobile operating system. Comparatively, it does see much less malware than Android, likely due to Apple’s rigorous manual testing of App Store apps and technological limitations that only allow approved apps on iOS devices. But to believe you’re 100 percent in the clear if you’re using an iOS device is a mistake.

Today, iOS malware looks a lot like Android malware in 2010. Android malware got its foothold in 2010 when researchers found the first trojan called “FakePlayer” in the wild. A year later, in 2011, we saw the first Android malware in the Google Play store called DroidDream.

Thus far, iOS malware has followed a similar pattern with threats appearing in the wild for jailbroken devices, moving to non-jailbroken devices, and finally sneaking into the official App Store. And while that was far from the end of the Android malware story, it’s just beginning for iOS. Kevin Mahaffey, Lookout’s chief technology officer, predicts that as iOS continues to grow around the world, particularly in emerging markets, we’ll likely see more attackers focus their efforts on mainstream iOS users.

“Bad guys are rational economic actors. Because Android is so much more popular in the world they’re targeting the largest platforms first,” says Kevin Mahaffey. “But criminals are soon going to double down on iOS with targeted attacks.”

Android and iPhone malware: the technical abilities aren’t all that different

Apple’s app review process — a manual one where humans look at each app that is approved for distribution in the official App Store — has done a good job of keeping less sophisticated malware off iOS devices, though it’s not perfect. For the malware that does make it onto iOS devices, attacks can actually execute a lot of the same malicious actions. Lookout has observed iOS attacks that can do the following:

[Image: iOS v Android technical]

It’s much more of a level playing field than is generally assumed. Of course, the number of people actually affected by malware is significantly higher on Android, but in terms of what malware can do when actually on the device, the groundwork has been laid for significant threats to emerge.

iOS threats to date

Threats already exist for iOS and they aren’t trivial. Malicious actors are taking advantage of enterprise provisioning profiles, which are difficult to obtain, but once attackers have one, they are able to push any application they want to any device. A number of the more current threats to iOS, including WireLurker and XAgent, use this tactic. Indeed, the world of iOS malware will continue to change, but let’s take a peek at what the landscape looks like today:
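Seen from the defender's side, the enterprise provisioning tactic described above is visible in the provisioning profile an app carries. The following is an added example, not code from Lookout or from the original post: it reads the plist inside a `.mobileprovision` file and flags enterprise profiles from teams an organization has not approved. It does not verify the profile's signature, and the sample bytes, team ID and team name are constructed for illustration.

```python
import plistlib

def extract_profile(blob: bytes) -> dict:
    """Return the XML plist embedded in a signed .mobileprovision blob.
    The surrounding CMS signature is skipped here, NOT verified."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Distribution type implied by the profile's keys."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"            # installable on any device
    if profile.get("ProvisionedDevices"):
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def review(blob: bytes, trusted_team_ids=frozenset()) -> dict:
    """Flag enterprise profiles whose team is not on the approved list."""
    profile = extract_profile(blob)
    kind = classify(profile)
    teams = set(profile.get("TeamIdentifier", []))
    flagged = kind == "enterprise" and not (teams & set(trusted_team_ids))
    return {"kind": kind, "team": profile.get("TeamName"), "flag": flagged}

def constructed_sample(**keys) -> bytes:
    # Constructed input: a plist wrapped in filler bytes that stand in
    # for the CMS envelope of a real profile.
    return b"\x30\x82\x01\x00" + plistlib.dumps(keys) + b"\x00\x00"

ENTERPRISE_SAMPLE = constructed_sample(
    ProvisionsAllDevices=True,
    TeamIdentifier=["ABCDE12345"],          # constructed team ID
    TeamName="Example Corp (constructed)",
)
ADHOC_SAMPLE = constructed_sample(
    ProvisionedDevices=["constructed-udid"],
    Entitlements={"get-task-allow": False},
)

if __name__ == "__main__":
    print(review(ENTERPRISE_SAMPLE))                   # unknown team: flagged
    print(review(ENTERPRISE_SAMPLE, {"ABCDE12345"}))   # approved team: not flagged
    print(review(ADHOC_SAMPLE))
```
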




  1. S. Tamar says:

    Thank you for the info. I’ve also heard of iPhones with malware preloaded that’s activated upon certain apps launch.

  2. Fred Perkins says:

    I bought this only to realize it actually does nothing. It displays bogus information and even claimed my phone had something due to an app I did not even have installed. This is really bogus software. Nothing but a scam!!! Run away!

    • Meghan Kelly says:

      Fred, sorry to hear you’re having trouble with the app. We’re always looking for feedback. Would you email us? support [at] lookout [dot] com

  3. Richard Yao says:

    Antivirus software is a waste of money. It primarily scans for obsolete malware and new malware is always designed to be undetected until a definition update. The only time antivirus software might be useful is when new malware is exploiting zero day vulnerabilities before a vendor patch is available, but the antivirus vendors never report their success rates in this and their software is no substitute for the proper security practices that almost always avoid such malware being a problem in the first place. They are quick to discuss set incidents without their software, but they never explain what their software would have accomplished had it been given the opportunity. If there was any actual utility, antivirus vendors would be upfront about it instead of resorting to fear mongering. The only thing that antivirus software can typically accomplish is try to clean up an old system after whatever catastrophe that it was advertised to prevent has happened, but it often does a poor job of that.

    If people insist on installing antivirus software, there is ClamAV, which is free, but it is only principally useful for cleaning up after the fact like all antivirus software.

  4. This is an awesome explanation of mobile security for iOS. I’m part of a student team at Arizona State University and we just put together a mobile OS security breakdown.

    I think our research validates your claims.

  5. Naun says:

    Why am I getting an email notifying me that a SIM card was removed or inserted? And that is false.

  6. John says:

    Great article. I will start coming to this site on a regular basis for great information like this
