Researchers Found Goldluck Malware Infecting iPhone Apps

The Goldluck malware has been around for more than a year. The malware basically gave hackers privileges which allowed them to send premium messages and earn money. Historically, Goldluck has been associated with popular classic game apps on Android. Today, security researchers revealed that “more than a dozen iPhone apps covertly communicating with a server associated with Golduck”.

As Tech Crunch reports, “Wandera, an enterprise security firm, said it found 14 apps — all retro-style games — that were communicating with the same command and control server used by the Golduck malware.” Michael Covington, Wandera’s vice-president of the product revealed that Goldluck had been on their watchlist. Communication between iOS devices and the suspicious domain called for further investigation by them.

Till now, the command and control server just displays a list of icons in a pocket of ad space in the upper-right corner of the app. So, there is nothing much to worry about. But, the apps also sent back IP address data and location data in some cases, back to Goldluck servers. Tech Crunch even verified the claim and confirmed that the app sent back what app, version, device type, number of ads displayed and IP address of the device.

“The [Golduck] domain was on a watchlist we established due to its use in distributing a specific strain of Android malware in the past,” said Michael Covington, Wandera’s vice-president of product. “When we started seeing communication between iOS devices and the known malware domain, we investigated further.”

The apps include: Commando Metal: Classic Contra, Super Pentron Adventure: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll Game, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It On: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick – Retro Block, The Climber Brick, and Chicken Shoot Galaxy Invaders.

There can be some serious complications in the future though. The researchers added, “A hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed.” According to them, the apps themselves don’t pose a major threat. But, the backdoor that they open, may make the users vulnerable. Moreover, since the servers are sending malicious payloads to Android users, iPhone users can suffer the same. Neither Apple nor any of the developers have commented on the matter yet. The list of apps which are affected can be found below.

Apple did not comment when reached prior to publication. The apps appear to still be downloadable from the App Store, but all now say they are “not currently available in the U.S. store.”

Apple’s app stores may have a better rap than Google’s, which every once in a while lets malicious apps slip through the net. In reality, neither store is perfect. Earlier this year, security researchers found a top-tier app in the Mac App Store that was collecting users’ browsing history without permission, and dozens of iPhone apps that were sending user location data to advertisers without explicitly asking first.

For the average user, malicious apps remain the largest and most common threat to mobile users — even with locked down device software and the extensive vetting of apps.

As Techcrunch concludes with a moral and it is so apt: don’t download what you don’t need or can’t trust.