Last week, we published a blog on a malicious Android app that reappeared after a three-year absence for a new Japanese one-click fraud campaign. We’ve since discovered that the scammers have also prepared an iOS version of the app and are distributing it on an identical fraudulent site. This scam affects both jailbroken and non-jailbroken iOS devices.
This is the first time we’ve seen a malicious iOS app being used for one-click fraud purposes. The scammers are likely taking advantage of the iOS Developer Enterprise Program for their campaign, though we have not confirmed this.
If the app is installed on the user’s device, then it tells the user that they have agreed to become a member of the site and demands that they pay 99,000 Japanese yen (approximately US$800) now or 300,000 yen (approximately $2,400) after three days.
iOS apps over the air
It is not commonly known that iOS apps can be distributed outside of the Apple App Store. There are typically two methods to deliver apps over the air (OTA). One way is to distribute the app using ad hoc provisioning and the other is through the iOS Developer Enterprise Program.
Distributing an app using ad hoc provisioning requires each end user's unique device ID (UDID) to be registered in the developer's account and embedded in an ad hoc provisioning profile; the app will only install on the devices listed in that profile. Developers are also limited to 100 registered devices per year and need to enroll in the iOS Developer Program, which costs US$99 each year. This route is typically used for beta testers prior to the official release of the app on the Apple App Store.
On the other hand, the iOS Developer Enterprise Program does not require UDIDs, so developers can use this model to distribute their app to anyone over the air. Developers must, however, apply to participate in the program and pay an annual fee of US$299. This is intended for companies that want to develop and install in-house apps on their employees' devices.
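The distribution method is recorded in the provisioning profile that ships inside every over-the-air IPA (`Payload/<App>.app/embedded.mobileprovision`): an enterprise profile carries `ProvisionsAllDevices`, while an ad hoc profile carries a `ProvisionedDevices` list of UDIDs. The following is an added example (not Symantec's tooling or anything from the campaign) that pulls the plist out of such a profile and classifies it. The two sample profiles are constructed inline, with filler bytes standing in for the CMS (PKCS#7) envelope that wraps a real profile; the code does not verify that signature, so it is a triage aid, not proof of who signed the app.

```python
import plistlib

# Constructed sample profiles. A real embedded.mobileprovision is a CMS-signed
# DER blob whose payload is an XML plist; the leading/trailing bytes here are
# filler that mimics that envelope so the example runs offline.
_ENVELOPE_HEAD = b"\x30\x82\x0a\x00" + b"\x00" * 12
_ENVELOPE_TAIL = b"\x00" * 8

ENTERPRISE_BLOB = _ENVELOPE_HEAD + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Video Player</string>
  <key>TeamName</key><string>Example Corp (assumed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2014-06-20T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.video</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""" + _ENVELOPE_TAIL

ADHOC_BLOB = _ENVELOPE_HEAD + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Beta Build</string>
  <key>TeamName</key><string>Example Dev (assumed)</string>
  <key>TeamIdentifier</key><array><string>FGHIJ67890</string></array>
  <key>ProvisionedDevices</key><array>
    <string>0000000000000000000000000000000000000001</string>
    <string>0000000000000000000000000000000000000002</string>
  </array>
  <key>ExpirationDate</key><date>2014-01-15T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>FGHIJ67890.com.example.beta</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""" + _ENVELOPE_TAIL


def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a .mobileprovision blob as a dict.

    The plist is located by its markers rather than by parsing the CMS
    structure, which is enough for triage but does NOT check the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    """Map a parsed profile to the distribution model it authorises."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # installs on any device, no UDID needed
    if "ProvisionedDevices" in profile:
        # Debuggable builds (get-task-allow) are development profiles;
        # the rest are ad hoc, limited to the listed UDIDs.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"               # neither marker: App Store distribution


def triage(blob: bytes) -> dict:
    """Summarise the facts an analyst wants from a sideloaded app's profile."""
    profile = extract_plist(blob)
    devices = profile.get("ProvisionedDevices", [])
    return {
        "kind": classify(profile),
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "device_count": len(devices),
        "expires": profile.get("ExpirationDate"),
    }


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_BLOB), ("ad hoc", ADHOC_BLOB)):
        print(label, triage(blob))
```

An app reached from an adult-video site that turns out to be signed under an enterprise profile is exactly the pattern described above: a certificate meant for in-house deployment being used to put software on arbitrary consumers' phones. The `team_id` and `expires` fields are what you would pass along when reporting the app to Apple.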
The membership cost as well as registering with Apple may have kept cybercriminals from making the investment in the past. However, these obstacles don’t completely prevent everyone from attempting to abuse the system. Two years ago, we found the fraudulent “Sakura” site app, which required the developer to join the iOS Developer Program.
For the iOS one-click fraud campaign, the scammers appear to have participated in the Developer Enterprise Program to spread the app, though we haven’t confirmed this. They could have either applied for membership on their own or compromised someone else’s account.
One-click fraud campaign against iOS users
In this campaign, the user may arrive at the scammers’ fraudulent site either by clicking on a link in a spam message or by stumbling across the site during an online search for adult videos. If the user clicks on the play button on the site, then they are presented with a pop-up message asking the user to install an app. The user can install the app on their iOS device, even if they haven’t jailbroken it.
Figure 1. Fraudulent adult website tries to convince user to install malicious iOS app
The iOS device then warns the user that the app comes from an untrusted developer and asks whether to trust it. Once the developer is marked as trusted, the app runs on the device just like an app installed from the App Store.
Figure 2. iOS device asks the user whether they trust the app’s developer or not
When launched, the app displays a member’s page for the adult video site, just like its Android counterpart. After a while, the app claims that the user has signed up for a subscription to the site and must now pay for this.
Figure 3. Adult site demands that the user pays a subscription fee
Mitigation
This app is only a component of the scam used to lure the user into paying for the subscription. The app itself does no harm to the device and does not independently gather personal or payment details. If the user has installed the app, then they should immediately uninstall it and ignore the payment request.
Users should only install apps from trusted sources. If the prompt in Figure 2 appears for an app from a source they do not recognize, they should choose not to trust it. We have reported our discovery to Apple so that it can revoke the distribution certificate used to sign the app.
Symantec and Norton products detect the malicious app discussed in this blog as iOS.Oneclickfraud.