Does iOS malware actually exist?

Summary: There actually has been some iOS malware, but it's shockingly rare. It's all thanks to Apple's rigid control over app distribution.

TOPICS: Security, iOS

Everyone knows there's no iOS malware, right? Strictly speaking, there is. As a practical matter, there isn't. At least if you stick with the official Apple store, you are more likely to win Powerball than to be hit by iOS malware.

But to make that "strictly speaking" point, FortiGuard Labs's Axelle Apvrille ("the Crypto Girl") felt it necessary to list all the iOS malware on record — all 11 instances, eight of which work only on jailbroken phones.

If Apvrille's point is that iOS devices are not immune to security problems, then she is obviously correct, especially in the light of the recent iPhone hijacking episode. The perps in that case have been arrested in Russia and no software was exploited; all that happened was that the attackers hijacked iCloud accounts.

But malware is the worst way to show that iOS users have exposure, because Apple's business practices for app distribution have made it nearly impossible to get malicious software to users. Unlike on Android where you can, and many do, choose to get apps from third-party stores, with iOS there is exactly one place you can get your software: Apple's App Store. There is malware, now and then, in Google's Play store, but it's not the real Android malware threat, if there really is such a threat.

(Incidentally, I don't want to rag on Fortinet or Apvrille too much; they do a lot of great research and their blog is one of the better industry sources out there.)

It's not like iOS isn't an inviting target. There are zillions of devices out there and iOS customers have shown that they are willing to spend money on apps. And there absolutely are ways that iPhones can be attacked, although more likely through vulnerabilities, especially in Safari, than through malicious apps.

In fact, Apple's rules for what it will allow in its App Store are so strict that they effectively ban security software. It's a good thing there is next to no malware, because what you would need to do to block it on your phone is not permitted. Android, on the other hand, has a burgeoning market for security software and no shortage of malware.

Instinctively, I don't like the tight control Apple has over their app ecosystem, but I've long ago given up objecting to it. They got it right, which is why Microsoft is copying the model closely. What could never work on PCs and Macs works great on mobile.

  • works really well...

    Which is part of the reason Android has 80+% of the market...
    • Actually, it's 99% of the malware that is

      32.8 million Android devices were infected with 65,227 different malware variants in 2012 (and even more last year) according to NQ Mobile vs close to zero iOS devices.
      • ...

        You have no idea what you're talking about.
        • I'm waiting for your well-reasoned rebuttal...

          An example of the viciousness of many Android malware exploits is the Eurograbber malware that swiped $47 million from the bank accounts of 30,000 hapless users last year.

          Then there is the Bmaster command and control botnet malware which has been siphoning between half to 3.5 million dollars off hapless Android users per year.

          And then there is the Google Messaging Service security hole being used by hackers to steal Android users’ data and forcing them to send premium SMS messages with direct financial implications to Android users.

          One big worry is the enormous Master Key security hole affecting 99% of all Android devices sold since 2008 that can give malware full access to all system and user data and control phone and SMS functions and turn the Android device into an always-on, always-moving, hard to detect botnet zombie.

          This Master Key vulnerability can unfortunately only be patched by manufacturers releasing new firmware for their devices which is regrettable considering the dismal record manufacturers and Carriers have of releasing updates for Android devices.
          • Ok...

            Eurograbber - they (users) were sent a phishing link to an Android malware app hosted on a third-party site (i.e. not Google’s Play).

            BMaster Command and Control botnet - The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings.

            The Google messaging service security hole is the same command and control issue you pointed to above. It was discovered as coming in as part of a porn app, so we can also assume this is from a third party site since the Play Store doesn't host porn apps.

            The Master Key vulnerability - that's a legit bug, but it has already been fixed by Google AND according to Sophos, the best way to avoid it is only pulling your apps from the Play Store.

            Are you noticing one thing in common with everything you bring up? The only users really at risk are the ones dumb enough to try and put "warez" on their phone...just like a PC, just like a jail-broken iDevice.

            So if you want to avoid all these issues, stop doing stupid crap on your Android device.
          • I'm sorry but that's a have your cake and eat it argument

            Restricting yourself to just the Google Play Store (which incidentally has suffered plenty of malware, scamware and hundreds of thousands of spamware apps) goes against the whole ethos of an Open platform where you can copy apps from person to person, download them from any website, send them via email, copy off thumbdrive etc.

            To class that sort of usage as "doing stupid crap" is an affront to the open source tradition, not to mention the fact that a significant and growing percentage of the Android platform is composed of AOSP Android devices that don't have access to the Google Play Store in the first place.
          • Yes, they can.

            Android permits one to use third party stores. It's not the default and most people will be happy by limiting their use to the Google Play Store. HOWEVER, for those who choose to, they can go outside of the Google Play Store. The risk being malware.
          • I can't tell if you are for or against the "ethos of an Open platform"

            I think what ExploreMN is saying is that users who don't know enough to play safe outside the closed environment should stay within the safety of it. Yes, there have been failures which have led to some malware slipping into the play store in the past but they've taken steps to improve the situation and it seems to have helped so they deserve some credit there.

            A completely closed platform could, by its very nature, be a more secure environment. Notice I said "could" and not "would". However, as a user who would like to get the most out of a device I paid good money for and a closed platform puts the people who sold me the device in control and not me the owner of the device. I am intelligent enough to realize that the ability to install software other people wrote for my device puts me at risk depending on the competency and intent of the programmer.

            I still want the ability to determine that risk and install software as I see fit. That includes software designed to protect me from malware or outside hacks. The closed platform isn't likely to include such software because the very idea that you still need such protections contradicts the idea that the closed platform has value as a security layer... and yet iOS was the first to fall at Pwn to Own.

            Personally, I think there are potentially better solutions to security than closed platform vs. app stores where insufficient vetting allows malware to slip in. Unfortunately, the open platforms haven't implemented such solutions yet. I think the chances are, that the open platforms will develop better security solutions before closed platforms will.
          • I can't tell....

            Ideology...., Open good, closed bad.... Open sounds great, you know with those big words like 'freedom', 'choices' 'control'.... for the very savvy perhaps this is a good thing...but for most people, it leads to trouble...and exploitation!! Closed, one has the freedom of no malware worry, choices of apps that are not infected and control of their phone without malware....

            Any ideology is a dangerous thing to believe in..... Just remember, every 'coin' is two sided. In other words, whatever ideology you believe in, it has a down side. There is no perfect solution.
          • To a degree

            On some levels I agree that part of the allure of Android is the openness of the platform. It allows users to go beyond what the OEM or Google might want you to, which in my humble opinion is a great thing.....but with great powers comes great responsibility... In this case it's the user's responsibility to be diligent with where they get their software (in case of rooting). Malware that is in the App store is unacceptable on any level.
          • *sigh*

            You're apparently one of those who can't really deal with a logical argument so you resort to garbage. The point is that the malware you talk about can be easily avoided. Now you take a philosophical approach to respond to a technical issue. Just stop. It doesn't make sense and it's a pointless argument. The malware is not coming from commercial alternatives to the play store of which Amazon is really the only other legit one. It's coming from pirating and other questionable sources. Your argument is like saying "because I'm free and live in America I should be able to walk down a dark alley in Harlem with bags of plainly marked cash and not get mugged" or some nonsense. Sure, you can give it a shot and might even be successful once in a while, but eventually you're going to get jacked. If you're going to get your stuff from questionable sources you need to be careful and you may get compromised.

            So again, it goes back to don't do stupid crap and you'll be fine.
          • Mac or PC

            So are you saying that users on Macs and PCs should never be allowed to install apps unless they filter through and get approved by Apple and Microsoft respectively? They are all just computers. Why restrict one and not the other?

            Personally I side load all the time but then I develop. I also go to technical 3rd party stores for open source Android apps as well. I also root. Have not been infected yet but you think giving me this power and ability is somehow wrong?
            Rann Xeroxx
          • big brother is bad

            But only when it is by, of, and for (all) the people.

            When private companies do it, it's okay (even if only the company benefits and at your expense)
          • But you agree

            The argument wasn't how or where the malware was coming from; it was just that Android at this time has more malware issues than iOS. Now that may be due to the user habits but it still shows that malware exists in one way or another within the Android (walled garden with a gate door that users have the key to open the gate) ecosystem on a larger scale than in iOS (walled garden with a deadbolt lock with Apple holding the key). But just to offer my take: users with rooted or unlocked devices seem to be the root (lol) issue; Google, Apple and Microsoft can only do so much to protect users and maintain an enjoyable UX; go too far and you have Vista, not enough and you have XP.
          • Actually that's exactly what the article was primarily about.

            @Nigel Barrett: "The argument wasn't how or where the malware was coming from"

            Go back and re-read it and you'll see the article was about Apple screening applications and not so much the technical merits of iOS.
          • Here is a simple rebuttal

            If you take the academic studies over the people selling anti-virus software, the malware infection level of Android phones in the US is 0.0009%. That is what we call a statistically insignificant number. Go ahead and spout your 99% line like it means something, but those of us with even the smallest amount of intelligence know it's irrelevant.
          • about $7 billion

            Were swiped from iTunes thru in-app purchasing in free game deception. There's your iOS malware.
            Let's get some perspective
          • perspective is boring

            Fanboyism is awesome
      • Easy solution. From the study:

        "Cybercriminals add lines of malicious code into a genuine app and repackage and reload it onto a 3rd party marketplace..."

        Don't use 3rd party market places. Then you're at almost no risk.
        • Not so easy

          Considering the ability of Android to allow app installs from anywhere - email messages, web sites, USB sticks and other app stores etc - is touted as a big advantage over iOS, the suggestion to only install apps from the Google Play Store is a bit of a flawed "have your cake and eat it" argument.