Apple removes Windows malware from iOS App Store

On Tuesday, an iOS app in the App Store was discovered containing malicious Windows executable files. While this meant your iPad, iPhone, iPod touch, and Mac could not be infected, even Windows users were relatively safe since the malware had to be manually extracted from the iOS application package. Either way, Apple quickly removed it.

iOS user "deesto" posted the following message in the Apple Support Communities forum in a post titled "apps reported as virus" (via CNET):

I just downloaded two apps from iTunes, and one of them has been flagged by ClamXav as being a virus:
-Quotes for Cards (for Instagram)

2012-07-24 10:19:21 /Users/{me}/Music/iTunes/Mobile Applications/Downloads/Instaquotes-Quotes Cards For Instagram.tmp/Info.plist: OK
2012-07-24 10:19:22 /Users/{me}/Music/iTunes/Mobile Applications/Downloads/Instaquotes-Quotes Cards For Instagram.tmp/download.app: Worm.VB-900 FOUND
2012-07-24 10:19:24 /Users/{me}/Music/iTunes/Mobile Applications/Instaqoutes 1.0.ipa: Worm.VB-900 FOUND

I let ClamXav move it to the trash, but what else can/should be done? How can I verify whether this is actually a virus? A search for information on the app turned up very little, and nothing at all with reference to a possible virus or malware.

In short, the app called "Instaquotes-Quotes Cards For Instagram" was being flagged by the user's antivirus as a worm. While some argued this was a false positive, it was quickly confirmed the iOS package included a threat identified as Worm.VB-900 by ClamAV and Worm:Win32/VB.CB by Microsoft.

The app in question had been in the App Store since July 19. Over the weekend, its price was temporarily slashed from $0.99 to free. It is unknown how many users downloaded the infected app while it was available, and Apple is unlikely to share such information.

Within hours of the report, Apple removed the app from the App Store. The developer "Appsstand" then posted the following message in the same forum topic:

Thank you For Emailing is us about the Infected app , We are Now working with apple To Push the Updated app the the appstore . Thanks

It's not entirely clear whether the malware's inclusion inside the app was done on purpose. Given that it wasn't exactly set up to infect a computer upon download, it's most likely this was an accidental inclusion due to an the developer's computer being infected.

Apple needs to start scanning for Windows malware as well as Mac and iOS malware when developers upload their apps to the company's app repository. A simple extraction and scanning of all the files from the iOS app package would have prevented this threat from getting onto the iOS App Store.

See also:

• New Mac Trojan installs silently, no password required
• New Flashback variant silently infects Macs
• New targeted Mac OS X Trojan requires no user interaction
• Over 600,000 Macs infected with Flashback Trojan
• Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux
• Cross-platform Trojan attacks Windows, Intel Macs, Linux