It hasn’t been a great week so far for Apple security.
The discovery of new, low-distribution Mac malware known as Crisis or Morcut would be bad enough news, just before the launch of Mountain Lion.
But, alas, there’s another security issue: an iOS app in the App Store was found to contain malicious Windows executable files.
The malware was initially found by a user of the Apple Support Communities discussion board who downloaded an app called “Instaquotes-Quotes Cards For Instagram” from iTunes, only to have his antivirus software tell him that it contained a worm.
Initially thought to be a false positive, it turned out that there was in fact actual Windows malware embedded inside the app.
The malware known by Sophos products as Mal/CoiDung-A, is identified as Worm.VB-900 by ClamAV and Worm:Win32/VB.CB by Microsoft.
CNET reports that Apple removed the Instaquotes app from the iOS App Store on Tuesday within hours of the malware’s discovery.
According to a MacRumors report, the app had been in the App Store since 19 July and its price had temporarily dropped from $0.99 to free this past weekend. It is unknown how many users downloaded the app while it was available in the store.
It’s also not entirely clear whether the malware’s inclusion inside the app was deliberate or not – but in all probability this was an accidental infection caused by an infected developer’s computer.
The good news is that the malware can’t actually run on a Windows PC without first being extracted from the iOS application package, so it is unlikely to have caused any actual damage to any users’ systems.
Earlier this month, Apple made the mistake of approving another questionable iOS app. In that case, the app itself engaged in nefarious behavior and was thus deemed by some to be malware.
That app, known as Find and Call, collected contact information from phones on which it was installed, sent this information in plain text over HTTP, and then sent SMS text message spam to the user’s contacts, all without warning the user or asking for permission.
There’s a major difference between Instaquotes and Find and Call, though. While Find and Call actually grabbed your data, the malware embedded in Instaquotes cannot cause any direct harm to Apple devices that run iOS.
Nevertheless, this is twice in a single month when Apple’s infamous app review process has neglected to stop bad things from getting inside the iOS “walled garden.”
Perhaps what’s most disappointing about the discovery of Windows malware inside an iOS app is that Apple doesn’t seem to have conducted a simple virus scan as part of its app vetting process.
Just extracting all files from the package, and scanning them with anti-virus software, would have prevented the Windows malware from getting into the iOS App Store in the first place.
As I discussed in detail last month, Apple could be doing a lot better job at vetting apps and improving the overall security of the iPhone, iPad, and App Store.
Walled garden image from Shutterstock.