Malicious Code in iOS App, Most Likely Injected during Windows OS Infection
An article published in MacWorld earlier today about an iPhone application labeled as malicious has raised a number of concerns among users. Upon Ars Technica’s request, we looked into the issue and here’s a run-down of what we found:
Sample MP3 header and metadata. Not related to this malicious incident.
Today, an iOS user noticed that the $2 game Simply Find It developed by Simply Game is detected as potentially malicious by Bitdefender Virus Scanner.
More specifically, the infected object – a MP3 file that ships along with the game, was detected as Trojan.JS.iframe.BKD, a specialized detection that deals with iFrames loading malicious content from compromised websites.
A closer look on the MP3 file reveals that it contains an iFrame loading content from a website based in China (x.asom.cn), a known source for malware flagged accordingly by both browsers and antivirus solutions. We dug deeper into the issue, because infected MP3 files are rarely found in the wild and are highly particular to specific exploitation mechanisms.
We discovered that this particular iFrame has been injected by a number of families of malware designed for Windows, families which attempt to infect HTM or HTML files and load malicious code within these files. Sometimes, because of improper file type validations, these families of malware accidentally infect MP3 files. While the code itself is malicious placed in the right context (i.e. in a HTML document), it has no side effect when injected into the wrong file.
There is no known mechanism to date to exploit this behavior on users’ machines, and the file definitely does not pose any threat to the iOS uses. Most likely, the file came from an infected computer, where it has been inadvertently infected, and then was included in the final product – the game itself.
How about malware planted in multimedia files?
Contrary to general belief, multimedia (video and audio specifically) files can be used to deliver malware. This is the case of Trojan.Wimad, a piece of malware that has been around since 2008. It particularly affects ASF files (Windows Media Audio (.WMA) and Windows Media Video (.WMV)) files, which are designed to include a download link for the appropriate codec in case the system does not have it installed. By changing this link, cyber-crooks can deliver a piece of malware via the media player application, if it supports this feature.