Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process.

The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer …

The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background.

Although no direct harm was done to app users, the background activity would have consumed mobile data, and potentially slowed the phone and accelerated battery drain.

The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.

Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not contained within the app itself; instead, the apps fetched instructions on what to do from a remote server.

Apple says it is improving its app review process to detect this approach.

Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple’s view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a ‘backdoor’ into the app that can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.
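A defender-side illustration of the point above: because the malicious behaviour only appears once the app phones home, static review misses it, but periodic background contact with a single host is visible in network telemetry. The following is an added example, not code from the article or from Wandera; the record format, the app and host names and the thresholds are constructed assumptions.

```python
"""Heuristic check for clicker-style C&C beaconing in per-app network records.

Added example, not code from the original article or from Wandera. The record
format, host names and thresholds are constructed assumptions; real telemetry
from an MDM or gateway would need its own parser.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (seconds since start, app id, destination host, in_background)
RECORDS = [
    (0, "com.example.speedometer", "cmd.example-c2.test", True),
    (60, "com.example.speedometer", "cmd.example-c2.test", True),
    (120, "com.example.speedometer", "cmd.example-c2.test", True),
    (180, "com.example.speedometer", "cmd.example-c2.test", True),
    (240, "com.example.speedometer", "cmd.example-c2.test", True),
    (300, "com.example.speedometer", "cmd.example-c2.test", True),
    (5, "com.example.radio", "stream.example-radio.test", False),
    (400, "com.example.radio", "stream.example-radio.test", False),
    (410, "com.example.radio", "api.example-radio.test", True),
    (900, "com.example.radio", "stream.example-radio.test", False),
]

def beaconing_score(times):
    """Coefficient of variation of inter-request gaps (0.0 = perfectly periodic)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few contacts to judge periodicity
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def flag_suspicious(records, max_cv=0.2, min_background_ratio=0.8):
    """Flag (app, host) pairs contacted at regular intervals, mostly while backgrounded."""
    by_pair = defaultdict(list)
    for ts, app, host, background in records:
        by_pair[(app, host)].append((ts, background))
    flagged = {}
    for (app, host), entries in by_pair.items():
        entries.sort()
        times = [ts for ts, _ in entries]
        bg_ratio = sum(1 for _, bg in entries if bg) / len(entries)
        cv = beaconing_score(times)
        if cv is not None and cv <= max_cv and bg_ratio >= min_background_ratio:
            gaps = [b - a for a, b in zip(times, times[1:])]
            flagged[(app, host)] = {"contacts": len(entries), "interval_s": mean(gaps), "cv": cv}
    return flagged

if __name__ == "__main__":
    for (app, host), info in flag_suspicious(RECORDS).items():
        print(f"{app} -> {host}: {info}")
```

Regular beaconing alone is not proof of fraud (legitimate apps poll too), so a hit like this is a lead for inspecting what the app does with the responses, not a verdict.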

The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm.

The apps were all from AppAspect Technologies.

One example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.

iOS aims to guard against this through sandboxing. Each app gets its own private environment, so it cannot access system data or data from other apps except through processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, citing three such cases.

Wandera is the same company that warned how a Siri feature could be used to phish less technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet.
