A Windows malware worm has been found embedded in an application being distributed in Apple's App Store for iOS. The worm is a relatively low-threat malware package that will not affect the iOS or Mac OS platforms but may be harmful to those who manage the app in their iTunes accounts on Windows machines.
In a recent post to an Apple discussion forum, user "deesto" mentioned he had downloaded the free "Instaquotes Quotes Cards for Instagram" app from the iTunes store and noticed that his ClamXav antivirus program had flagged the downloaded file as containing the "Worm.VB-900" malware.
Though the warning was first suspected to be a false positive, further investigation revealed that the malware is present in the application package. App Store programs are distributed in a .ipa file format, which is a wrapper that contains the application package itself. Similar to OS X applications, the iOS app contains its executable files and other resources the program needs to run in iOS.
To test the claims in the discussion forum, I downloaded the Instaquotes package from the iTunes store and, scanning it with Symantec's free iAntivirus program, found that it contains the following two Windows executables that are flagged as being malware.
Since the downloaded .ipa file is a package, these executables could be extracted using the package manager Pacifist and then scanned more accurately. Afterward, other antimalware programs like Sophos that had initially missed the malware instantly picked it up and described it as "Mal/CoiDung-A," a worm written in Visual Basic that installs files within the Windows system directory and then modifies the Windows registry to execute the malware when the system is restarted.
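The same triage can be scripted, because an .ipa is a ZIP archive: the added example below (not part of the original report) lists any member that parses as a Windows PE executable, checking the "MZ" header and the PE signature it points to rather than trusting file extensions. The archive contents and member names are constructed for the demonstration and are not the files from the Instaquotes package.

```python
import io
import struct
import zipfile

HEAD_BYTES = 65536  # enough to cover the DOS header and the PE signature offset

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the four-byte PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_pe_members(ipa) -> list:
    """Return the names of archive members that parse as Windows PE files."""
    hits = []
    with zipfile.ZipFile(ipa) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if is_pe(member.read(HEAD_BYTES)):
                    hits.append(info.filename)
    return hits

def build_sample_ipa() -> io.BytesIO:
    """Constructed sample archive; all member names and bytes are made up."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    members = {
        "Payload/Demo.app/Demo": b"\xcf\xfa\xed\xfe" + b"\x00" * 60,  # Mach-O magic
        "Payload/Demo.app/Info.plist": b"<plist></plist>",
        "Payload/Demo.app/notes.txt": b"MZ" + b"A" * 100,  # 'MZ' text, not a PE
        "Payload/Demo.app/helper.exe": pe_stub,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name in find_pe_members(build_sample_ipa()):
        print("Windows executable inside package:", name)
```

A hit only shows that a Windows binary is present where none is expected in an iOS package; the flagged member still needs to be extracted and scanned to determine whether it is malicious.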
Copying the malware to a Windows virtual machine running the latest version of Microsoft Security Essentials resulted in the malware being immediately detected and removed from the system.
While this malware, being Windows-based, is a threat to neither the iOS platform nor Mac OS, it may be a threat to those who manage their iTunes and App Store accounts on Windows-based machines. First discovered in August 2009, the malware is relatively old and has been defined properly for most antimalware utilities, so it should be detectable if installed; however, until this situation is cleared up you might consider avoiding the Instaquotes app.
This is not the first time Apple has let malware slip into the App Store. Earlier this year Kaspersky Lab discovered an app called "Find & Call" that itself was a data-harvesting malware package. Apple cleared up the Find & Call Trojan swiftly, and hopefully will do the same with the malware embedded in this package.
UPDATE (July 24, 12:53pm): Following this report, Apple has removed the Instaquotes app from the iOS App Store, so it is no longer available for download either through iTunes or directly on an iOS device.