Advertising-Supported Apps Exposing Mobile Devices to Malware

eWeek

Normally I don’t spend a lot of time worrying about malware on my iPhone. After all, Apple supposedly screens apps to make sure they are malware-free and iOS is allegedly resistant to malware. This is probably why I was shocked and annoyed when malware arrived, leaving me with the choice of accepting it or hoping nothing bad would happen if I left it alone while I uninstalled the app.

I use the app in question, MyFitnessPal, distributed by Under Armour, several times a day. But it’s not essential to my life or my business, so uninstalling it wasn’t a big deal. I just went back to counting calories manually.

I’d been using MyFitnessPal for iOS for a couple of years because it allows me to track my food consumption easily. The app has a vast crowd-sourced database of food, and it has a bar-code scanner. Best of all, it integrates with the software for my Garmin fitness tracker, so I can track the calories used as well as the calories eaten.

Like many apps, MyFitnessPal is advertising supported, and normally the ads are unobtrusive. But then, while I was recording the bagel and coffee I had for breakfast, a dialog box opened offering just one choice, which was “OK.” Further use of the app was impossible. Closing and reopening the app didn’t change anything.

For that matter, shutting down the device didn’t change anything either. Every time I opened the app, I saw the box announcing download.prizesbook.online and telling me that I had a chance to win an iPhone 7. I knew that if I clicked on OK, my browser would be hijacked and my phone would then have malware from the site installed on my phone instantly.

So, I did what any tech journalist would do. I took screen shots. Then I tried to find a way to report a malware infection to Apple and to the app maker. Turns out, you can’t. Apple apparently does not have a means to report malware that appears on an iOS device, apparently in the belief that it can’t happen. MyFitnessPal doesn’t have any obvious means of reporting a security problem either.

Eventually, I was able to send emails to both companies reporting the malware, but it took two days for a response. Apple’s response was a form letter that provided nothing useful. Eventually the app maker provided a form for me to fill out, but nothing useful came of that, either. I was effectively stuck with the malware-infested app, unless I removed it from my phone.