An iOS game called Simply Find It, when run through BitDefender’s virus scanner, reportedly returns a positive result for Trojan.JS.iframe.BKD. This has drawn into question the effectiveness of Apple’s App Store approval process. Is this something that Apple should have caught, and is it something App Store customers should be worried about?
Macworld’s Lex Friedman explains what BitDefender encountered: Simply Find It's IPA -- iPhone application archive -- file contains an mp3 audio file which contains an HTML iframe tag in it which points to x.asom.cn. Normally an iframe might be used on a website to embed a frame that loads another page. These iframe tags can also be abused to try and load malicious code in a webpage without being noticed by users. Currently if you try to access x.asom.cn, the page is not available. Using the archive.org Wayback Machine, you can see the last time that the site hosted any content was back in July of 2010. At that time, the Chinese page just had a message telling users that its free URL forwarding service had been discontinued. Going back further in the site’s history, we can see that it used to redirect to a handful of different URLs, primarily http://126.96.36.199/jc/img/love/new.htm, which if you go to now, is a 404. It's anybody’s guess what this site ever actually hosted.
Microsoft’s Malware Protection Center page provides some additional details about the virus that BitDefender detected. The symptoms section of the page explains that antivirus alerts can be triggered by iframes in webpages, which are only a symptom of the virus, not an actual detection that the virus itself is present. This helps explain why BitDefender detected this virus in the IPA, as well as why other virus scanners didn’t detect it; it’s not actually the virus.
So we have an app, that has an mp3, that has an iframe, that loads a webpage that does not exist. I think it’s safe to say that this app poses no actual threat to anybody currently. But why did this slip through Apple’s review process? Shouldn’t they have detected this?
No. Any app can load a webpage. A webpage can’t (usually) download and run code. Exploits have been found in iOS before that allowed remote code execution from a webpage and these have been used in the past for jailbreaking. This type of exploit is fairly rare though, and no public exploits of this nature are currently known. Additionally, each iOS app runs in its own sandbox, confined to its own sort of play area. If a new exploit was discovered which allowed code execution from a webpage, it would likely require a second exploit that allowed it to break out of its sandbox in order to gain access to other data on the device. There’s no reason to believe that the Simply Find It game does or will do this.
While it’s certainly strange to see an app from that App Store return a positive result in a virus scanner, looking a little closer at things here, there’s no cause for alarm and no real reason to think Apple missed something that they should have caught. If anything, this app might suggest that this mp3 was once on a computer that had a virus that modified it. Apple’s App Store review process has always been a mystery. Apps with the ability to run unsigned code have made it into the App Store before and I’m sure they will again.
For today, however, there's no threat and no cause for additional alarm. For today, the App Store is as safe as it was yesterday.