It’s been reported that one AV product is detecting a product on the App Store as Trojan.JS.iframe.BKD. To the trained eye, this detection name can tell us something about the nature of the detection, which is fairly important before we go any further.
The first part of the detection name tells us that this is a Trojan, not a virus. So that’s good news – the detection is not saying that this is something that will try to spread on its own.
The middle part, JS.iframe, tells us the detection concerns an iframe planted via JavaScript, and the last part, BKD, is what’s referred to as the variant name. You may recall that this starts with the first variant named A and goes to Z, then starts again at AA and goes to ZZ, repeat ad nauseam. Let’s just say this is a very, very late variant, as my head starts spinning when we get past ZZ (which is something like 676, if my math is not totally off). Suffice it to say, this is a very, very common technique used by malware authors, usually for drive-by downloads.
Here’s the thing about this kind of detection – it can be really tricky, since the iframe code can be very, very small. If a researcher gets just a little too generic with such a detection, it can set off false alarms or just overly-paranoid alarms. And sometimes, as a researcher, you get samples that are incomplete, which can give you a distorted view of something that is relatively innocuous (or at least not really cause for alarm). It seems that one of these situations is probably at play here. This iMore article gives a more thorough analysis of the site the iframe points to, which has been shut down for several years.
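To make the false-alarm point concrete, here is a small added illustration (my own sketch, not code from the AV vendor or from the app): an over-generic rule that fires on any iframe at all, next to a narrower rule that only flags iframes that are both hidden (zero size or CSS-hidden) and pointing off the page’s own host, run over two constructed HTML snippets. Hostnames and snippets are made up for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a legitimate visible video embed, and a hidden
# zero-size iframe to an off-site host of the kind the post describes.
SAMPLE_LEGIT = ('<p>Watch this:</p><iframe src="https://www.youtube.com/embed/abc" '
                'width="560" height="315"></iframe>')
SAMPLE_HIDDEN = ('<p>Hello</p><iframe src="http://dead-site.invalid/x.php" '
                 'width="0" height="0" style="visibility: hidden"></iframe>')


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframes_in(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def naive_rule(html):
    """Over-generic signature: any iframe at all is a hit (many false alarms)."""
    return len(iframes_in(html)) > 0


def _is_zero(value):
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) == 0


def is_hidden(attrs):
    """Zero width/height or CSS display:none / visibility:hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_zero(attrs.get("width")) or _is_zero(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, page_host):
    """Narrower rule: hidden AND off-origin. Relative src counts as same host."""
    hits = []
    for attrs in iframes_in(html):
        host = urlparse(attrs.get("src", "")).hostname or page_host
        if is_hidden(attrs) and host != page_host:
            hits.append(attrs.get("src", ""))
    return hits
```

The naive rule flags both snippets, while the narrower rule flags only the hidden off-site one; that is exactly the trade-off between catching tiny injected iframes and drowning analysts in alerts.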
I’m not giving the app a pass, as including an invisible iframe to a site that doesn’t currently have any content is just weird. At best, it’s evidence of poor coding practices. But it’s not cause for panic or freaking out about the App Store vetting process either. I think we can all stay calm and have a nice, relaxing weekend.
Simply Find It screenshots courtesy of the App Store