Want CNET to notify you of price drops and the latest stories?

Windows malware slips into Apple's iOS App Store

It's a low-threat malware package that won't hurt iOS or MacOS but may pop Windows users who manage the app in their iTunes account.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
3 min read

A Windows malware worm has been found embedded in an application being distributed in Apple's App Store for iOS. The worm is a relatively low-threat malware package that will not affect the iOS or the MacOS platform but may be harmful to those who manage the app in their iTunes accounts on Windows machines.

In a recent post to an Apple discussion forum, user "deesto" mentioned he had downloaded the free "Instaquotes Quotes Cards for Instagram" app from the iTunes store and noticed that his ClamXav antivirus program had flagged the downloaded file as containing the "Worm.VB-900" malware.

Malware executables within an iOS application
Symantec's free iAntivirus scanner locates two Windows executables that are flagged as containing malware. Screenshot by Topher Kessler/CNET

Though the warning was first suspected to be a false positive, further investigation revealed that the malware is present in the application package. App Store programs are distributed in a .ipa file format, which is a wrapper that contains the application package itself. Similar to OS X applications, the iOS app contains its executable files and other resources the program needs to run in iOS.

To test the claims in the discussion forum, I downloaded the Instaquotes package from the iTunes store and, scanning it with Symantec's free iAntivirus program, found that it contains the following two Windows executables that are flagged as being malware.


Since the downloaded .ipa file is a package, these executables could be extracted using the package manager Pacifist, and then more accurately scanned. Aftreward, other malware programs like Sophos that initially missed detecting the malware instantly picked it up and described it as "Mal/CoiDung-A," a worm written in visual basic that installs files within the Windows system directory and then modifies the Windows registry to execute the malware when the system is restarted.

Security essentials
Microsoft Security Essentials instantly detects the executables as malware. Screenshot by Topher Kessler/CNET

Copying the malware to a Windows virtual machine running the latest version of Microsoft Security Essentials resulted in the malware being immediately detected and removed from the system.

While this malware, being Windows-based, is a threat to neither the iOS platform nor Mac OS, it may be a threat to those who manage their iTunes and App Store accounts on Windows-based machines. First discovered in August 2009, the malware is relatively old and has been defined properly for most antimalware utilities, so it should be detectable if installed; however, until this situation is cleared up you might consider avoiding the Instaquotes app.

This is not the first time Apple has let malware slip into the App Store. Earlier this year Kaspersky Lab discovered an app called "Find & Call" that itself was a data-harvesting malware package. Apple cleared up the Find & Call Trojan swiftly, and hopefully will do the same with the malware embedded in this package.

UPDATE (July 24, 12:53pm): Following this report, Apple has removed the Instaquotes app from the iOS App Store, so it is no longer available for download either through iTunes or directly on an iOS device.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.