Normally I don’t spend a lot of time worrying about malware on my iPhone. After all, Apple supposedly screens apps to make sure they are malware-free and iOS is allegedly resistant to malware.
This is probably why I was shocked and annoyed when malware arrived, leaving me with the choice of accepting it or hoping nothing bad would happen if I left it alone while I uninstalled the app.
I use the app in question, MyFitnessPal distributed by Under Armour, several times a day. But it’s not essential to my life or my business, so uninstalling it wasn’t a big deal. I just went back to counting calories manually.
I’d been using the MyFitnessPal for iOS for a couple of years because it allows me to track my food consumption easily. The app has a vast crowd-sourced database of food, and it has a bar-code scanner. Best of all, it integrates with the software for my Garmin fitness tracker, so I can track the calories used as well as the calories eaten.
Like many apps, MyFitnessPal is advertising supported, and normally the ads are unobtrusive. But then, while I was recording the bagel and coffee I had for breakfast, a dialog box opened offering just one choice, which was “OK.” Further use of the app was impossible. Closing and reopening the app didn’t change anything.
For that matter, shutting down the device didn’t change anything either. Every time I opened the app, I saw the box announcing download.prizesbook.online and telling me that I had a chance to win an iPhone 7. I knew that if I clicked on OK, my browser would be hijacked and my phone would then have malware from the site installed on my phone instantly.
So, I did what any tech journalist would do. I took screen shots. Then I tried to find a way to report a malware infection to Apple and to the app maker. Turns out, you can’t. Apple apparently does not have a means to report malware that appears on an iOS device, apparently in the belief that it can’t happen. MyFitnessPal doesn’t have any obvious means of reporting a security problem either.
Eventually, I was able to send emails to both companies reporting the malware, but it took two days for a response. Apple’s response was a form letter that provided nothing useful. Eventually the app maker provided a form for me to fill out, but nothing useful came of that, either. I was effectively stuck with the malware infested app, unless I removed it from my phone.
What happened was that MyFitnessPal uses what’s called “remnant ad inventory” to deal with excess ad capacity. “To address your question, this specific ad is being served to you through remnant ad inventory,” an Under Armor spokesperson told me. “We have seen similar instances in the past but in most cases users are able to navigate back to the app and nothing is downloaded to the phone,” the spokesperson said.
This means is that the app vendor was aware of the security hole in their software, but chose to do nothing about it thinking it wasn’t a big deal. However, the ability to hijack the app is apparently something new. Fortunately the MyFitnessPal folks did take some action.
“When these ads are reported, we act quickly to both identify the source and work with our remnant ad partners to block the ad from being served again,” the spokesperson said. “We have also implemented a secondary ad scanning solution to help address this situation and remove any malicious ads.”
So it appears that the MyFitnessPal app is being protected by some sort of security software, but we’ll see how effective it is.
On June 1 Under Armour issued a formal statement to eWEEK about its efforts to protect mobile device users from malware-infected ads.
“Under Armour is committed to providing the best consumer experience possible. We use automated solutions to monitor and prevent questionable ads from being published and work with our publishing partners to screen ads before being served. We take these matters very seriously and immediately address all feedback regarding these types of ads.”
However, this problem is common throughout the ad-supported app industry. App vendors set up an automated process to get ads and then serve them to users. Since it’s totally automated, there’s little if any oversight. Whatever shows up through the ad network is what gets served, with little to no supervision.
While Under Armour and MyFitnessPal have clearly known about these malware laden ads, until now they haven’t done anything about them. Apparently, the fact that in the past they could be bypassed meant that they weren’t taken seriously. But this hands-off policy didn’t consider app users who didn’t know how to bypass the malware or who thought it was somehow part of MyFitnessPal.
As bad as the lack of security awareness may be at Under Armour, they are not alone. Other ad-supported software, including iOS and Android apps, but also including apps for Windows and Macintosh computers are vulnerable to this type of attack.
While users with sufficiently advanced anti-malware protection will catch these attacks before they cause damage, it shouldn’t be left up to customers to find ways to defend themselves against the app vendor’s ad network.
In this instance, it appears that Under Armour took the necessary steps to fix the problem, although it should have been done when it was first noticed. But that’s just one app provider. What about the rest of the ad-supported industry? Is anyone else taking this threat seriously?
EDITOR’S NOTE: This article was updated to correct the spelling of Under Armour’s corporate name and to add a new statement from the company asserting its commitment to protecting consumers from “questionable” advertisements.