French web site Mac4Ever is reporting that a flaw in the iPhone allows apps installed on the device to recover the device’s telephone number. Apparently, a number of iPhone user in Europe received phone calls from a company after downloading an app from the iTunes Store. When they asked the company calling how they had gotten the phone numbers, they were told that Apple gave it to them. Since this is unlikely, a developer made a proof of concept app for the iPhone that recover’s the devices phone number. Using this flaw, any developer could harvest the phone numbers of people who have downloaded their apps.
One app that is accused of doing this is a Swiss traffic app called mogoRoad. Mac4Ever says that a few weeks after installing this free app, people received calls trying to sell them a paid version of the program. Comments on the iTunes Store for this application, dating back to June, mention that people have gotten calls from the company. Mac4Ever says that the ability to harvest phone numbers goes back at least to iPhone OS 2.1, so this company has probably been using this procedure for some time.
It turns out, however, that this is not new; one of our contacts said that this has existed since the beginning of the iPhone. (ArsTechnica published an article about this in January.) It seems that Apple has decided to allow this possibility. And it is important to point out that any Mac OS X application can get this information as well, simply by recovering it from your Address Book using a standard API.
While it seems that Apple should have some way of allowing or blocking access to an iPhone’s phone number, we don’t see this as a serious security risk. No more so, at least, than a phone company selling numbers that are used for robo-calls. However, the fact that users are not aware of this possibility is certainly annoying; just as there is an option in the iPhone OS to turn off location services, there should be an option to block access to a phone number.
More news from the VB2009 conference. A malware researcher made a presentation describing how a Russian network of “spam and malware affiliates” were actively seeking people to infect Macs. Reporting on threatpost, Ryan Naraine says that this network was, “offering $0.43 for each malicious install, a price tag that suggests the Mac platform is becoming more and more lucrative to online crime gangs.”
While this is a pittance, an effective campaign of using Trojan horses to infect Macs could easily net tens of thousands of computers. This price could interest people in certain countries where the cost of living is much lower than in the West. And, after all, it’s not that hard to set up a web site with these Trojan horses; the hard part is luring Mac users to them, and getting them to install the malware.
Intego’s people attending the VB2009 conference are too busy to be able to blog about their activities, but Malware Diaries gives a brief mention of some Mac OS X material presented at the conference. Blogger Jerome Segura discusses meeting some of Intego’s team, and discusses a couple of presentations regarding malware and Mac OS X.
A later post on the same blog talks about some of the extra-curricular activities at the conference.
We’ll have more about the conference next week, when we’ll try and write up a summary of its Mac-centric content.
Apple recently released iTunes 9, the latest version of their music juke-box and media store software. The company has issued a maintenance release, iTunes 9.0.1, to fix a handful of bugs in the program, and has profited by this release by including a security fix. This fix patches an issue where, “opening a maliciously crafted .pls file may lead to an unexpected application termination or arbitrary code execution.” Users can download the update via Software Update, or from Apple’s iTunes download page.
Here’s an interesting Snow Leopard bug. It turns out that a number of Mac users have found that their home folders have disappeared after logging in, on their Macs, with the Guest account. (The Guest account is a special account, activated in the Accounts preferences, whereby a user can log in with no password, and, at log-out, all their data is deleted. It’s great for one-time logins.) This has happened to people who turned on the Guest account option under Leopard; there’s something wrong with the way Snow Leopard transfers this setting to the new version of the OS. It turns out that the data is not actually lost, but can be recovered. CNet reports that there’s a way to get this data back.
The procedure is a bit complicated, and requires messing around with some of the more advanced settings in the Accounts preferences. While this is certainly feasible, it’s best to take preventive measures: if you’ve got the Guest account set up, disable it and re-enable it. (We’d recommend disabling the account, rebooting, then enabling, just to be safe.)
Of course, you should always make sure that you’ve got a current backup of your home folder, and any other important documents. You should also have a clone of your startup volume, just in case you have any serious problems, so you can instantly boot your Mac from your clone. You can do this, naturally, with Intego Personal Backup, which, in addition to performing backups and clones, can also synchronize folders, and can perform all its operations automatically, according to schedules you set up.
Some of Intego’s team are packing their bags for a few days in the fine Swiss city of Geneva. From Wednesday to Friday is the VB2009 malware conference, organized by Virus Bulletin, a trade publication for the security industry. All the major players will be attending the many conferences, and hob-nobbing with their counterparts from other security companies from around the world, sharing our experience and expertise. While there won’t be much time to visit the beautiful city of Geneva, Intego’s security experts will certainly sharing their know-how with others to help the broader security community continue fighting malware and security threats on Macs.