Hackers are targeting iPad users with bogus update messages that dupe them into downloading malicious code onto their Windows PCs, according to security researchers.
The messages claim that a recent update to iTunes has been released for the iPad, according to Romanian security company BitDefender. “It is very important to keep the software on your iPad updated for best performance, newer features and security,” the message reads. “To get the latest version of iTunes software, please go to … and install the application.”
The link in the message leads to a copycat of the legitimate iTunes download site, where users are asked to approve the download of a file dubbed “itunessetup.exe.”
The file masquerading as the iTunes update is actually a Trojan horse that injects code into Windows’“explorer.exe” process and opens a backdoor for hackers, who then use that entrance to add more malware to the PC. The “Backdoor.Bifrose.AADY” Trojan also tries to snatch activation keys from various programs on the hacked machine and steals passwords for instant messaging clients and e-mail accounts.
Apple last refreshed the Windows and Mac software on 30 March, when it updated iTunes to version 9.1; it is yet to release an update for the iPad.
“The trick is pretty simple,” said Catalin Cosoi, senior antivirus and malware researcher for BitDefender. “When you have the iPad, you do expect to receive messages, maybe not e-mail, but messages of some sort [from Apple] that ‘We have finished an update, you have to get this update,’” Cosoi added. “They’re clever to do it this way.”
But because Mac users are not vulnerable to the attack, even if they head to the bogus iTunes download site, the impact of the malware-planting campaign will likely be low, Cosoi said. “If they were able to target Mac customers, it would have spread like wildfire, but because most antivirus companies detect this [Trojan], it’s aimed at Windows users who have bought an iPad and who also don’t run a security product.”
Cosoi was unable to quantify the extent of the spam campaign, but speculated that if it mimicked others, it would be large and of short duration to trick as many people in the relatively small pool of possible victims as possible before the news got out.
Previously, Apple said it had sold more than half-a-million iPads in the first week of availability, although that number included all pre-orders of the Wi-Fi-only models, which were delivered to customers April 3. However, other estimates, including one by Chitika Research, now put iPad sales above the one million mark .
Chitika Research calculates its iPad estimates by tracking unique iPad IP addresses accessing its ad network, then multiplies that by the percentage of the Internet that the network sees at any given time. The company has recalculated its estimates several times this month, each time lowering the number of iPads it believes have been sold.
BitDefender’s Cosoi urged Windows users to download iTunes updates only from Apple’s own site by steering their browsers manually to apple.com.au.