UPDATED: Is The iPhone’s Push System Vulnerable To Spam, Malware Popups?
12:09 pm, August 21st, 2009, Leander Kahney
UPDATE: This now looks like a Javascript alert buried on a webpage, not a push notification. See below.
The iPhone’s Push notification system may be vulnerable to spam and malware popups.
CoM reader NyxoLyno Cangemi was using NetNewsWire RSS reader on his iPhone when what appears to be a push notification for anti-virus software popped up. See the screenshot above.
The popup message says his computer has “vulnerabilities and threats” and needs an immediate virus scan.
The popup is a notorious “rogue anti-virus” message, designed to trick naive websurfers into surrendering credit card details to fake anti-virus vendors. The unsuspecting websurfer see the message, follows the link and buys fake anti-virus software that steals their credit card number and installs malware.
The website URL in the iPhone popup points to a known rogue site, safeonlinescanv4.com, according to security firm MacAfee’s SiteAdvisor service.
The iPhone 3.0’s push notifications allow messages or alerts to be pushed to the user — incoming IM messages or new e-mails, for example. Apple billed the system as an alternative to battery-draining background processes. NetNewsWire for the iPhone does not offer push notifications. I’ve contacted the developer, NewsGator Technologies, for comment.
Have spammers and spyware frauds found a way to spam iPhones using push notifications? Anyone else seen this?
UPDATE: I asked CoM reader Cangemi what he was doing when the message popped up. Cangemi says he was browsing a folder of links, not any particular site, which was showing a list of headlines from his Sirius radio RSS folder. “I was scrolling through the list at the time it happened, which leads me to believe it was a push notification and could have occurred no matter what I was doing,” he says. In the comments, reader Matt J. reports he got a similar popup while using Safari, which again suggests push.
NewsGator Technologies forwarded an email from NetNewsWire’s lead developer, who also says it looks like a push notification.
He says: “I haven’t seen this before. NetNewsWire doesn’t use the push notification system. But other apps do, and a notification can appear in front of any other app. So I have no way of knowing where this notification came from. Another possibility is that he’d gone to a web page in NetNewsWire that has a JavaScript alert that put up that popup. It would be great to know exactly what pages he’d visited, but I realize it’s hard to find out after-the-fact.”
As Cangemi says, he wasn’t visiting a particular page, but browsing a folder of links. So it looks like push notification is the culprit.
UPDATE 2: In the comments readers Michael Weisman and DerekS say it’s more likely a Javascript alert dialog. “The default buttons on a push notification are ‘Cancel’ and ‘View’ where ‘View’ would launch the pushed-app,” notes DerekS.
“NetNewsWire has an integrated browser for reading stories,” notes Weisman. “This probably was designed to come up when the user navigates away from a page, so it popped up after the user went back to the story list. Also, the push notification system has a ton of security. The whole thing is encrypted, and the user needs to approve an app before it will even send them. There is no way for an app to send malicious notifications without your approval.”
Posted by Leander Kahney in News, Top stories, iPhone | Comment on this article
If you enjoyed this article:
Subscribe via RSS or email, or follow us on Facebook and Twitter
You sure that the feed you were reading didn’t have an ad in it? Could of been a carefully crafted URL for a JS alert box.
Thoughts???
Ricahrd, on August 21st, 2009 at 12:49 pm
Yeah, I actually did see that message pop up for me last night! But I was surfing the web using Safari and searching using Google. I can’t remember what site exactly it was but I know I saw it. But I’m much more surprised to see that this popped up using NetNewsWire. I kinda brushed it aside because I WAS using Safari which is a standard web browser but if someone got this message using an Application, that makes me a little more worried…
Matt j.
Matt Janssen, on August 21st, 2009 at 1:13 pm
This is not a push notification.
1. Push notifications to an app do not fire when the app is running.
2. The default buttons on a push notification are “Cancel” and “View” where “View” would launch the pushed-app.
This is most likely a javascript alert buried in the content.
DerekS, on August 21st, 2009 at 1:22 pm
Pretty sure that’s a javascript alert dialog, NOT a push notification. NetNewsWire has an integrated browser for reading stories. This probably was designed to come up when the user navigates away from a page, so it popped up after the user went back to the story list.
Also, the push notification system has a ton of security. The whole thing is encrypted, and the user needs to approve an app before it will even send them. There is no way for an app to send malicious notifications without your approval.
Michael Weisman, on August 21st, 2009 at 1:25 pm
It is NOT a push, and here’s one more reason why.
Push notifications bear the name of the application in the title of the messagebox. And clicking OK would launch said application.
DerekS, on August 21st, 2009 at 1:56 pm
Richard is likely right. I used to have google adsense and had it on some feeds on a website and got an ad like that coming up for folks all the time. well, until I went and banned that advertiser.
Lucas, on August 22nd, 2009 at 7:30 pm
[...] buvo paplitęs gandas, kad per informacijos transliacijos (Push) mechanizmą iPhone telefonuose neva gali sklisti virusai ar kitos kenkėjiškos programos. Netrukus paaiškėjo, kad tai pokštas, bet žmonėms, manau, kyla klausimas dėl Push kanalo [...]
iPhone su HD video ir Push kenkėjų grėsmė | manofonas, on August 24th, 2009 at 9:35 am
Not to mention it looks like the image is a jailbroken phone. If the SB settings are geared for a faker program to trick safari into acting as a desktop version, you get JS pop ups just like on your Mac. SBS has a add on program for UA faker that doesn’t allow pop ups. Kinda the nifty package.
Unknown Apple, on August 26th, 2009 at 11:57 am