UPDATE: This now looks like a Javascript alert buried on a webpage, not a push notification. See below.
The iPhone’s Push notification system may be vulnerable to spam and malware popups.
CoM reader NyxoLyno Cangemi was using NetNewsWire RSS reader on his iPhone when what appears to be a push notification for anti-virus software popped up. See the screenshot above.
The popup message says his computer has “vulnerabilities and threats” and needs an immediate virus scan.
The popup is a notorious “rogue anti-virus” message, designed to trick naive websurfers into surrendering credit card details to fake anti-virus vendors. The unsuspecting websurfer see the message, follows the link and buys fake anti-virus software that steals their credit card number and installs malware.
The website URL in the iPhone popup points to a known rogue site, safeonlinescanv4.com, according to security firm MacAfee’s SiteAdvisor service.
The iPhone 3.0’s push notifications allow messages or alerts to be pushed to the user — incoming IM messages or new e-mails, for example. Apple billed the system as an alternative to battery-draining background processes. NetNewsWire for the iPhone does not offer push notifications. I’ve contacted the developer, NewsGator Technologies, for comment.
Have spammers and spyware frauds found a way to spam iPhones using push notifications? Anyone else seen this?
UPDATE: I asked CoM reader Cangemi what he was doing when the message popped up. Cangemi says he was browsing a folder of links, not any particular site, which was showing a list of headlines from his Sirius radio RSS folder. “I was scrolling through the list at the time it happened, which leads me to believe it was a push notification and could have occurred no matter what I was doing,” he says. In the comments, reader Matt J. reports he got a similar popup while using Safari, which again suggests push.
NewsGator Technologies forwarded an email from NetNewsWire’s lead developer, who also says it looks like a push notification.
He says: “I haven’t seen this before. NetNewsWire doesn’t use the push notification system. But other apps do, and a notification can appear in front of any other app. So I have no way of knowing where this notification came from. Another possibility is that he’d gone to a web page in NetNewsWire that has a JavaScript alert that put up that popup. It would be great to know exactly what pages he’d visited, but I realize it’s hard to find out after-the-fact.”
As Cangemi says, he wasn’t visiting a particular page, but browsing a folder of links. So it looks like push notification is the culprit.
UPDATE 2: In the comments readers Michael Weisman and DerekS say it’s more likely a Javascript alert dialog. “The default buttons on a push notification are ‘Cancel’ and ‘View’ where ‘View’ would launch the pushed-app,” notes DerekS.
“NetNewsWire has an integrated browser for reading stories,” notes Weisman. “This probably was designed to come up when the user navigates away from a page, so it popped up after the user went back to the story list. Also, the push notification system has a ton of security. The whole thing is encrypted, and the user needs to approve an app before it will even send them. There is no way for an app to send malicious notifications without your approval.”
