Evidence of the Unreasonable Effectiveness of Malware
May 11, 2021
I read “The Fortnite Trial Is Exposing Details About the Biggest iPhone Hack on Record.” I am less interested in the dust-up between two giant commercial enterprises than the attempt Apple has made and seems to be making to cope with malware. The write-up states:
Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.
The data are stale, dating from 2015. Perhaps more current information will emerge. Maybe there will be a chart or two, showing Apple’s progress in fighting malware. There were 4,000 malware-delivering or malware-infused apps. I don’t know. Details are scarce.
The write-up points out:
Apple has always had a good reputation in terms of security. But the company has been reluctant to speak publicly and candidly about specific security incidents. So these emails, which were only released because of discovery in the Epic v. Apple Fortnite trial, are an interesting peek behind the curtain that show a fuller extent of the damage from this hack as well as specifics about how the company handled the hack’s fallout in real time.
Another item of interest was:
Apple also disclosed the apps that included the malicious code, some incredibly popular such as WeChat and the Chinese version of Angry Birds 2.
Some thoughts which crossed my mind.
- There is zero doubt in my mind that these disclosed items of data will encourage and strengthen bad actors’ confidence in the use of malware. It works.
- Apple appears to be trying to deal with malware, but these allegedly accurate factoids indicate that it has not been as successful as some individuals believed. Apple tried and failed, which provides a signal that a well-funded, well-intentioned outfit can be exploited.
- Malware is the Achilles’ heel for computer users. Apple’s billions cannot prevent clever bad actors from gaining access to devices.
- Data like these bolster comments about American online users’ loss of trust in their ISPs. (See, for example, “Study Shows Two-Thirds of Americans Don’t Trust Their Internet Service Providers.”)
Net net: Malware is unreasonably effective in compromising security. Does this mean that cyber security systems are failing? I would offer this observation, “Sure looks like it in the first-degree burns left behind by SolarWinds, Microsoft Exchange Server, et al.”
Stephen E Arnold, May 11, 2021