  1. #1 DobermanTech (Newbie, joined Jul 2019, TX, 7 posts)

    Is there really a virus in the Apple App Store?

    When updating apps on an iPhone, I occasionally get the notification pasted below. Is this something to worry about or is something else going on?

    Thanks in advance


    The following event occurred on the Untangle Server @ 2019-07-11 18:55:42.87

    HTTP virus blocked:
    Virus Blocker Lite found virus [Ios.Trojan.FakeTelegram-6736161-0(8b33167fd0f3374c823b0ae7b09924e4:97903196)]
    {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple113/v4/56/0f/7f/560f7ff4-7c5e-fffb-0254-4f8d72d46813/mzps.5751898295970274213.ipa?accessKey=1562966797_3283085085717157319_%2FtrpmwmPUue9uE3N6zGDJe3ZNsV1Hg5Nznx2O2gTPbkr5ad1fJ32y9UE7%2FewRrldWmHpb8QltJJCg6ntOL0EVJC0Rj63JzNUB%2FbgjnCPyeSWT8L2z8dsXREuukIao1ZW3g2Sc23v%2F3zzcnZ46XpuzTKN0DrlG9bBaabHKnyXlMhvPOtvKNXDt0ji9Ap%2FD5W0

    Causal Event: VirusHttpEvent
    {
    "timeStamp": "2019-07-11 18:55:42.87",
    "virusName": "Ios.Trojan.FakeTelegram-6736161-0(8b33167fd0f3374c823b0ae7b09924e4:97903196)",
    "appName": "virus_blocker_lite",
    "requestLine": "GET {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple113/v4/56/0f/7f/560f7ff4-7c5e-fffb-0254-4f8d72d46813/mzps.5751898295970274213.ipa?accessKey=1562966797_3283085085717157319_%2FtrpmwmPUue9uE3N6zGDJe3ZNsV1Hg5Nznx2O2gTPbkr5ad1fJ32y9UE7%2FewRrldWmHpb8QltJJCg6ntOL0EVJC0Rj63JzNUB%2FbgjnCPyeSWT8L2z8dsXREuukIao1ZW3g2Sc23v%2F3zzcnZ46XpuzTKN0DrlG9bBaabHKnyXlMhvPOtvKNXDt0ji9Ap%2FD5W0",
    "clean": false,
    "sessionEvent": {
    "entitled": true,
    "hostname": "removed",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 32.7787,
    "localAddr": "/removed",
    "SServerAddr": "/17.253.3.205",
    "remoteAddr": "/17.253.3.205",
    "serverIntf": 201,
    "CClientAddr": "/removed",
    "serverCountry": "US",
    "sessionId": 102356021027952,
    "SClientAddr": "/10.183.0.42",
    "clientCountry": "XL",
    "CClientPort": 56300,
    "policyRuleId": 0,
    "timeStamp": "2019-07-11 18:55:42.844",
    "serverLongitude": -96.8217,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": 18841,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/17.253.3.205",
    "tagsString": ""
    }
    }
    This is an automated message sent because the event matched the configured Event Rules.

  2. #2 DobermanTech (Newbie, joined Jul 2019, TX, 7 posts)

    Here’s another example. In the Apple App Store the “virus” is the Yelp app. Is this a false positive? Any advice or information is appreciated.


    The following event occurred on the Untangle Server @ 2019-07-19 20:37:11.015

    HTTP virus blocked:
    Virus Blocker Lite found virus [Ios.Trojan.FakeTelegram-6736161-0(4bc5ddc5fb21f68029478e08b5de124f:104857600)] {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple123/v4/9e/cc/1b/9ecc1b47-d878-47d3-6f5d-36fab3bcf7f0/pre-thinned6074452400923972366.thinned.signed.dpkg.ipa?accessKey=1563781029_5662997473619334732_OYJ7gqHIJd2uR10T1TlDImj%2BDhPvoS1DgcX%2FuIb1dsJfUNQVgl5SEIyA8t5SAxydopdUPszCOYmUy7FwAFyX1vlgk1pBqpT6GfpobV8yE823HF3fqiR95QEq%2FiJm9KIWQsC2b9rvpjHMQ11Dnb%2FuKuh44%2Fn6zk%2BnT6Xzcn3IJIPUqQWuG6bknPJQpO6T5y8dz93y6Iat1Jnc9SEyK3B1Sw%3D%3D

    Causal Event: VirusHttpEvent
    {
    "timeStamp": "2019-07-19 20:37:11.015",
    "virusName": "Ios.Trojan.FakeTelegram-6736161-0(4bc5ddc5fb21f68029478e08b5de124f:104857600)",
    "appName": "virus_blocker_lite",
    "requestLine": "GET {url prefix http removed since I don't have 5 posts yet}://iosapps.itunes.apple.com/itunes-assets/Purple123/v4/9e/cc/1b/9ecc1b47-d878-47d3-6f5d-36fab3bcf7f0/pre-thinned6074452400923972366.thinned.signed.dpkg.ipa?accessKey=1563781029_5662997473619334732_OYJ7gqHIJd2uR10T1TlDImj%2BDhPvoS1DgcX%2FuIb1dsJfUNQVgl5SEIyA8t5SAxydopdUPszCOYmUy7FwAFyX1vlgk1pBqpT6GfpobV8yE823HF3fqiR95QEq%2FiJm9KIWQsC2b9rvpjHMQ11Dnb%2FuKuh44%2Fn6zk%2BnT6Xzcn3IJIPUqQWuG6bknPJQpO6T5y8dz93y6Iat1Jnc9SEyK3B1Sw%3D%3D",
    "clean": false,
    "sessionEvent": {
    "entitled": true,
    "hostname": "Removed",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 32.7787,
    "localAddr": "/removed",
    "SServerAddr": "/17.253.3.203",
    "remoteAddr": "/17.253.3.203",
    "serverIntf": 201,
    "CClientAddr": "/removed",
    "serverCountry": "US",
    "sessionId": 102356021709589,
    "SClientAddr": "/10.125.0.122",
    "clientCountry": "XL",
    "CClientPort": 51720,
    "policyRuleId": 0,
    "timeStamp": "2019-07-19 20:37:10.988",
    "serverLongitude": -96.8217,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": 49916,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/17.253.3.203",
    "tagsString": ""
    }
    }

    This is an automated message sent because the event matched the configured Event Rules.

  3. #3 Sam Graf (Master Untangler, joined Feb 2016, Michigan, 672 posts)

    Hi, and welcome to the forums.

    The open source detection engine behind Virus Blocker Lite has been known to provide some false positives. Obviously it's not an apples to apples comparison—or, rather, apps to apps—but I'm not seeing virus detections under Virus Blocker when updating Apple devices.

    So I can't assure you that you're seeing false positives, but that could be the case.
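One way to triage alerts like the two above before deciding whether to trust the detection, as an added example that is not Untangle's own code: it parses the Causal Event JSON, splits the signature name from the (hash:size) pair the engine reports, and checks whether the blocked download is an .ipa package from Apple's app CDN. The trusted-host list, the shortened URL and the verdict wording are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the "Causal Event" block posted above
# (the URL and access key are shortened placeholders, not the real values).
SAMPLE_EVENT = json.loads("""{
  "timeStamp": "2019-07-19 20:37:11.015",
  "virusName": "Ios.Trojan.FakeTelegram-6736161-0(4bc5ddc5fb21f68029478e08b5de124f:104857600)",
  "appName": "virus_blocker_lite",
  "requestLine": "GET http://iosapps.itunes.apple.com/itunes-assets/Purple123/v4/example.ipa?accessKey=REDACTED",
  "clean": false,
  "sessionEvent": {"serverCountry": "US", "SServerAddr": "/17.253.3.203", "CServerPort": 80}
}""")

# Hosts that legitimately serve iOS app binaries (assumed list; extend it from your own logs).
TRUSTED_APP_CDN = {"iosapps.itunes.apple.com"}

# "Family-123-0(md5:size)" as seen in the alerts; hash and size are optional.
SIG_RE = re.compile(r"^(?P<name>[^(]+)\((?P<hash>[0-9a-f]{32}):(?P<size>\d+)\)$")


def parse_signature(virus_name):
    """Split the reported detection into name, MD5 and size (None when absent)."""
    m = SIG_RE.match(virus_name)
    if not m:
        return {"name": virus_name, "hash": None, "size": None}
    return {"name": m.group("name"), "hash": m.group("hash"), "size": int(m.group("size"))}


def triage(event):
    """Return (verdict, supporting facts) for one VirusHttpEvent."""
    method, url = event["requestLine"].split()[:2]
    parts = urlsplit(url)
    sig = parse_signature(event["virusName"])
    facts = {
        "host": parts.hostname,
        "path": parts.path,
        "trusted_host": parts.hostname in TRUSTED_APP_CDN,
        "is_ipa": parts.path.endswith(".ipa"),
        "sig": sig,
        # 104857600 is exactly 100 MiB; a size that round looks like a scan
        # size cap rather than the real package size (observation, not confirmed).
        "size_is_round_mib": sig["size"] is not None and sig["size"] % (1024 * 1024) == 0,
    }
    if facts["trusted_host"] and facts["is_ipa"]:
        verdict = "likely false positive: app package from Apple's CDN; report hash to engine vendor"
    else:
        verdict = "investigate: download did not come from a trusted app source"
    return verdict, facts
```

Feed each alert's JSON to triage() and keep the hash/size pair with the ticket so the same signature hit can be correlated across future alerts.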

  4. #4 DobermanTech (Newbie, joined Jul 2019, TX, 7 posts)

    Thanks Sam for the reply. It does seem to happen randomly and not all that often, so I’ll leave everything as is for now and continue to monitor.

  5. #5 Sam Graf (Master Untangler, joined Feb 2016, Michigan, 672 posts)

    That seems reasonable.

    I'm wondering if you could use Web Monitor (if you're trying to stick with the free product) as a parallel, separate check. I know some Untangle users rely solely on Web Filter for perimeter virus protection. Web Monitor, as I understand it, lacks the protection features of Web Filter but will log violations, just as Web Filter would.
