A popular iOS package tracking app secretly uses a device’s data and processing power as part of a botnet scheme, according to a new report.
The app, “Parcels — Track Your Packages” was first brought to light by developer and 9to5Mac writer Guilherme Rambo. It carries a 4.7-star rating in the App Store and was created by Russian developer Pavel Tisunov.
It’s worth noting that this app should not be confused with the Parcel app, which is highly rated and doesn’t appear to partake in any malicious activities.
Rambo notes that “Parcels — Track Your Packages” begins sending requests to the server immediately after being opened, even if there aren’t any registered packages to track.
But the tricky part happens after that. The server then begins sending back information to the app about packages being tracked by other users. That includes a tracking number, courier details, and other information.
The Parcels app on a specific device will then carry out the tracking itself, sending a request to the courier API or website and relaying the results it gets back to the Parcels servers.
As Rambo points out, “instead of running the work of tracking packages server-side, the app is leveraging the bandwidth, energy and processing power of its users” to carry out its primary task. This is all happening without a user’s consent or even their knowledge.
In other words, the app adds a user’s device to what’s commonly referred to as a botnet.
Botnets are networks of compromised computers that work together as a group to perform various tasks, typically malware- or spam-related.
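One way to substantiate the behaviour Rambo describes from the device side, as an added example that is not part of the original report or the app's code: log the app's outbound requests through an intercepting proxy and compare the tracking numbers it looks up against the packages registered on that device. Any courier lookup for an unregistered number is work performed on another user's behalf. Hostnames, URL layouts and tracking numbers below are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of the app's outbound requests, as an intercepting proxy on a
# test device would log them (hypothetical hostnames and tracking numbers).
CAPTURED_REQUESTS = [
    "GET https://api.parcels.example/jobs?device=abc123",
    "GET https://track.courier-a.example/api/v1/shipments/1Z999AA10123456784",
    "GET https://courier-b.example/tracking?number=RR123456789CN",
    "GET https://courier-b.example/tracking?number=RR987654321CN",
]

# Packages the user actually registered in the app on this device (constructed).
LOCAL_PACKAGES = {"RR123456789CN"}

# Courier endpoints whose requests count as package lookups (constructed).
COURIER_HOSTS = {"track.courier-a.example", "courier-b.example"}

# Loose shape of a carrier tracking number: 10 to 22 upper-case alphanumerics.
TRACKING_RE = re.compile(r"[A-Z0-9]{10,22}")


def extract_tracking_number(url):
    """Return the tracking number in a courier request URL, or None.
    Path segments are checked first, then query values, so both REST-style and
    ?number= style endpoints are covered."""
    parsed = urlparse(url)
    candidates = [seg for seg in parsed.path.split("/") if seg]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    for candidate in candidates:
        if TRACKING_RE.fullmatch(candidate):
            return candidate
    return None


def find_foreign_lookups(requests, local_packages, courier_hosts):
    """Tracking numbers this device looked up but was never asked to track.
    Each hit is a courier request made for some other user, which is the
    client-side work distribution the report describes."""
    foreign = []
    for line in requests:
        _method, url = line.split(" ", 1)
        if urlparse(url).hostname not in courier_hosts:
            continue  # traffic to the app's own backend, not a courier lookup
        number = extract_tracking_number(url)
        if number and number not in local_packages:
            foreign.append(number)
    return foreign
```

On a device with a single registered package, an empty result is what an honest tracking app should produce; every entry in the list is a lookup the user never requested.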
Rambo points out that the developer likely utilizes this tactic to get around rate-limiting mechanisms used by API vendors. The app also relies on website scraping to get its package data — a practice that isn’t allowed by many websites.
Worryingly, the app could also be used for more nefarious purposes, especially if it gets more popular. Its botnet could be turned to DDoS campaigns, and because the app applies no security mechanisms to the data it receives, it is exposed to man-in-the-middle attacks.
Of course, it also compromises the privacy of users who are actually having their packages tracked, since those tracking numbers are readily available to any of the app’s users who have a bit of technical know-how.
But even without those privacy or security concerns, Parcels violates Apple’s App Store Review Guidelines by running an unrelated background process. The relevant restriction is located in section 2.4.2 of the App Store guidelines.
Rambo notes that he reported the app to Apple, so it’s likely that it will be pulled in the near future.