Massive iOS Security Flaw Puts Users at Risk, Hijacks iPhone Communications
Hackers have discovered how to use apps from the top charts of the App Store including WhatsApp, Facebook, Viber, and Skype to steal user data. Bypassing the security mechanism employed by Apple, hackers made sure that a user trusts a malicious app and downloads it, enabling attackers to steal the data silently.
The masque attack hijacks communications, steals data
After the leak of Hacking Team’s internal data in June, security researchers have been busy trying to find out what techniques the team used in its endeavors to hack and spy on its targets. The group has served an elite clientele consisting of government departments and law enforcement agencies, including the notorious US Federal Bureau of Investigation (FBI). The latest information reveals that the iOS vulnerability helped hackers steal data by persuading iPhone users to install malicious apps on their smartphones without their knowledge.
These aren’t the real apps of the services mentioned above but bogus clones replicating the authentic look of the originals. Once installed, the apps perform exactly like the real thing but are controlled by hackers, giving them all the data from the user’s iPhone (check the image below to see how a repackaged Facebook app demanded all sorts of permissions). As mentioned above, the bogus apps include malware versions of some top chart apps like Facebook, Twitter and more. Hacking Team modified these apps, which are used and trusted by millions of users, making the clones look like the official apps while stealing data in the background. The modified apps used a “masque” attack technique, which allowed them to install a modified app over the top of the official version by prompting the user to install the bogus app.
According to FireEye, the security firm responsible for this discovery, a library injected into the modified apps could steal:
- Photos
- Contact information
- Voice call recordings in Skype, Viber and other services
- Intercepted text messages in Skype, WhatsApp, etc.
- Phone calls
- SMS / iMessage content
- Chrome web history
- Precise GPS coordinates
- Login credentials, and much more
It’s almost like putting your entire data and online life in the hands of the hackers, which makes the service quite useful to the clients, whoever they may have been in this particular case.
This spying method was first discovered by FireEye and reported to Apple last year, and it was patched in iOS 8.1.3. However, it is only today that we are hearing of this technique being widely used by the hackers before the patch arrived. While the patch stopped apps from overwriting others, attackers can still modify the bundle identifiers and install these apps alongside the official apps, tricking users into installing them outside of the App Store.
Bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app.
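The two variants described above (a clone reusing the official bundle identifier, and a clone with a unique identifier installed alongside the real app) can be checked for in a device app inventory. The following is an added example, not code from the article or from FireEye; the inventory fields (`name`, `bundle_id`, `source`) and the allowlist entries are assumptions to replace with your own MDM export and verified records.

```python
import unicodedata

# Assumed allowlist: display name -> official bundle identifier.
# Verify each entry against your own App Store / MDM records before use.
OFFICIAL_BUNDLE_IDS = {
    "Facebook": "com.facebook.Facebook",
    "WhatsApp": "net.whatsapp.WhatsApp",
    "Skype": "com.skype.skype",
}

def normalize(name):
    """Fold case, Unicode compatibility forms and punctuation/spacing."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def find_masquerading_apps(inventory, official=OFFICIAL_BUNDLE_IDS):
    """Return (bundle_id, reason) for entries that imitate a known app."""
    by_name = {normalize(n): b for n, b in official.items()}
    official_ids = set(official.values())
    findings = []
    for app in inventory:
        bundle_id = app["bundle_id"]
        expected = by_name.get(normalize(app["name"]))
        if expected is not None and bundle_id != expected:
            # Post-8.1.3 variant: familiar name, unique bundle identifier.
            findings.append((bundle_id, "lookalike name, different bundle identifier"))
        elif bundle_id in official_ids and app["source"] != "appstore":
            # Pre-8.1.3 variant: official identifier, installed outside the store.
            findings.append((bundle_id, "official bundle identifier, not from App Store"))
    return findings

# Constructed sample inventory (hypothetical values, not real observations).
SAMPLE_INVENTORY = [
    {"name": "Facebook", "bundle_id": "com.facebook.Facebook", "source": "appstore"},
    {"name": "WhatsApp", "bundle_id": "com.example.clone.whatsapp", "source": "enterprise"},
    {"name": "Skype", "bundle_id": "com.skype.skype", "source": "enterprise"},
    {"name": "Notes Plus", "bundle_id": "com.example.notes", "source": "enterprise"},
]

if __name__ == "__main__":
    for bundle_id, reason in find_masquerading_apps(SAMPLE_INVENTORY):
        print(f"{bundle_id}: {reason}")
```

A name match with a different identifier is a lead for review rather than proof, since vendors sometimes ship more than one legitimate app under similar names.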
This attack doesn’t require a jailbroken iPhone, making all the secure, officially updated smartphones equally vulnerable to the spying technique. While this technique works on all the major mobile operating systems including Android, researchers have only seen the attack being used against iPhone users.
To stay secure, make sure you never tap on Install outside of the App Store environment. These malicious apps aren’t hosted on the official App Store, so all downloads made inside Apple’s own ecosystem are safe. Users need to be aware of phishing schemes and avoid infected web links to stay safe from this kind of targeting.