Researchers discover a backdoor in 2846 iOS Apps which can allow full access to hackers

FireEye researchers have discovered that thousands of Apps listed on Apple App Store have a backdoor which can allow malicious actors access to sensitive user data and device functionality. The research was conducted a team of security researchers from FireEye comprising of  Zhaofeng Chen, Adrian Mettler, Peter Gilbert  and Yong Kang which is published on its website today.

According to the researchers, thousands of iOS Apps which are vetted by the Apple security team and listed on Apple App Store contain such a backdoor. The malicious Apps have a potential “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store according to the researchers.

The startling fact discovered by researchers is that the ‘potential’ backdoor could have been controlled remotely by hackers by loading JavaScript code from a remote server to perform the following actions on an iOS device:

  • Capture audio and screenshots
  • Monitor and upload device location
  • Read/delete/create/modify files in the app’s data container
  • Read/write/reset the app’s keychain (e.g., app password storage)
  • Post encrypted data to remote servers
  • Open URL schemes to identify and launch other apps installed on the device
  • “Side-load” non-App Store apps by prompting the user to click an “Install” button

There researchers found that the offending ad library is a version of the mobiSage SDK. They found 17 distinct versions of the potentially backdoored ad library: version codes 5.3.3 to 6.4.4. However, in the latest mobiSage SDK publicly released by adSage – version 7.0.5 – the potential backdoors are not present. It is unclear whether the potentially backdoored versions of the ad library were released by adSage or if they were created and/or compromised by a malicious third party.

As of November 4, FireEye researchers have identified 2,846 iOS apps containing the potentially backdoored versions of mobiSage SDK.  The researchers also found more than 900 attempts to contact an ad adSage server capable of delivering JavaScript code to control the backdoors.

FireEye says that they have informed Apple of the complete list of affected apps and technical details on October 21, 2015.

The researchers did not find the flawed Apps being exploited in the wild however they noted that in the wrong hands, malicious JavaScript code that triggers the potential backdoors could be posted to eventually be downloaded and executed by affected apps.

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here