As anyone who has suffered from insomnia knows, sometimes it can be hard to switch off. Such was the case with Apple iOS 8.4 and earlier versions, which had a vulnerability that let a malicious app keep running even after the user had terminated it in the task switcher.
According to FireEye, whose researchers discovered the vulnerability, Ins0mnia meant that an app could continue to run, draining power and even exfiltrating data, by setting a kernel flag that marks the process as being debugged. Because iOS does not suspend a process it believes is under a debugger, the app would appear to have shut down but would in fact still be running.
The vulnerability has reportedly been fixed in iOS 8.4.1, released 13 August 2015.
Normally, when a user presses the home button on the iPhone, an app goes into the background, where it is subject to strict limits and is normally suspended soon afterwards. Double clicking the home button opens the task switcher, which lets a user change from one app to another or, by swiping upward, shut down an app altogether.
According to FireEye, “To fool iOS, a malicious application could leverage ptrace, and utilise the ptrace code that handled the PT_TRACE_ME request to set the flag P_LTRACED and gracefully return 0. By setting the P_LTRACED flag, the application prevented the assertiond process from suspending the malicious application. Note that PT_TRACE_ME was a request made by the traced process to declare that it expected to be traced by its parent.”
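The mechanism FireEye describes can be observed in a few lines of C. The following is an added example written for this article, not FireEye's or the researchers' code: a process issues the PT_TRACE_ME request on itself and then asks the kernel whether it is now flagged as traced, which is the condition the page says assertiond honoured on iOS 8.4. On Apple platforms the flag is readable as P_TRACED through sysctl (ptrace is resolved with dlsym because the iOS SDK headers do not declare it; that design choice and the function names declare_traced, is_traced and ins0mnia_flag_flips are this example's own). The Linux branch issues the analogous PTRACE_TRACEME request and reads TracerPid from /proc/self/status so the same check can be run on a Linux box. The example only shows the flag flipping without any debugger attached; it does not reproduce the background-suspension bypass, which depended on iOS 8.4's assertiond and was closed in 8.4.1.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>   /* struct kinfo_proc, P_TRACED via sys/proc.h */
#include <dlfcn.h>

/* PT_TRACE_ME is 0 in XNU's sys/ptrace.h, which the iOS SDK does not ship. */
#define EXAMPLE_PT_TRACE_ME 0
typedef int (*ptrace_fn)(int, pid_t, caddr_t, int);

/* Ask to be traced by our parent; no debugger ever needs to attach. */
int declare_traced(void) {
    ptrace_fn p = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    if (p == NULL) return -1;
    return p(EXAMPLE_PT_TRACE_ME, 0, 0, 0);
}

/* Read our own kinfo_proc; the kernel reports P_LTRACED as P_TRACED here. */
int is_traced(void) {
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

#else  /* Linux: same request, different bookkeeping */
#include <sys/ptrace.h>

int declare_traced(void) {
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0 ? 0 : -1;
}

/* TracerPid in /proc/self/status becomes the parent's pid after TRACEME. */
int is_traced(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int tracer = -1;
    if (f == NULL) return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (sscanf(line, "TracerPid: %d", &tracer) == 1) break;
    }
    fclose(f);
    if (tracer < 0) return -1;
    return tracer != 0;
}
#endif

/* Returns 1 if the traced flag flipped from clear to set after PT_TRACE_ME,
 * 0 if the request succeeded but the flag did not appear, -1 if the platform
 * refused the request (e.g. ptrace disabled), -2 if already traced or the
 * state could not be read, so there is nothing to demonstrate. */
int ins0mnia_flag_flips(void) {
    int before = is_traced();
    if (before != 0) return -2;
    if (declare_traced() != 0) return -1;
    return is_traced() == 1 ? 1 : 0;
}

int main(void) {
    printf("traced before PT_TRACE_ME: %d\n", is_traced());
    int r = ins0mnia_flag_flips();
    printf("result: %d (1 = kernel now considers this process debugged)\n", r);
    return r == 1 ? 0 : 1;
}
```

Run it under no debugger: the flag is clear on entry and set on exit, even though nothing ever attached. On iOS 8.4 that was the whole trick, since assertiond read the same flag to decide whether a backgrounded process could be suspended; a review or runtime-analysis tool looking for this behaviour would watch for a PT_TRACE_ME request made by an app that has no legitimate reason to be debugged in production.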
The vulnerability was discovered by researchers Alessandro Reina, Mattia Pagnozzi and Stefano Bianchi Mazzone.
They believe that malware based on Ins0mnia was very difficult to spot and would likely have passed Apple's App Store review.
“We also noticed that an application did not need the get-task-allow entitlement to be set to true, nor did it need any other special entitlements or background modes. Unlike other known iOS malware that runs only on jailbroken devices, or must be distributed with Apple Enterprise Certificates, a hypothetical Ins0mnia malware didn't require anything not allowed by Apple. We believe that such an application had a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple's walled garden,” the researchers wrote.
More details of the exploit can be found on their blog.