Cybercriminals crack open security on Apple devices.

News by Rene Millman

Hackers have discovered a way of attacking iOS devices, allowing the installation of malware using compromised versions of popular apps. Vulnerability affects non-jailbroken devices

According to research carried out by FireEye, the flaw is being actively used against iPhone and iPad users. FireEye trawled through leaked data from IT security company Hacking Team to find out what kind of hacks the company was deploying. “FireEye has recently uncovered 11 iOS apps within the Hacking Team's arsenals that utilise Masque Attacks, marking the first instance of targeted iOS malware being used against non-jailbroken iOS devices,” said FireEye senior research scientist engineer Zhaofeng Chen on the company's blog.

The firm said the attack was one of the most advanced it had seen. This particular attack weaponised popular apps such as Facebook, WhatsApp, Viber, Google Chrome, Telegram and Skype to steal data from users. According to FireEye, these modified apps came with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. As the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to iOS 8.1.3.

The attack didn't need users to jailbreak their phones, just sending an installation link in an email would be enough for the attack to be successful. The data was slurped up by the attack and sent back to remote servers including voice call recordings in Skype and Wechat, Chrome browser history logs, text messages sent in iMessage, Skype, WhatsApp and Facebook messenger, as well as GPS coordinates, contacts and photos.

The modified apps used the previously discovered “masque attack”, also used by the WireLurker malware, which made it possible to install a hacked app in place of an official one. The user would be completely unaware that the app was altered by hackers. FireEye has previously warned that such attacks exist. 

FireEye said that all iOS users need to update their devices to the latest version and pay close attention to how they download apps. Troy Gill, GEPN, manager of Security Research at AppRiver, told that this hack was quite simple in its execution and could be very effective for cyber-criminals.

“Cybercriminals have traditionally gone where the numbers are so by that token the IOS platform becomes more attractive to them as it gains popularity across the globe,” he said. “Most of the mobile malware that we have seen to da te has been designed to target Android devices and there are two main reasons for this. Android has the largest number of users and the most open platform. However, this attack proves once again that no system is immune. When vulnerabilities like this exist in any popular OS and hackers know about them.. it is only a matter of time before they are exploited.”

He added that how widespread this will be will be is partly based on how much bandwidth the bad guys put behind the effort (since they need to get users to visit a URL in order to exploit this vulnerability) and how many devices are currently in use that are on older (prior to 8.1.3) unpatched versions of IOS.

Gill said all users should keep their devices up to date with the latest versions of the iOS, additionally this goes for all firmware/software. “Since vulnerabilities are often discovered  and patched a simple update can determine whether you fall victim or not. Also, every organisation's security training should include reminders about safe browsing and identifying suspicious links,” he added.

Separately, researchers from Dell Secure Works have discovered a Chinese hacking group known as  Emissary Panda or TG-3390that has laid around 100 “traps” worldwide to steal data from several high-profile targets, such as embassies, energy companies and non-governmental organisations (NGOs), particularly those focused on international relations and defence.

"The group extensively uses long-running strategic web compromises, and relies on whitelists to deliver payloads to select victims," Dell Secure Works said in a blog post.

"After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.”

"The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal."

Despite the threat, Dell Secure Works said there are still many opportunities to detect and disrupt its operation by studying its modus operandi. “The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organisations should formulate a solid eviction plan before engaging with the threat actors to prevent them from re-entering the network.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews