Researchers Find iOS Masque Attack Apps in Hacking Team Data Dump

Security researchers have found what they claim to be the first targeted malware used against non-jailbroken iOS devices, after poring through the recently disclosed trove of Hacking Team data.

FireEye researchers said that in the 400GB data dump recently uploaded to the web they found 11 malicious apps masquerading as some of the most popular applications in the world including Skype, Twitter, Facebook, and WhatsApp.

They added:

“Unlike the normal versions of these apps, they come with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. Because all the bundle identifiers are the same as the genuine apps on the App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3.

Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app.”

Data the apps are designed to steal includes voice call recordings, text messages, Chrome browsing history, phone calls, GPS coordinates and photos.

However, the extra binary only begins lifting that data after it has uploaded the device’s IMEI number to a remote server and the server has confirmed that the device is of interest to the attackers.

FireEye urged users to upgrade to the latest version of iOS immediately and “to pay close attention to the avenues that they download their apps.”

The Masque Attack was first discovered last November, with FireEye warning that it’s tricky for mobile device management software to tell the difference between a malicious app and the original version as they use the same bundle identifier.
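Both points above (an enterprise-signed app reusing a genuine bundle identifier on iOS before 8.1.3, or a unique identifier with a familiar name afterwards, and MDM software being unable to tell the two apart by bundle identifier alone) come down to one check that an app-inventory or MDM tool can actually perform: look at how the app was signed, not just what it calls itself. The script below is an added example written for this page, not code from the article or from FireEye. It reads an IPA’s Info.plist and embedded provisioning profile, classifies the build as App Store, enterprise, ad hoc or development (App Store-delivered builds carry no embedded.mobileprovision; in-house profiles set ProvisionsAllDevices), and flags a sideloaded app that either collides with a known App Store bundle identifier or imitates a known app’s display name under a different identifier. The bundle identifiers, the team identifier and the three sample IPAs it builds in memory are assumptions and constructed fixtures; the profile’s CMS signature is not verified.

```python
"""Flag sideloaded (enterprise/ad hoc signed) iOS apps that reuse or imitate
App Store bundle identifiers, from an IPA's Info.plist and provisioning profile."""
import io
import plistlib
import re
import zipfile

# Assumed App Store identifiers for the apps named in the report (illustrative
# values; a real inventory would use its own catalogue of store apps).
KNOWN_STORE_APPS = {
    "com.skype.skype": "Skype",
    "com.atebits.Tweetie2": "Twitter",
    "com.facebook.Facebook": "Facebook",
    "net.whatsapp.WhatsApp": "WhatsApp",
}
KNOWN_NAMES = {name.lower(): bid for bid, name in KNOWN_STORE_APPS.items()}

# The profile is a CMS (PKCS#7) DER blob whose signed content is an XML plist.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def provision_plist(blob):
    """Extract and parse the plist inside embedded.mobileprovision.
    The CMS signature around it is NOT verified here."""
    m = _PLIST_RE.search(blob)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_distribution(prov):
    """App Store builds ship without a profile; in-house (enterprise) profiles
    set ProvisionsAllDevices; ad hoc and development profiles enumerate devices,
    and development ones additionally carry the get-task-allow entitlement."""
    if prov is None:
        return "app-store"
    if prov.get("ProvisionsAllDevices"):
        return "enterprise"
    if prov.get("ProvisionedDevices"):
        ent = prov.get("Entitlements", {})
        return "development" if ent.get("get-task-allow") else "ad-hoc"
    return "unknown"


def inspect_ipa(ipa_bytes):
    """Return the bundle id, display name, distribution channel and a finding
    ('bundle-id-collision', 'name-impersonation' or None) for one IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(n for n in names
                         if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(info_name))
        prov_name = next((n for n in names
                          if n.endswith(".app/embedded.mobileprovision")), None)
        prov = provision_plist(z.read(prov_name)) if prov_name else None
    bundle_id = info.get("CFBundleIdentifier", "")
    display = info.get("CFBundleDisplayName") or info.get("CFBundleName", "")
    dist = classify_distribution(prov)
    finding = None
    if dist != "app-store":
        if bundle_id in KNOWN_STORE_APPS:
            finding = "bundle-id-collision"      # pre-8.1.3 replacement case
        elif display.lower() in KNOWN_NAMES:
            finding = "name-impersonation"       # unique id, familiar name
    return {"bundle_id": bundle_id, "display_name": display,
            "distribution": dist, "finding": finding,
            "team": (prov or {}).get("TeamIdentifier")}


def build_ipa(bundle_id, display_name, prov=None):
    """Constructed fixture: a minimal IPA; a few leading/trailing bytes stand in
    for the CMS wrapper around the profile's plist."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id,
                           "CFBundleDisplayName": display_name,
                           "CFBundleVersion": "1"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/App.app/Info.plist", info)
        if prov is not None:
            z.writestr("Payload/App.app/embedded.mobileprovision",
                       b"\x30\x82\x01\x00" + plistlib.dumps(prov) + b"\x00" * 8)
    return buf.getvalue()


# Assumed enterprise (in-house) profile; the team identifier is made up.
ENTERPRISE_PROFILE = {"Name": "Wide Distribution",
                      "TeamIdentifier": ["ABCDE12345"],
                      "ProvisionsAllDevices": True,
                      "Entitlements": {"application-identifier": "ABCDE12345.*"}}

SAMPLES = {
    "genuine": build_ipa("net.whatsapp.WhatsApp", "WhatsApp"),
    "masque_same_id": build_ipa("net.whatsapp.WhatsApp", "WhatsApp", ENTERPRISE_PROFILE),
    "masque_unique_id": build_ipa("com.example.messenger", "WhatsApp", ENTERPRISE_PROFILE),
}

if __name__ == "__main__":
    for label, ipa in SAMPLES.items():
        print(label, inspect_ipa(ipa))
```

The first sample comes back as an untouched App Store build, the second as an enterprise-signed collision with a store identifier, and the third as an enterprise-signed app that only borrows the display name; the team identifier in the profile is what an administrator would then use to decide whether that in-house certificate is one the organisation actually issued.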

FireEye also claimed that Masque Attacks could in theory be used to bypass the iOS sandbox and gain root privileges by exploiting known iOS vulnerabilities.
