Attackers Abuse Age Restrictions to Hide Apps on iOS Devices

Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.

The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.

Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.

The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.

The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.

“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.

iOS supports configuring devices through profiles, and MDM enrollment is itself performed with a profile. Such profiles are easy to create, and Apple even offers an official tool for building them. Profiles can restrict app usage, but app restrictions are normally limited to supervised devices.

The iPhones impacted by these attacks, however, were not in supervised mode. Instead, the attackers abused the age rating to forbid the usage of apps rated for ages 9 and above. Thus, the apps remained on the device but could no longer be accessed.

“Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard,” Talos explains.

The profile can be installed manually via Apple Configurator, or by opening the profile XML from Safari. Once that happens, a new entry appears in the Settings > General > Profile menu. However, if the MDM deploys the profile, it does not appear there (the MDM enrollment profile will be present).

“It’s important to note here that there is no malicious malware, vulnerability or zero-day used to enroll the phone within the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process,” the researchers note.

Users can head to Settings > General > Profiles & Device Management > [MDM configuration] on their iOS devices to view information about the restrictions and applications set/installed by MDM profiles. If no Profiles & Device Management menu is available, the device is not enrolled.

Related: Attackers Target iPhones Using Open Source MDM Solution

Related: Apple Boosts Security in iOS 12, macOS Mojave

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
