
iOS Malware Found in Hacking Team Leak Exploits “Masque” Flaws

Researchers at FireEye discovered over the past months several attack methods that can be used to target iOS devices. These “Masque attacks” had not been spotted in the wild, but the recent Hacking Team breach revealed that the techniques have been put to use.


FireEye has identified several vulnerabilities (CVE-2014-4494, CVE-2015-3722 and CVE-2015-3725) that can be exploited on iOS devices to replace legitimate apps, harvest sensitive data, bypass the operating system's trust prompt, hijack traffic, read other apps' data, and "demolish" installed applications, leaving them unusable. The flaws were reported to Apple and fixed, fully or partially, in iOS 8.1.3 and iOS 8.4.

The security firm said it had not seen any Masque attacks in the wild. However, while analyzing the files leaked by hackers from the controversial Italy-based spyware maker Hacking Team, researchers discovered 11 iOS applications that leveraged Masque attack techniques.

The applications are weaponized versions of popular apps such as Facebook, Twitter, WhatsApp, Facebook Messenger, Chrome, Viber, BlackBerry Messenger, Skype, Telegram and VK.

The rogue apps, which carry an extra binary designed to exfiltrate sensitive data, can replace the legitimate apps on devices running iOS versions prior to 8.1.3, including non-jailbroken devices. This is possible because the malicious apps reuse the same bundle identifiers as the genuine apps hosted on the Apple App Store, which is the property the Masque Attack abuses: a newly installed app with a matching bundle identifier overwrites the one already on the device.

FireEye says this is the first known case of targeted iOS malware being used against non-jailbroken devices.

“Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app,” FireEye researchers explained in a blog post.

The malicious apps work by adding an LC_LOAD_DYLIB load command to the Mach-O binary of the genuine application, so that the dynamic loader maps a specially crafted dylib into the app's process at launch. For each of the apps, the injected dylib hooks the functions relevant to that app in order to steal data.
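The following is an added example, not code from the original article and not FireEye's or Hacking Team's tooling, showing how a practitioner would check for this kind of injection: it parses a thin Mach-O image's load commands, collects the install names from the LC_LOAD_DYLIB family of commands, and diffs a suspect binary against a known-good build of the same app, which is the sharpest test when an app with a familiar bundle identifier suddenly loads an extra library. The Mach-O bytes are constructed inline as fixtures (not real app binaries), and the install name @executable_path/libcollect.dylib is a hypothetical stand-in for the planted dylib.

```python
import struct

# Mach-O magic numbers and the load commands that pull a dylib in at launch.
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
# Install-name prefixes that resolve to OS-provided libraries on iOS.
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")


def is_thin_macho(data: bytes) -> bool:
    """True for a single-architecture Mach-O; fat/universal files must be split first."""
    return len(data) >= 28 and struct.unpack_from("<I", data, 0)[0] in (
        MH_MAGIC_64, MH_CIGAM_64, MH_MAGIC, MH_CIGAM)


def dylib_install_names(data: bytes) -> list:
    """Walk the load-command table and return, in order, the install name of every
    dylib the loader will map into the process before main() runs."""
    if not is_thin_macho(data):
        raise ValueError("not a thin Mach-O image")
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic in (MH_MAGIC_64, MH_MAGIC) else ">"
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    _, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from(endian + "7I", data, 0)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    names, off = [], header_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name offset, timestamp, versions; the
            # NUL-terminated install name sits at (command start + name offset).
            name_off = struct.unpack_from(endian + "I", data, off + 8)[0]
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            names.append(raw.decode("utf-8", "replace"))
        off += cmdsize
    return names


def injected_dylibs(genuine: bytes, suspect: bytes) -> list:
    """Dylibs the suspect binary loads that the known-good build of the same app does
    not: this is what an added LC_LOAD_DYLIB command looks like from the outside."""
    baseline = set(dylib_install_names(genuine))
    return [n for n in dylib_install_names(suspect) if n not in baseline]


def non_system_dylibs(data: bytes) -> list:
    """Triage heuristic when no known-good copy is at hand: anything outside the OS
    library roots (@rpath/@executable_path entries, paths inside the bundle) deserves
    a look, although legitimate apps do ship embedded frameworks this way."""
    return [n for n in dylib_install_names(data) if not n.startswith(SYSTEM_PREFIXES)]


# --- constructed fixtures (not real app binaries) -------------------------------
def _dylib_cmd(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    payload = name.encode() + b"\0"
    size = 24 + len(payload)
    size += (-size) % 8                      # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, size, 24, 2, 0x10000, 0x10000) + payload.ljust(size - 24, b"\0")


def _segment_cmd() -> bytes:
    # A __TEXT segment with no sections, so the parser has a non-dylib command to skip.
    return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, b"__TEXT",
                       0x100000000, 0x4000, 0, 0x4000, 5, 5, 0, 0)


def build_macho(cmds: list) -> bytes:
    body = b"".join(cmds)
    # mach_header_64: magic, cputype (arm64), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0) + body


UIKIT = "/System/Library/Frameworks/UIKit.framework/UIKit"
LIBSYSTEM = "/usr/lib/libSystem.B.dylib"
INJECTED = "@executable_path/libcollect.dylib"   # hypothetical name for the planted dylib

GENUINE_APP = build_macho([_segment_cmd(), _dylib_cmd(UIKIT), _dylib_cmd(LIBSYSTEM)])
TROJANIZED_APP = build_macho([_segment_cmd(), _dylib_cmd(UIKIT), _dylib_cmd(INJECTED), _dylib_cmd(LIBSYSTEM)])

if __name__ == "__main__":
    print("injected:", injected_dylibs(GENUINE_APP, TROJANIZED_APP))
    print("non-system:", non_system_dylibs(TROJANIZED_APP))
```

On a real device image you would run the same comparison on the main executable extracted from the suspect .ipa (after splitting any fat binary into per-architecture slices) against the binary from the App Store copy of the same version; an install name that appears only in the suspect, particularly one pointing inside the bundle, is the tell-tale sign of the injection described above. The dylib's presence alone does not show what it hooks, so the next step is to inspect the injected library itself.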


Hacking Team is known for its sophisticated surveillance products, so it is not surprising that the malicious iOS apps are capable of intercepting a wide range of sensitive information, including voice calls, text messages, browser history, GPS coordinates, contact information, and photos.

While iOS is considered by many to be much more secure than Android, researchers often find serious vulnerabilities in Apple’s mobile operating system.

Vulnerability management company Secunia revealed at the Black Hat security conference in Las Vegas earlier this week that a total of 80 flaws have been identified this year in iOS.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
