iOS Malware Found in Hacking Team Leak Exploits “Masque” Flaws

Researchers at FireEye discovered over the past months several attack methods that can be used to target iOS devices. These “Masque attacks” had not been spotted in the wild, but the recent Hacking Team breach revealed that the techniques have been put to use.

FireEye has identified several vulnerabilities (CVE-2014-4494, CVE-2015-3722, CVE-2015-3725 and CVE-2015-3725) that can be exploited on iOS devices to replace legitimate apps, collect sensitive data, bypass the operating system’s prompt for trust, hijack traffic, access the data of other apps, and demolish applications. The flaws have been reported to Apple and fixed fully or partially with the release of iOS 8.1.3 and iOS 8.4.

The security firm said it had not seen any Masque attacks in the wild. However, while analyzing the files leaked by hackers from the controversial Italy-based spyware maker Hacking Team, researchers discovered 11 iOS applications that leveraged Masque attack techniques.

The applications are weaponized versions of popular apps such as Facebook, Twitter, WhatsApp, Facebook Messenger, Chrome, Viber, BlackBerry Messenger, Skype, Telegram and VK.

The rogue apps, which come with an extra binary designed for sensitive data exfiltration, can replace the legitimate apps on devices running iOS versions prior to 8.1.3, including non-jailbroken devices. This is possible because the malicious apps have the same bundle identifiers as the genuine apps hosted on the Apple App Store.

FireEye says this is the first case of targeted iOS malware being used against non-jailbroken devices.

“Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app,” FireEye researchers explained in a blog post.

The malicious apps work by using the LC_LOAD_DYLIB command of the MachO format to inject a specially crafted dylib into the genuine application. For each of the apps, the malicious dylib hooks various functions for data theft.

Hacking Team is known for its sophisticated surveillance solutions so it’s not surprising that the malicious iOS apps are capable of intercepting a wide range of sensitive information, including voice calls, text messages, browser history, GPS coordinates, contact information, and photos.

While iOS is considered by many to be much more secure than Android, researchers often find serious vulnerabilities in Apple’s mobile operating system.

Vulnerability management company Secunia revealed at the Black Hat security conference in Las Vegas earlier this week that a total of 80 flaws have been identified this year in iOS.