Researchers at FireEye discovered over the past months several attack methods that can be used to target iOS devices. These “Masque attacks” had not been spotted in the wild, but the recent Hacking Team breach revealed that the techniques have been put to use.
FireEye has identified several vulnerabilities (CVE-2014-4494, CVE-2015-3722, CVE-2015-3725 and CVE-2015-3725) that can be exploited on iOS devices to replace legitimate apps, collect sensitive data, bypass the operating system’s prompt for trust, hijack traffic, access the data of other apps, and demolish applications. The flaws have been reported to Apple and fixed fully or partially with the release of iOS 8.1.3 and iOS 8.4.
The security firm said it had not seen any Masque attacks in the wild. However, while analyzing the files leaked by hackers from the controversial Italy-based spyware maker Hacking Team, researchers discovered 11 iOS applications that leveraged Masque attack techniques.
The applications are weaponized versions of popular apps such as Facebook, Twitter, WhatsApp, Facebook Messenger, Chrome, Viber, BlackBerry Messenger, Skype, Telegram and VK.
The rogue apps, which come with an extra binary designed for sensitive data exfiltration, can replace the legitimate apps on devices running iOS versions prior to 8.1.3, including non-jailbroken devices. This is possible because the malicious apps have the same bundle identifiers as the genuine apps hosted on the Apple App Store.
FireEye says this is the first case of targeted iOS malware being used against non-jailbroken devices.
“Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app,” FireEye researchers explained in a blog post.
The malicious apps work by adding an LC_LOAD_DYLIB load command to the Mach-O binary so that a specially crafted dylib is loaded into the genuine application at launch. For each of the apps, the malicious dylib hooks various functions for data theft.
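As an added illustration of the injection vector described above (not code from FireEye or from the leaked apps), the following Python builds a minimal 64-bit Mach-O header with only LC_LOAD_DYLIB commands, walks the load-command table, and lists any dylib path outside Apple's system library directories; the `libexfil.dylib` name and `@executable_path` location are constructed placeholders for an injected library.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O magic
LC_LOAD_DYLIB = 0x0C              # load command that pulls in a shared library
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")  # Apple-shipped libraries

def build_dylib_cmd(path: str) -> bytes:
    """Encode one dylib_command: cmd, cmdsize, name offset (24), timestamp,
    current_version, compatibility_version, then the NUL-terminated path
    padded to an 8-byte boundary."""
    name = path.encode() + b"\0"
    cmdsize = 24 + ((len(name) + 7) & ~7)
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    return fixed + name.ljust(cmdsize - 24, b"\0")

def build_macho(dylibs) -> bytes:
    """Constructed sample: a mach_header_64 (arm64, MH_EXECUTE) whose only
    load commands are LC_LOAD_DYLIB entries. Real binaries carry many more."""
    cmds = b"".join(build_dylib_cmd(p) for p in dylibs)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds

def load_dylibs(blob: bytes):
    """Return every LC_LOAD_DYLIB path in load-command order, validating
    that each command stays inside the region the header declares."""
    if len(blob) < 32:
        raise ValueError("truncated Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    end = 32 + sizeofcmds
    if len(blob) < end:
        raise ValueError("load commands run past end of file")
    paths, off = [], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            raw = blob[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode(errors="replace"))
        off += cmdsize
    return paths

def non_system_dylibs(blob: bytes):
    """Dylibs not under Apple's system prefixes: a review queue, not a verdict,
    since legitimate apps also embed their own frameworks via @rpath."""
    return [p for p in load_dylibs(blob) if not p.startswith(SYSTEM_PREFIXES)]

# Constructed samples: a clean app, and the same app with a trailing injected dylib.
CLEAN_APP = build_macho(["/usr/lib/libSystem.B.dylib",
                         "/System/Library/Frameworks/UIKit.framework/UIKit"])
REPACKAGED_APP = build_macho(["/usr/lib/libSystem.B.dylib",
                              "/System/Library/Frameworks/UIKit.framework/UIKit",
                              "@executable_path/libexfil.dylib"])  # placeholder name
```

An appended LC_LOAD_DYLIB is usually the last command in the table, so comparing the ordered list against a known-good build of the same app is a quick first triage step.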
Hacking Team is known for its sophisticated surveillance solutions so it’s not surprising that the malicious iOS apps are capable of intercepting a wide range of sensitive information, including voice calls, text messages, browser history, GPS coordinates, contact information, and photos.
While iOS is considered by many to be much more secure than Android, researchers often find serious vulnerabilities in Apple’s mobile operating system.
Vulnerability management company Secunia revealed at the Black Hat security conference in Las Vegas earlier this week that a total of 80 flaws have been identified this year in iOS.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.