Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

iOS Malware Found in Hacking Team Leak Exploits “Masque” Flaws

Researchers at FireEye discovered over the past months several attack methods that can be used to target iOS devices. These “Masque attacks” had not been spotted in the wild, but the recent Hacking Team breach revealed that the techniques have been put to use.

Researchers at FireEye discovered over the past months several attack methods that can be used to target iOS devices. These “Masque attacks” had not been spotted in the wild, but the recent Hacking Team breach revealed that the techniques have been put to use.

FireEye has identified several vulnerabilities (CVE-2014-4494, CVE-2015-3722, CVE-2015-3725 and CVE-2015-3725) that can be exploited on iOS devices to replace legitimate apps, collect sensitive data, bypass the operating system’s prompt for trust, hijack traffic, access the data of other apps, and demolish applications. The flaws have been reported to Apple and fixed fully or partially with the release of iOS 8.1.3 and iOS 8.4.

The security firm said it had not seen any Masque attacks in the wild. However, while analyzing the files leaked by hackers from the controversial Italy-based spyware maker Hacking Team, researchers discovered 11 iOS applications that leveraged Masque attack techniques.

The applications are weaponized versions of popular apps such as Facebook, Twitter, WhatsApp, Facebook Messenger, Chrome, Viber, BlackBerry Messenger, Skype, Telegram and VK.

The rogue apps, which come with an extra binary designed for sensitive data exfiltration, can replace the legitimate apps on devices running iOS versions prior to 8.1.3, including non-jailbroken devices. This is possible because the malicious apps have the same bundle identifiers as the genuine apps hosted on the Apple App Store.

FireEye says this is the first case of targeted iOS malware being used against non-jailbroken devices.

“Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app,” FireEye researchers explained in a blog post.

The malicious apps work by using the LC_LOAD_DYLIB command of the MachO format to inject a specially crafted dylib into the genuine application. For each of the apps, the malicious dylib hooks various functions for data theft.

Hacking Team is known for its sophisticated surveillance solutions so it’s not surprising that the malicious iOS apps are capable of intercepting a wide range of sensitive information, including voice calls, text messages, browser history, GPS coordinates, contact information, and photos.

While iOS is considered by many to be much more secure than Android, researchers often find serious vulnerabilities in Apple’s mobile operating system.

Vulnerability management company Secunia revealed at the Black Hat security conference in Las Vegas earlier this week that a total of 80 flaws have been identified this year in iOS.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.