After yesterday’s news that an new variant of XcodeGhost has been found in the wild, we hear from FireEye that another iOS vulnerability, called iBackDoor, has been detected.
We’ve long been concerned about the potential for infected advertisements, that are injected into websites, games and apps via third parties could provide a vehicle for malware distributors. This isn’t a new technique – ninemsn was hit back in 2010 and it wasn’t the first or last victim.
FireEye says the mobiSage library is being exploited to inject malicious code that can be used to
- capture audio and screenshots
- monitor and upload device location
- read/delete/create/modify files in the app’s data container
- read/write/reset the app’s keychain (e.g. app password storage)
- post encrypted data to remote servers
- open URL schemes to identify and launch other apps installed on the device, and
- ‘side-load’ non-App Store apps by prompting the user to click an ‘Install’ button.
FireEye notified Apple of the complete list of affected apps and technical details on 21 October 2015.
Over recent months, I’ve noticed some increasingly annoying behaviour in some ads. Some weeks ago, ads appearing in a game I regularly play began asking for location information. Thankfully, iOS’s security controls intercepted the request and I was able to reject the request, but it points to a broader issue.
Advertising is what pays for many of our ‘free’ apps. The reality is nothing is free. We pay for our apps in three ways – either with money, by exposure to advertising or by giving up some of our personal data. This new exploit uses our desire for a free app and willingness to pay for it through exposure to advertising to steal personal data.
We’re not certain, yet, of the fallout of iBackDoor. The difficulty for Apple is that it’s not apps that are specifically infected, so removing apps from the App Store may not be the answer. The challenge will be to block potentially malicious ads or ad networks. And it will also need to patch the vulnerable code library.