iBackDoor – infected ads may make iOS vulnerable

Anthony Caruana
5 November, 2015

After yesterday’s news that a new variant of XcodeGhost has been found in the wild, we hear from FireEye that another iOS vulnerability, called iBackDoor, has been detected.

We’ve long been concerned that infected advertisements, injected into websites, games and apps via third parties, could provide a vehicle for malware distributors. This isn’t a new technique – ninemsn was hit back in 2010 and it wasn’t the first or last victim.

FireEye says the mobiSage library is being exploited to inject malicious code that can be used to:

  • capture audio and screenshots
  • monitor and upload device location
  • read/delete/create/modify files in the app’s data container
  • read/write/reset the app’s keychain (e.g. app password storage)
  • post encrypted data to remote servers
  • open URL schemes to identify and launch other apps installed on the device, and
  • ‘side-load’ non-App Store apps by prompting the user to click an ‘Install’ button.

FireEye’s mobile researchers claim to have discovered potentially backdoored versions of the ad library embedded in thousands of iOS apps originally published in the Apple App Store. They have observed more than 900 attempts to contact an adSage server capable of delivering JavaScript code to control the backdoors.

FireEye notified Apple of the complete list of affected apps and technical details on 21 October 2015.

The good news is FireEye has not observed the ad server deliver any malicious commands intended to trigger the most sensitive capabilities, such as recording audio or stealing sensitive data, although affected apps periodically contact the server to check for new JavaScript code.

Over recent months, I’ve noticed some increasingly annoying behaviour in some ads. Some weeks ago, ads appearing in a game I regularly play began asking for location information. Thankfully, iOS’s security controls intercepted the request and I was able to reject the request, but it points to a broader issue.

Advertising is what pays for many of our ‘free’ apps. The reality is nothing is free. We pay for our apps in three ways – either with money, by exposure to advertising or by giving up some of our personal data. This new exploit uses our desire for a free app and willingness to pay for it through exposure to advertising to steal personal data.

We’re not certain, yet, of the fallout of iBackDoor. The difficulty for Apple is that it’s not apps that are specifically infected, so removing apps from the App Store may not be the answer. The challenge will be to block potentially malicious ads or ad networks. And it will also need to patch the vulnerable code library.
