This article was published on August 6, 2015

Hacking Team reverse engineered WhatsApp, Facebook and others to steal your iPhone’s data


After large amounts of Hacking Team’s internal data leaked online recently, researchers have been combing through it to find out what kinds of attacks the company was using.

One attack, uncovered by FireEye, weaponized apps from the top charts of the App Store including Facebook, WhatsApp, Viber, Google Chrome, Telegram and Skype to steal user data.

Hacking Team modified the apps to hide in plain sight, operating as what appears to be the official apps while silently stealing user data in the background. A library injected into the modified apps can steal the following, according to FireEye:

  • Voice call recording in Skype, Wechat, etc.
  • Text message intercepting in Skype, WhatsApp, Facebook Messenger, etc.
  • Chrome website history
  • Phone call
  • SMS/iMessage content
  • Precise GPS coordinate recording in background
  • Contact information
  • Photos

The modified apps utilized a previously uncovered ‘masque’ attack which made it possible to install a modified app over the top of an official one by prompting the user to install what was seemingly an innocuous app.

FireEye, which also discovered the attack method, reported it to Apple last year and it was patched in iOS 8.1.3. Today’s news marks the first time we’ve learnt that the attack was being used in the wild.

Even though the masque attack has been patched, meaning that apps can’t overwrite others, an attacker can still get around the fix by changing the modified app’s bundle identifier, so that it installs alongside the official app instead of replacing it, provided they can trick the user into installing it.

The attack doesn’t require a jailbroken phone to get in and is as easy as tricking a user into clicking an install link in an email.

This is the first time we’ve seen the attack being leveraged in the real world, by a company that was selling such tools to shady government spy agencies.

If you ever see an install prompt outside the App Store, make sure to say ‘cancel.’
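
For administrators of managed devices, the two cases described above (an app installed over the official one, and a copy installed alongside it under a different bundle identifier) can be checked for in an app inventory. The following is an added example, not code from FireEye or from the original article; the inventory field names, the allow-list entries and the sample rows are assumptions made for the illustration.

```python
import unicodedata

# Allow-list kept by the operator: normalized display name -> official bundle ID.
# The entries are assumptions for this example; verify them against your own fleet.
OFFICIAL = {
    "whatsapp": "net.whatsapp.WhatsApp",
    "facebook": "com.facebook.Facebook",
    "chrome": "com.google.chrome.ios",
}

# Constructed inventory rows; the field names are hypothetical, not a real MDM schema.
SAMPLE = [
    {"device": "ipad-07", "name": "WhatsApp", "bundle_id": "net.whatsapp.WhatsApp", "source": "app_store"},
    {"device": "iphone-12", "name": "WhatsApp", "bundle_id": "com.example.wa-helper", "source": "enterprise"},
    {"device": "iphone-12", "name": "Chrome\u200b", "bundle_id": "com.example.browser", "source": "enterprise"},
    {"device": "iphone-03", "name": "Facebook", "bundle_id": "com.facebook.Facebook", "source": "enterprise"},
    {"device": "iphone-03", "name": "Notes Plus", "bundle_id": "com.example.notes", "source": "enterprise"},
]

def normalize(name):
    """Fold case and width, drop spaces and invisible characters."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def find_lookalikes(inventory):
    """Return (device, bundle_id, reason) for apps posing as an allow-listed app."""
    findings = []
    for app in inventory:
        official_id = OFFICIAL.get(normalize(app["name"]))
        if official_id is None:
            continue  # display name is not one we protect
        if app["bundle_id"] != official_id:
            # Post-8.1.3 variant: same name, different bundle ID, installed alongside.
            findings.append((app["device"], app["bundle_id"], "lookalike-name"))
        elif app["source"] != "app_store":
            # Original masque case: official bundle ID delivered outside the App Store.
            findings.append((app["device"], app["bundle_id"], "official-id-sideloaded"))
    return findings

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE):
        print(finding)
```

The name normalization does not map cross-script homoglyphs (for example a Cyrillic letter standing in for a Latin one), so a production check would need a confusables table as well.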

iOS Masque Attack Weaponized: A Real World Look [FireEye]

Image credit: Bloomua / Shutterstock.com
