After extensive amounts of Hacking Team’s internal data leaked online recently, researchers have been combing through it to find what kind of attacks the company was using.
Hacking Team modified the apps to hide in plain sight, passing as the official apps while silently stealing user data in the background. A library injected into the modified apps can steal the following, according to FireEye:
- Voice call recording in Skype, Wechat, etc.
- Text message intercepting in Skype, WhatsApp, Facebook Messenger, etc.
- Chrome website history
- Phone call
- SMS/iMessage content
- Precise GPS coordinate recording in background
- Contact information
The modified apps relied on the previously disclosed ‘masque’ attack, which made it possible to install a modified app over the top of an official one by prompting the user to install what appeared to be an innocuous app.
FireEye, which also discovered the attack method, reported it to Apple last year and it was patched in iOS 8.1.3. Today’s news marks the first time we’ve learnt that the attack was being used in the wild.
Even though the masque attack has been patched, meaning a sideloaded app can no longer overwrite an existing app that shares its bundle identifier, an attacker can still change the modified app’s bundle identifier so that it installs alongside the official app, provided they can trick the user into installing it.
The attack doesn’t require a jailbroken phone to get in and is as easy as tricking a user into clicking an install link in an email.
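The post-patch variant described above leaves a simple trace in a device or MDM app inventory: an app whose display name matches a well-known app but whose bundle identifier does not. The following is an added example (not code from the article, FireEye, or Hacking Team) showing how an administrator could triage such an inventory. The `Info.plist` fragments, the `OFFICIAL_APPS` table and all identifiers in it are constructed placeholders, not real bundle identifiers from the page.

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed Info.plist fragments standing in for what an MDM inventory or an
# unpacked IPA would yield. Every name and identifier here is a placeholder.
SAMPLE_PLISTS: List[bytes] = [
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.messenger</string>
  <key>CFBundleDisplayName</key><string>Messenger</string>
</dict></plist>""",
    # Same display name as the official app, different bundle identifier:
    # this is the pattern that lets a modified copy install side by side.
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.messenger.update</string>
  <key>CFBundleDisplayName</key><string>Messenger</string>
</dict></plist>""",
    # Unrelated app whose name is not in the watch list; should be ignored.
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>CFBundleDisplayName</key><string>Notes</string>
</dict></plist>""",
]

# Assumed watch list: display name -> the single bundle identifier it should have.
OFFICIAL_APPS: Dict[str, str] = {
    "Messenger": "com.example.messenger",
}


def parse_bundle(plist_bytes: bytes) -> Tuple[str, str]:
    """Return (bundle_identifier, display_name) from an Info.plist document."""
    info = plistlib.loads(plist_bytes)
    bundle_id = info["CFBundleIdentifier"]
    # CFBundleDisplayName is optional; fall back to CFBundleName if absent.
    display = info.get("CFBundleDisplayName") or info.get("CFBundleName", "")
    return bundle_id, display


def flag_masque_candidates(
    inventory: List[Tuple[str, str]], official: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """Flag inventory entries that mimic a watched app.

    Each finding is (bundle_id, display_name, reason). Two cases are covered:
    - an app reusing a watched display name under a different bundle id
      (the side-by-side install the article describes), and
    - more than one installed app claiming the same watched bundle id, which
      should be impossible after the iOS 8.1.3 fix and so warrants a look.
    """
    findings: List[Tuple[str, str, str]] = []
    seen_ids: Dict[str, int] = {}
    for bundle_id, display in inventory:
        seen_ids[bundle_id] = seen_ids.get(bundle_id, 0) + 1
        expected = official.get(display)
        if expected is not None and bundle_id != expected:
            findings.append(
                (bundle_id, display, "watched display name, unexpected bundle id")
            )
    for bundle_id, count in seen_ids.items():
        if count > 1 and bundle_id in official.values():
            findings.append((bundle_id, "", "duplicate watched bundle id"))
    return findings


def triage(plists: List[bytes] = SAMPLE_PLISTS) -> List[Tuple[str, str, str]]:
    """Parse the sample inventory and return the flagged entries."""
    return flag_masque_candidates([parse_bundle(p) for p in plists], OFFICIAL_APPS)


if __name__ == "__main__":
    for bundle_id, display, reason in triage():
        print(f"{bundle_id!r} ({display!r}): {reason}")
```

Run against a real inventory, the watch list would be populated from the App Store identifiers of the apps your organisation actually cares about; the display-name collision check is deliberately crude, since an attacker who wants to pass as an official app has to reuse its visible name.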
This is the first time we’ve seen the attack being leveraged in the real world, by a company that was selling such tools to shady government spy agencies.
If you ever see an install prompt outside the App Store, make sure to say ‘cancel.’
➤ iOS Masque Attack Weaponized: A Real World Look [FireEye]