Hackers have figured out how to persuade iPhone users to install malicious apps on their iPhones without their knowledge.
The apps may look and perform like the real thing, but they're controlled by hackers. The installations occur when users unwittingly click on web links that trigger the downloads.
Bogus apps include malware versions of Twitter, Facebook, WhatsApp. FireEye global technical lead Simon Mullis reported the “Masque” attack in an interview. “The most recent version of the Masque attack uses a technique called ‘URL Scheme Hijacking.’ The attacker is initially able to bypass the mechanism used by Apple to ensure that a user trusts an app that is being installed,” he said. The attacks work by duping smartphone users into installing the malicious apps without their knowledge.
If a user clicks on an infected link while browsing the web, then Masque can download an app onto an iPhone without the users knowing. That app will look and behave like the real thing — except that hackers will be controlling and monitoring it, and watching what you do on it. The problem is that the downloads occur without the user seeing them.
“If you can be tricked into clicking on a link on your phone to install an application then any of your apps could be replaced with a malicious version. It could look identical to the standard app but have extra functionality,” Mullis said. “Once installed, the new malicious application can hijack the communications used by legitimate apps and steal information, such as login credentials.”
The malicious apps are not hosted on Apple's official App Store, so downloads from there are safe. The attacks only work if the user clicks on an infected web link. Users that do not fall for phishing schemes should be safe. In theory, the technique works on all major mobile operating systems including iOS and Android. But so far, FireEye has only seen the attack used against iPhone users.
The vulnerability was discovered by hackers from information stolen from web security firm Hacking Team, according to researchers at FireEye. Hacking Team creates digital surveillance tools for government departments and law enforcement agencies. Its customer list includes the US Federal Bureau of Investigation (FBI) and UK National Crime Agency (NCA). The breach occurred in June when a group of hackers broke into its network and leaked 400GB of data, allegedly stolen from it.
Experts have reached out to the companies involved for comment on FireEye’s findings and advice how users can protect themselves. Mullis said FireEye has already discovered malicious versions of several popular legitimate apps targeting smartphone users in the wild. “Imagine a malicious version of a taxi application that always calls a driver who is working with the bad guys; an Instant Messenger app that automatically uploads private messages, photos and GPS locations to a remote server,” he said.
“We have found examples of many well-known apps have been repackaged in this way: Twitter, Facebook, WhatsApp, Viber, Skype and others. They are versions of the standard app with extra functionality to exfiltrate sensitive information to remote servers. We have found these applications in use in the wild.” The attacks are currently have a "small" undisclosed number of victims. Mullis said he expects to see the attacks expand their target-base in the near future. “There is a clear ecosystem at play and I have no doubt that this technique could and will be used by criminal gangs for financial gain,” he said.