
Backdoor Found In Popular iOS Ad Library Used By Thousands Of Apps

Mobile security researchers from FireEye recently discovered a backdoor in a popular Chinese ad library used by thousands of apps that were also published on Apple's App Store.

Advertising networks that don't tend to be security conscious seem an easy target for malicious hackers who want to quickly spread their malware to millions of users at once. This practice has been so effective it has even gotten its own name: "malvertising."

According to FireEye, the backdoor could be controlled by loading JavaScript code from a remote server to perform the following actions on an iOS device:

- Capture audio and screenshots
- Monitor and upload device location
- Read/delete/create/modify files in the app's data container
- Read/write/reset the app's keychain (e.g., app password storage)
- Post encrypted data to remote servers
- Open URL schemes to identify and launch other apps installed on the device
- "Side-load" non-App Store apps by prompting the user to click an "Install" button

By the looks of it, the attackers could gain virtually complete access over an iOS device simply by compromising the "mobiSage" ad library from the advertising company, adSage. The company has offices in the U.S. and claims it reaches 90 percent of the mobile users in China.

FireEye found the backdoor code in 2,846 iOS apps and in the mobiSage SDK, versions 5.3.3 to 6.4.4. It also found that the backdoor is not present in the latest 7.0.5 version. The company observed 900 attempts to contact a remote server that could deliver JavaScript code to control the backdoors.

In their research, FireEye employees couldn't see any malicious command that would trigger the most dangerous capabilities such as capturing audio or stealing sensitive data. However, the capabilities that can do all of that are still in the apps that contain the backdoored code and could be used at any time.

This isn't the first time iOS apps were infected with malware that could bypass even Apple's review process and land in the App Store. The last time, the attackers infected a build of Apple's Xcode in order to further infect the apps that were built with it.

What these latest attacks on iOS apps have in common is that they originate in China and that they happen through infected software development kits that help spread the infection when developers use them. This is a type of attack we may see more and more often if Apple doesn't take some kind of measure against it or review code that is used by thousands of iOS apps much more carefully.

FireEye contacted Apple on October 21, 2015 about this issue and gave it all the technical details and the list of infected applications.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
