Skip to main content

Backdoor Found In Popular iOS Ad Library Used By Thousands Of Apps

Mobile security researchers from FireEye recently discovered a backdoor in a popular Chinese ad library used by thousands of apps that were also published on Apple's App Store.

Advertising networks that don't tend to be security conscious seem an easy target for malicious hackers who want to quickly spread their malware to millions of users at once. This practice has been so effective it has even gotten its own name: "malvertising."

According to FireEye, the backdoor could be controlled by loading Javascript code from a remote server to perform the following actions on an iOS device:

Capture audio and screenshotsMonitor and upload device locationRead/delete/create/modify files in the app's data containerRead/write/reset the app's keychain (e.g., app password storage)Post encrypted data to remote serversOpen URL schemes to identify and launch other apps installed on the device“Side-load" non-App Store apps by prompting the user to click an “Install" button

By the looks of it, the attackers could gain virtually complete access over an iOS device simply by compromising the "mobiSage" ad library from the advertising company, adSage. The company has offices in the U.S. and claims it reaches 90 percent of the mobile users in China.

FireEye found the backdoor code in 2,846 iOS apps and in the mobiSage SDK, versions 5.3.3 to 6.4.4. It also found that the backdoor is not present in the latest 7.0.5 version. The company observed 900 attempts to contact a remote server that could deliver Javascript code to control the backdoors.

In their research, FireEye employees couldn't see any malicious command that would trigger the most dangerous capabilities such as capturing audio or stealing sensitive data. However, the capabilities that can do all of that are still in the apps that contain the backdoored code and could be used at any time.

This isn't the first time iOS apps were infected with malware that could bypass even Apple's review process and land in the App Store. The last time, the attackers infected a build of Apple's Xcode in order to further infect the apps that were built with it.

What these latest attacks on iOS apps have in common is that they originate in China and that they happen through infected software developer kits that help spread the infection when the developers use them. This is a type of attack we may see increasingly more often if Apple doesn't take some kind of measure against it or reviews code that is used by thousands of iOS apps much more carefully.

FireEye contacted Apple on October 21, 2015 about this issue and gave it all the technical details and the list of infected applications.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

  • InvalidError
    I bet many Android ad libaries do more than people think they do too. It always makes me nervous when a simple app has a list of permissions two or three pages long for things it shouldn't need.

    Thankfully, with Cyanogen, I can deny or ignore individual permission requests. For things like location services, I can also choose to inject fake data if the app won't take no for an answer.
    Reply
  • royalcrown
    Does chinese malware REALLY surprise anyone ?
    Reply
  • jeremy2020
    This is bullsh*t. Everyone knows Apple products have no security vulnerabilities.
    Reply
  • ScottWLovesYou
    Imagine how the tech press would have covered this if it had been Android. I love how Apple gets hacked so often now, the tech press has started ignoring it.
    Reply
  • Osmin
    The main difference when it comes to security is that an Android device may never get updates to their flawed OS and Apple will have a quick fix sent to all their supported phones with over-the-air updates. I have a Galaxy Note 2 backup phone that never received an update passed Kitkat and I installed Cyanogen to keep a more secure update. I love it when I read about people comparing news coverage like they do in politics. News should be neutral without personal opinions and it is up to the individual reader to make their own opinions based on the facts presented. Any time you read or hear phrases such as "This is shocking", "How can they get away with that", "This is unbelievable", "Something must be done about this" , "What if this had been", or any other phrase that detracts from the facts, it turns the news to propaganda to incite the audience with negative emotions. The main issue here is that the Chinese, frequently with the funding of their government, are trying to steal as much information from others to enhance their spying and military programs. Edward Snowden showed that the United States was spying on the German Chancellors' own cell phone as well as most citizens of the United States. The main difference is that the United States used mostly the telecommunication companies to give them the data with limited use of malware installed on portable devices, while the Chinese are happy to get data from all the sources it can infect. We can not assume privacy anymore on any network connected device because it can be compromised in so many different ways.
    Reply
  • ScottWLovesYou
    Actually, the main difference is Android phones never get hacked. They just get lots of hacking fan fiction written about them by the biased valley press. Meanwhile iPhones actually get hacked. Frequently. Android is much more secure than iOS.


    16904324 said:
    The main difference when it comes to security is that an Android device may never get updates to their flawed OS and Apple will have a quick fix sent to all their supported phones with over-the-air updates. I have a Galaxy Note 2 backup phone that never received an update passed Kitkat and I installed Cyanogen to keep a more secure update. I love it when I read about people comparing news coverage like they do in politics. News should be neutral without personal opinions and it is up to the individual reader to make their own opinions based on the facts presented. Any time you read or hear phrases such as "This is shocking", "How can they get away with that", "This is unbelievable", "Something must be done about this" , "What if this had been", or any other phrase that detracts from the facts, it turns the news to propaganda to incite the audience with negative emotions. The main issue here is that the Chinese, frequently with the funding of their government, are trying to steal as much information from others to enhance their spying and military programs. Edward Snowden showed that the United States was spying on the German Chancellors' own cell phone as well as most citizens of the United States. The main difference is that the United States used mostly the telecommunication companies to give them the data with limited use of malware installed on portable devices, while the Chinese are happy to get data from all the sources it can infect. We can not assume privacy anymore on any network connected device because it can be compromised in so many different ways.

    Reply
  • Ted_1_
    Interesting article, and to the people saying Apple gets hacked more then Android and vice versa... Let's be real, they both have their own weak points and they both get hacked about equally... No need to be so elitist and unrealistic imo..

    https://www.youtube.com/channel/UCijmVN7B2_TF5NqwpE9AwLA
    Reply
  • ScottWLovesYou
    No, they don't. "balance" isn't telling lies to try to make them seem equal. iOS is hacked 8 times more often. In fact, we are still waiting for the first mass Android hacking. There hasn't been one yet. iOS has had 8. 4 of those in the past few months. When Android gets "hacked", it's some proof of concept code that requires 3rd party app installs to be enabled, requires you to install an apk from outside the app store, and requires Google Services Framework to be disabled. That's why Android never actually gets hacked. Stagefright, for example, hacked exactly nobody. Meanwhile there are 3,000 hacked iOS apps on Apple's hacked to pieces App Store right now actively exploiting people according to FireEye. And the biased valley press is ignoring that, instead writing even more Android hacking fan fiction.

    Android gets lots of hacking fan fiction written about it by valley Apple shills in the tech press. iOS actually gets hacked. That's reality. I'm sorry reality doesn't fit with the biased valley narrative.

    16911323 said:
    Interesting article, and to the people saying Apple gets hacked more then Android and vice versa... Let's be real, they both have their own weak points and they both get hacked about equally... No need to be so elitist and unrealistic imo..

    https://www.youtube.com/channel/UCijmVN7B2_TF5NqwpE9AwLA

    Reply