Hacking Team brewed potent iOS poison for non-jailbroken iThings

Hacking Team compromised non-jailbroken iOS devices using a variant of last year’s Masque Attack, in which Apple devices were infected via emails and text messages.

That's according to a study of the 400GB of documents that were pilfered from the Italian snoop-ware maker's computers by hackers, and leaked online for all to see.

Analysis of the Hacking Team’s advanced mobile attack suite reveals that all major mobile platforms – iOS, Android, Windows Phone, Blackberry, Symbian, etc – were targeted. The company's attack tools try everything possible to infiltrate the victim's device, and enable persistent remote control. Compromised devices under control of Hacking Team’s malware cropped up all over the world, according to security firm FireEye.

Research unveiled by FireEye at the Black Hat conference on Thursday focused on attacks against iOS and Android, the two most popular mobile platforms. Trend Micro previously documented the firm’s attacks against Android gizmos, so it’s the iOS attacks unravelled by FireEye that catch the eye.

An iOS Remote Control System (RCS) agent, designed to hack into jailbroken iOS devices, is among the items that cropped up in the Hacking Team’s arsenal. More surprisingly, other attacks targeting non-jailbroken iOS devices also made an appearance in the Italian firm’s compromised email archive.

The Masque Attack – previously only abused by the infamous WireLurker malware – plays a central role in attempts to hack into regulation (non-jailbroken) iPhones and iPads. The attack takes advantage of a security shortcoming – patched last year – that allows an iOS app with the same file name – regardless of developer – to replace a legitimate app.

The malicious app has to be signed using an enterprise certificate – designed for deploying software across corporations without having to go through the official App Store – and the user has to click through a warning.

Doppelgänger software

A remote control app developed by Hacking Team can download Masque Attack apps from a remote server and have a control panel to configure the malicious behaviour of the installed Masque Attack apps, mainly re-packaged versions of popular social network apps. Doppelgänger versions of Skype, Twitter, Facebook, Facebook Messenger, WhatsApp, Google Chrome, WeChat, Viber, Blackberry Messenger, VK, and Telegram were all in play.

The doctored apps feature an extra binary to exfiltrate sensitive data and communicate with the remote server. Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to version 8.1.3 (the version of Apple’s iOS software that fixes the Masque Attack vulnerability).

If installed, the trojanised apps will execute commands and extract data from compromised devices. Masque Attack vulnerabilities are only partially fixed in iOS 8.1.3, however, the fix was enough to block the Hacking Team malware samples that FireEye found. FireEye researchers reported new types of Masque attack vulnerabilities, and the new types were not fixed until iOS 8.4. Although technically possible, the current Hacking Team malware do not exploit these new vulnerabilities.

The assault is one of the most advanced to date against smartphones and tablets, according to FireEye. The security firm reckons the same or similar approaches are likely to be attempted by other capable hacking groups, including intel agencies.

“This is the first truly advanced attack infrastructure using Masque Attack ever seen, and it is a proof point that advanced attackers are finally putting some real rigour behind smartphones, tablets, and Apple products,” FireEye concludes. “The threat landscape of the global mobile security is evolving to a new era, where attackers start to exhaust every possible vulnerability to obtain capabilities and privilege, and they are also trying to evade detections and stealthily control the victim devices persistently.” ®