Hacking Team compromised non-jailbroken iOS devices

Security experts from FireEye demonstrated that Hacking Team leveraged iOS vulnerability to install fake messaging apps implementing a Masque Attack.

Another news related with the leak of the Hacking Team‘s hack, this time it was discovered that Hacking Team was capable of compromising IOS devices, even if they weren’t jailbroken.

To accomplish this, Hacking Team was using a changed version of last year’s Masque Attack, and the devices were infected by text messages or email.

Even if this article is about the IOS devices, it is important to remember that Hacking Team could compromise every major Mobile platform, such iOS, Android, Windows Phone, Blackberry, Symbian.

At the Black Hat 2015 conference, experts from FireEye explained how the Hacking Team was targeting mainly Android and IOS devices.

FireEye explained that normally only jailbroken devices could be exploited by the Remote Control System (RCS) agent, but the experts discovered that even non-jailbroken devices could be exploited using the Mask Attack.

The Masque Attack, was already known and was implemented by the WireLurker malware, where the malware was taking advantage of a flaw that was patched last year.

Basically, an attacker can exploit the flaw by developing a malicious app with the same name of the legitimate one that he intends to replace.

The malicious app has to be signed using a bogus enterprise digital certificate, digitally signed code could allow an attacker to deploy the software across organizations without having to go through the official App Store. In this way, victims have no idea of the ongoing infection because they don’t receive any specific warning.ù

Coming back to the main subject here, the Masque Attack performed by the Hacking Team relies on a remote server to download the malicious copies of legitimate applications. The bogus apps are managed through a control panel by the attackers. Hacking Team was re-packaging popular mobile apps such as Skype, Twitter, Facebook, Facebook Messenger, WhatsApp, Google Chrome, WeChat, Viber, Blackberry Messenger, VK, and Telegram, and more.

During the re-packaging, an extra binary is added, the malicious code allows attackers to exfiltrate sensitive data, and communicate with Hacking Team’s remote server. Since the bundle identifiers were the same as the original apps, it meant that they could replace the original apps on IOS devices ( all IOS versions before IOS 8.1.3).

When installed the fake applications would execute commands and extract data from the devices.

Apple fixed the problem with Masque Attacks in IOS 8.1.3, and from that point on Hacking Team’s efforts to perform the attack were unsuccessful, but FireEye told that new types of Masque attack vulnerabilities were found and current IOS version 8.4 it is still vulnerable to them.

“This is the first truly advanced attack infrastructure using Masque Attack ever seen, and it is a proof point that advanced attackers are finally putting some real rigour behind smartphones, tablets, and Apple products,” “The threat landscape of the global mobile security is evolving to a new era, where attackers start to exhaust every possible vulnerability to obtain capabilities and privilege, and they are also trying to evade detections and stealthily control the victim devices persistently.”  FireEye said.

Edited by Pierluigi Paganini

(Security Affairs – Hacking Team, iOS)