According to the researchers, thousands of iOS apps vetted by Apple's security team and listed on the Apple App Store contain such a backdoor: they embed potentially "backdoored" versions of an ad library. The startling finding is that the 'potential' backdoor could be controlled remotely by attackers who load JavaScript code from a remote server, which could then perform the following actions on an iOS device:
- Capture audio and screenshots
- Monitor and upload device location
- Read/delete/create/modify files in the app's data container
- Read/write/reset the app's keychain (e.g., app password storage)
- Post encrypted data to remote servers
- Open URL schemes to identify and launch other apps installed on the device
- "Side-load" non-App Store apps by prompting the user to click an "Install" button
The researchers found that the offending ad library is a version of the mobiSage SDK. They identified 17 distinct versions of the potentially backdoored ad library, with version codes from 5.3.3 to 6.4.4. However, in the latest mobiSage SDK publicly released by adSage, version 7.0.5, the potential backdoors are not present. It is unclear whether the potentially backdoored versions of the ad library were released by adSage or whether they were created and/or compromised by a malicious third party. As of November 4, FireEye researchers had identified 2,846 iOS apps containing the potentially backdoored versions of the mobiSage SDK. The researchers also observed more than 900 attempts to contact an adSage server capable of delivering JavaScript code to control the backdoors. FireEye says it gave Apple the complete list of affected apps and the technical details on October 21, 2015. The researchers did not find the flawed apps being exploited in the wild; however, they noted that in the wrong hands, malicious JavaScript code that triggers the potential backdoors could be posted and eventually downloaded and executed by affected apps.
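For a defender who keeps an inventory of the SDK versions bundled in their organisation's apps, the version range above is the first thing to triage against. The following script is an added example, not FireEye's or adSage's code: it parses version strings numerically (so that 6.10.0 is not mistaken for a version below 6.4.4) and flags any app whose embedded mobiSage SDK version falls inside 5.3.3 to 6.4.4. Treating the whole range as suspect is a deliberately conservative assumption, since the page names only the endpoints of the 17 affected versions; the inventory records and bundle identifiers are constructed sample data.

```python
"""Triage an app inventory against the reported mobiSage SDK version range.

Added example (not part of the original article). The inventory below is
constructed sample data; in practice it would come from your own build or
dependency manifests.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Endpoints of the affected range as reported in the article.
AFFECTED_MIN = "5.3.3"
AFFECTED_MAX = "6.4.4"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.4.4' into (6, 4, 4) so versions compare numerically.

    A plain string comparison would order '6.10.0' before '6.4.4', which is
    exactly the kind of mistake that silently misses or mis-flags a release.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside the reported affected range (inclusive).

    Assumption: every version between the endpoints is treated as suspect.
    """
    lo, hi = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    return lo <= parse_version(version) <= hi


@dataclass
class AppRecord:
    bundle_id: str    # constructed identifier for the app
    sdk_version: str  # mobiSage SDK version string found in the bundle


def triage(inventory: List[AppRecord]) -> List[str]:
    """Return the bundle identifiers of apps embedding an affected SDK version."""
    return [r.bundle_id for r in inventory if is_affected(r.sdk_version)]


# Constructed sample inventory covering both range endpoints, the clean
# 7.0.5 release, a version just below the range, and a two-digit minor
# version that exposes lexical-comparison bugs.
SAMPLE_INVENTORY = [
    AppRecord("com.example.weather", "5.3.3"),
    AppRecord("com.example.news", "6.4.4"),
    AppRecord("com.example.games", "7.0.5"),
    AppRecord("com.example.notes", "5.3.2"),
    AppRecord("com.example.tenparts", "6.10.0"),
]

if __name__ == "__main__":
    for bundle_id in triage(SAMPLE_INVENTORY):
        print("affected:", bundle_id)
```

Running the script lists only the weather and news apps: 7.0.5 and 5.3.2 sit outside the range, and 6.10.0 is correctly recognised as newer than 6.4.4 rather than being flagged by a string comparison.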