One attack, uncovered by FireEye, weaponized apps from the top charts of the App Store including Facebook, WhatsApp, Viber, Google Chrome, Telegram and Skype to steal user data.
Hacking Team modified the apps to hide in plain sight, operating as what appear to be the official apps while silently stealing user data in the background. A library injected into the modified apps can steal the following, according to FireEye:
Voice call recording in Skype, WeChat, etc.
Text message intercepting in Skype, WhatsApp, Facebook Messenger, etc.
FireEye, which also discovered the attack method, reported it to Apple last year and it was patched in iOS 8.1.3. Today’s news marks the first time we’ve learnt that the attack was being used in the wild.
Even though the Masque attack has been patched, so an installed app can no longer be overwritten by another app carrying the same bundle identifier, an attacker can still give the modified app a different bundle identifier to get around the check and install it alongside the official app, provided they can trick the user into installing it.
The attack doesn’t require a jailbroken phone to get in and is as easy as tricking a user into clicking an install link in an email.
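The side-by-side bundle-identifier variant described above leaves traces a defender can look for in a device app inventory: a familiar display name carrying an unexpected bundle identifier, two apps sharing one name, or an install source other than the App Store. The script below is an added example, not FireEye's or the article's code; it assumes an MDM-style export with display name, bundle identifier and install source per app, and the known-good bundle identifiers in it are placeholders to be replaced from a verified baseline.

```python
# Added example (not FireEye's or the article's code): flag look-alike apps in a
# device app inventory. Assumes an MDM-style export with display name, bundle
# identifier and install source per app; the known-good bundle identifiers below
# are placeholders that must be filled in from a verified baseline.
from collections import Counter

# Placeholder baseline: display name -> bundle identifier of the genuine app.
KNOWN_GOOD = {
    "facebook": "com.example.facebook",  # placeholder, not the real identifier
    "whatsapp": "com.example.whatsapp",  # placeholder
    "skype": "com.example.skype",        # placeholder
}

# Constructed sample inventory, shaped like an MDM export.
SAMPLE_INVENTORY = [
    {"name": "Facebook", "bundle_id": "com.example.facebook", "source": "app_store"},
    {"name": "Facebook", "bundle_id": "com.example.facebook.mod", "source": "other"},
    {"name": "Skype", "bundle_id": "com.example.skype", "source": "app_store"},
    {"name": "Notes", "bundle_id": "com.example.notes", "source": "app_store"},
]


def find_lookalikes(inventory):
    """Return (name, bundle_id, reason) findings for apps that deserve review."""
    findings = []
    name_counts = Counter(app["name"].lower() for app in inventory)
    for app in inventory:
        key = app["name"].lower()
        expected = KNOWN_GOOD.get(key)
        # A known display name with a different bundle identifier is the
        # side-by-side variant of the Masque attack the article describes.
        if expected and app["bundle_id"] != expected:
            findings.append((app["name"], app["bundle_id"], "bundle id differs from baseline"))
        # Anything not delivered by the App Store arrived through some other
        # install prompt and is worth a look regardless of its name.
        if app["source"] != "app_store":
            findings.append((app["name"], app["bundle_id"], "installed outside App Store"))
        # Two apps sharing a display name: the bundle-identifier bypass leaves
        # the genuine app and the impostor installed next to each other.
        if name_counts[key] > 1:
            findings.append((app["name"], app["bundle_id"], "duplicate display name"))
    return findings


if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE_INVENTORY):
        print(finding)
```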
This is the first time we’ve seen the attack being leveraged in the real world, by a company that was selling such tools to shady government spy agencies.
If you ever see an install prompt outside the App Store, make sure to say ‘cancel.’