Chinese Mobile Ad Library Backdoored to Spy on iOS Devices


"FireEye identified 2,846 iOS apps in the Apple App Store running backdoored versions of mobiSage; there have been more than 900 attempts to contact an ad server from which an attacker could remotely send JavaScript commands. As of today, none of those 900 attempts resulted in malicious JavaScript being sent via the backdoor, FireEye said.


The capabilities exist to record audio and screenshots from an iOS device. An attacker could also monitor and upload device and location data, modify files in the app’s data container, read or reset the app’s keychain, post encrypted data to third-party servers, launch other apps on the device, or side-load third-party apps.


FireEye said it notified Apple on Oct. 21, providing it with a complete list of affected apps, and technical details. Wei said the researchers have no confirmation of actions taken by Apple against the apps, which found their way into the App Store.


“All those activities and actions are legitimate under certain circumstances. For example, there are legitimate apps that can record audio. The only difference is that the audio apps are supposed to prompt the user with a clear notification so that the user can say ‘Yes,’” Wei said. “It is probably not so straightforward for the App Store review to identify that these apps can perform these actions secretly in the background.”


In its report, FireEye provides technical details on the backdoor, which it said has two components, one called msageCore, which implements the backdoor functionality and exposes interfaces to JavaScript. The JavaScript component is called msageJS and it provides execution logic and can trigger the backdoors by invoking interfaces exposed by msageCore, FireEye said.


In these interfaces, FireEye discovered the capabilities in the library such as the ability to capture audio and screenshots and other spying features such as stealing passwords.


“This is a very surprising discovery that an ad library can be distributed so widely and can get a [malicious] app published in the App Store,” Wei said."


Details and links are in the full article here: https://threatpost.com/chinese-mobile-ad-library-backdoored-to-spy-on-ios-devices/115255/#sthash.v0JF31RG.dpuf


This topic is now archived and is closed to further replies.
