Critical iPhone security bug allows hackers to install spy apps without you
The threat was revealed by security firm FireEye at the Black Hat security conference in Las Vegas, after researchers analysed the 400GB of data logs leaked from Hacking Team last month.
“Even if the user has always clicked ‘Don’t Trust’, iOS still launches that enterprise-signed app directly on calling its URL scheme”, he said. “Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3”, FireEye said.
The 11 apps used by Hacking Team are: WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, BlackBerry Messenger, Skype, Telegram, and VK. FireEye, a cybersecurity and malware protection firm, has only identified “Masque” attacks on iPhones, according to Business Insider. The company has worked for top-tier clients made up of government agencies and police organizations, including the infamous American Federal Bureau of Investigation (FBI).
FireEye, a publicly listed US network security company, has now uncovered and detailed one of the attacks used by the snoop-ware maker against various iOS devices.
If smartphone users browsing the web click on an infected link, the malicious apps can be installed on their devices without their knowledge. That app will look and behave like the real thing – except that hackers will be controlling and monitoring it, and watching what you do on it. Once the app is installed and trusted by a user, it can be used to steal contact and calendar information, photos, video and other data on the compromised device. The malicious apps are versions of the standard app with extra functionality to exfiltrate sensitive information to remote servers. It also shows why administrators need to restrict installation of iOS applications on corporate-owned devices unless the applications are obtained from the official App Store, he said.
Traditional phishing scams involve sending users emails or occasionally text messages which come from hackers or scam artists, but appear – at least at first glance – to come from legitimate businesses or organizations: “This is the IRS”. The recently discovered issue might not affect a large number of users yet, but it has massive potential for hackers because of the way it operates: It fools the iPhone into downloading a malicious app that replicates an actual app on your phone that it then covertly replaces.
“It is a glimpse under the water to see the rest of the iceberg”, Mullis said.
“There is a clear ecosystem at play and I have no doubt that this technique could and will be used by criminal gangs for financial gain”, he said.