A massive security bug lets criminals hack iPhones — even if they aren’t
All those of you smug iOS users who thought that the security wall of your i-devices was impregnable (though one Jennifer Lawrence would disagree), here’s a rude wake-up call.
Sifting through data from the Hacking Team leak, FireEye researchers have discovered that the Italy-based cyber-intrusion company has found a way to use masque attacks in real-world scenarios. This information was only obtained after FireEye, a security firm, examined more than 400 GB of corporate data that had been leaked during a security breach of a firm that had been collaborating with various governments and intelligence services.
Even though the masque attack has been patched, meaning that apps can’t overwrite others, an attacker can still modify the bundle identifier to circumvent the patch and have the malicious app installed alongside any official apps, if they can trick the user into installing it.
Because the bundle IDs of the falsified, compromised applications were the same as those of the genuine versions, they could directly replace the genuine apps on devices running iOS versions prior to 8.1.3.
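The two variants described above can be checked for in a device app inventory. The following is an added example, not code from FireEye or from the original article; the inventory format, the `source` field and the short allow-list of bundle IDs are assumptions to be verified against your own MDM data.

```python
import unicodedata

# Assumed allow-list: normalized display name -> genuine bundle ID.
# Verify these against your own App Store inventory before relying on them.
GENUINE = {
    "whatsapp": "net.whatsapp.WhatsApp",
    "facebook": "com.facebook.Facebook",
    "messenger": "com.facebook.Messenger",
    "chrome": "com.google.chrome.ios",
}

def norm(name):
    """Fold case and drop spaces and invisible characters so look-alike names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(c for c in folded if c.isalnum())

def audit(apps):
    """Return (display name, bundle ID, finding) for every suspicious inventory row."""
    genuine_ids = {bid.casefold() for bid in GENUINE.values()}
    findings = []
    for app in apps:
        name, bid, source = app["name"], app["bundle_id"], app["source"]
        if bid.casefold() in genuine_ids:
            # Same bundle ID as the real app: only the App Store build is acceptable.
            if source != "app_store":
                findings.append((name, bid, "genuine bundle ID, not from App Store"))
        elif norm(name) in GENUINE:
            # Trusted name with a foreign bundle ID: the variant that installs alongside.
            findings.append((name, bid, "known app name, unexpected bundle ID"))
    return findings

# Constructed inventory rows (hypothetical MDM export format).
SAMPLE = [
    {"name": "WhatsApp", "bundle_id": "net.whatsapp.WhatsApp", "source": "app_store"},
    {"name": "Facebook", "bundle_id": "com.facebook.Facebook", "source": "enterprise"},
    {"name": "Chrome\u200b", "bundle_id": "com.example.chrome-x", "source": "enterprise"},
    {"name": "Notes Plus", "bundle_id": "com.example.notes", "source": "enterprise"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```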
The 11 apps that were used by the Hacking Team are as follows: WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, BlackBerry Messenger, Skype, Telegram, and VK.
In total, FireEye reports having identified eleven distinct iOS applications using such masque attacks.
Hacking Team’s customer list includes the US Federal Bureau of Investigation (FBI) and UK National Crime Agency (NCA).
According to research carried out by FireEye, the flaw is being actively used against iPhone and iPad users.
The malware apps are only installed if you click an infected link on your phone.
If you ever see an install prompt outside the App Store, make sure to say ‘cancel.’ “It could look identical to the standard app but have extra functionality,” Mullis said. Once the app is installed and trusted by a user, it can be used to steal contact and calendar information, photos, video and other data on the compromised device. By bypassing the security mechanism employed by Apple, hackers made sure that a user trusts a malicious app and downloads it, enabling attackers to steal the data silently. The App Store for iOS smartphones is massive in scale and scope.
Traditional phishing scams involve sending users emails, or occasionally text messages, which come from hackers or scam artists but appear – at least at first glance – to come from legitimate businesses or organizations: “This is the IRS”. To realize the potential of our handheld smartphones, we need applications, or apps as they are called.
The company’s attack tools try everything possible to infiltrate the victim’s device, and enable persistent remote control.