silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,172
Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.
The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.
Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.
The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.
The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.
“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.
The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.
Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.
The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.
The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.
“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.
