FireEye discovers backdoor version of ad library in thousands of iOS apps

FireEye mobile researchers recently discovered “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of this library embedded backdoors in iOS apps that used the library to display ads, allowing for potential malicious access to sensitive user data and device functionality. Over 2,846 iOS apps were identified containing backdoored versions of mobiSage SDK among which over 900 attempt to contact an ad server capable of delivering JavaScript code to control the backdoors. FireEye detected 17 versions of the backdoored ad library.

The threat allows attackers to remotely perform actions like capturing audio and screenshots, monitoring and uploading device location, post encrypted data to remote servers and sideload non-App Store apps. It also allows for reading, deletion, creation or modification of files and read/write/reset of the app’s keychain.

Last month, iOS users were warned of a threat to their devices by the XcodeGhost malware. Even though Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities the threat of XcodeGhost has maintained persistence and evolved. XcodeGhost is a persistent security risk, its botnet is still partially active, and a variant called XcodeGhost S reveals more advanced samples went undetected.

FireEye has observed 210 enterprises with XcodeGhost-infected applications running inside their networks, generating more than 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers -- which, while not under attacker control, are vulnerable to hijacking by threat actors. Germany and the U.S. are the top 2 countries attacked by XGhost mainly in the education and High-Tech industries.

XcodeGhost C2 traffic can hijack C2 traffic to distribute apps outside the App Store, force browse to a URL, aggressively promote any app in the App Store by launching the download page directly and pop-up phishing windows. While most vendors have updated their apps, infected versions of popular apps like WeChat still exist.

Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees’ iPhones and the attackers’ C2 servers. However, until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost C2 traffic. Given the number of infected devices detected within a short period among so many U.S enterprises, XcodeGhost continues to be an ongoing threat for enterprises.