High-risk code hits iOS apps, says FireEye experts

FireEye has recently discovered “backdoored” versions of an ad library embedded in thousands of iOS apps, originally published in the Apple App Store.

The affected versions of this ad library were responsible for embedding backdoors in iOS apps. These apps used the library to display ads, allowing for potential malicious access to sensitive user data and device functionality. The backdoors can be controlled remotely by loading JavaScript code from a remote server to perform a number of actions on an iOS device, such as capturing screenshots, monitoring and uploading the location of a device, modifying files in the app’s data container, posting encrypted data to remote servers, and opening URL schemes to identify and launch other apps installed on the device.

The offending ad library contained data suggesting it to be a version of the mobiSage SDK. Seventeen distinct versions of the backdoored ad library were discovered (version codes 5.3.3 to 6.4.4). However, in the latest mobiSage SDK publicly released by adSage – version 7.0.5 – the backdoors are not present.

It is unclear whether the backdoored versions of the ad library were released by adSage or created and/or compromised by a malicious third party. To date, 2,846 iOS apps containing backdoored versions of the mobiSage SDK have been identified. Among these, there have been over 900 attempts to contact an ad server capable of delivering JavaScript code to control the backdoors.

Through the promotion and installation of “enpublic” apps, the ad library exposes users to additional risks such as the background monitoring of SMS or phone calls, stealing email messages and demolishing arbitrary app installations. Apple has released updates addressing some of the vulnerabilities around these “enpublic” apps.

This ad library illustrates why mobile devices must be kept secure: as they become more widespread, cyber criminals find innovative ways to target their victims, and here the backdoors could potentially be controlled remotely by JavaScript code fetched from the Internet.
