Hackers are using a leaked Hacking Team vulnerability to spy on iPhone users, according to researchers at FireEye.
FireEye global technical lead Simon Mullis reported the “Masque” attack in an interview with Business Insider.
“The most recent version of the Masque attack uses a technique called ‘URL Scheme Hijacking.’ The attacker is initially able to bypass the mechanism used by Apple to ensure that a user trusts an app that is being installed,” he said.
The technique used in the attacks was leaked during the Hacking Team data breach. Hacking Team is a software company that creates digital surveillance tools for government departments and law enforcement agencies.
Its customer list includes the US Federal Bureau of Investigation (FBI) and the UK National Crime Agency (NCA). The breach occurred in June, when a group of hackers broke into its network and leaked 400GB of data allegedly stolen from the company.
The attacks work by using malicious web links to dupe smartphone users into installing malicious apps that are not hosted on official app stores. “If you can be tricked into clicking on a link on your phone to install an application then any of your apps could be replaced with a malicious version. It could look identical to the standard app but have extra functionality,” Mullis said.
“Once installed, the new malicious application can hijack the communications used by legitimate apps and steal information, such as login credentials.”
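URL scheme hijacking of the kind Mullis describes depends on a second app registering a custom URL scheme that a legitimate app already handles, so that links meant for the real app can be routed to the impostor. The script below, an added example that is not FireEye's tooling or anything from the interview, parses the Info.plist of each installed app and flags schemes claimed by more than one bundle identifier. The plist contents and bundle identifiers are constructed sample data for hypothetical apps, not metadata taken from real devices or real apps.

```python
"""Flag iOS URL schemes that more than one installed app claims.

Added example for this article; it is not FireEye's tooling or anything
from the interview. URL scheme hijacking needs a second app that registers
a custom scheme (CFBundleURLSchemes in its Info.plist) already handled by
a legitimate app. The Info.plist contents below are constructed sample data
for hypothetical apps, not metadata pulled from real devices or real apps.
"""
import plistlib
from collections import defaultdict

# Constructed Info.plist data for three hypothetical apps: two legitimate
# ones and a repackaged app that claims the legitimate apps' schemes.
SAMPLE_PLISTS = {
    "messenger.app/Info.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.messenger</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>examplemsg</string><string>examplemsg-auth</string></array>
  </dict></array>
</dict></plist>""",
    "taxi.app/Info.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.taxi</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>exampletaxi</string></array>
  </dict></array>
</dict></plist>""",
    "repack.app/Info.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>net.attacker.repack</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>ExampleMsg</string><string>exampletaxi</string></array>
  </dict></array>
</dict></plist>""",
}


def url_schemes(plist_bytes):
    """Return (bundle identifier, set of lower-cased URL schemes) from an Info.plist."""
    info = plistlib.loads(plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "<unknown>")
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            # iOS matches schemes case-insensitively, so normalise before comparing.
            schemes.add(scheme.lower())
    return bundle_id, schemes


def find_scheme_collisions(plists):
    """Map each URL scheme claimed by more than one bundle to its sorted claimants."""
    claimants = defaultdict(set)
    for plist_bytes in plists.values():
        bundle_id, schemes = url_schemes(plist_bytes)
        for scheme in schemes:
            claimants[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in claimants.items() if len(ids) > 1}


def report(plists):
    """One human-readable line per colliding scheme, sorted by scheme name."""
    lines = []
    for scheme, ids in sorted(find_scheme_collisions(plists).items()):
        lines.append(f"{scheme}:// claimed by {', '.join(ids)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PLISTS):
        print(line)
```

Feed it the Info.plist of every app in an extracted device or MDM inventory; a scheme that two bundles claim is not proof of compromise (some vendors ship several apps sharing a scheme), but it is the precondition for routing another app's links to a repackaged copy and is worth reviewing by hand.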
The attacks only work if the user follows the malicious link and installs the app. Users who only install apps from legitimate stores and do not fall for the attackers’ phishing lures should be safe.
The technique reportedly works on all major mobile operating systems, including iOS and Android. Business Insider has reached out to the companies involved for comment on FireEye’s findings and for advice on how users can protect themselves.
Mullis said FireEye has already discovered malicious versions of several popular legitimate apps targeting smartphone users in the wild.
“Imagine a malicious version of a taxi application that always calls a driver who is working with the bad guys; an Instant Messenger app that automatically uploads private messages, photos and GPS locations to a remote server,” he said.
“We have found examples of many well-known apps that have been repackaged in this way: Twitter, Facebook, WhatsApp, Viber, Skype and others. They are versions of the standard app with extra functionality to exfiltrate sensitive information to remote servers. We have found these applications in use in the wild.”
The attacks currently have a “small”, undisclosed number of victims. Mullis said he expects the attacks to expand their target base in the near future.
“There is a clear ecosystem at play and I have no doubt that this technique could and will be used by criminal gangs for financial gain,” he said.