Thousands of legitimate iOS apps discovered containing ad library backdoors

More than 2,000 iOS apps stocked in Apple’s legitimate App Store reportedly contained backdoored versions of an ad library, which could have allowed for surveillance without users’ knowledge.

iBackDoor, as FireEye researchers call their findings, could have allowed impacted apps to remotely capture audio and screenshots; monitor and upload device locations; post encrypted data to remote servers; and read, delete, and modify files in the app's data container, among other actions.

FireEye counted 2,846 affected iOS apps, more than 900 of which attempted to contact an ad server capable of delivering JavaScript code to control the backdoors. No app was observed actually carrying out malicious commands, although the backdoor could have been triggered at any time.

Although the cybersecurity firm notified Apple of its findings, Raymond Wei, senior director of engineering for mobile security at FireEye, said that when he last checked, at least 400 of the apps were still listed in Apple's store.

Calling Apple's app approval process a “black box,” Wei said backdoors similar to iBackDoor could slip through because the actions it is capable of carrying out aren't malicious in themselves.

“Recording audio, GPS locations, reading photos, and uploading data can be done if properly handled,” he said in an interview with SCMagazine.com. “If users give permission, [these actions are] legitimate.”

It isn't clear how Apple could distinguish illegitimate from legitimate uses of those capabilities, he said. “They don't have a clear way to review it,” he continued.
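The review problem Wei describes is that each capability is legitimate on its own; what marks a backdoor is the combination of a remotely scriptable bridge, an upload path and sensitive APIs in one binary. As an added illustration (example code written for this page, not FireEye's or Apple's tooling), the script below takes a symbol listing of the kind nm or strings produces from an app binary and flags it only when that combination co-occurs. The Apple framework symbols and selectors are real; the grouping into capability classes, the flagging rule and the two sample listings are this example's own constructed assumptions.

```python
import re

# Capability classes keyed to Apple framework symbols and selectors. The API
# names are real; grouping them into classes and the flagging rule below are
# this example's own assumptions, not FireEye's or Apple's review criteria.
CAPABILITIES = {
    "audio_capture": {"AVAudioRecorder", "AVAudioSession", "AVCaptureDevice"},
    "screenshot": {
        "UIGraphicsBeginImageContextWithOptions",
        "UIGraphicsGetImageFromCurrentImageContext",
        "renderInContext:",
    },
    "location": {
        "CLLocationManager",
        "startUpdatingLocation",
        "locationManager:didUpdateLocations:",
    },
    "file_access": {"NSFileManager", "removeItemAtPath:error:", "writeToFile:atomically:"},
    "remote_upload": {"NSMutableURLRequest", "setHTTPBody:", "NSURLSession", "NSURLConnection"},
    "js_bridge": {
        "JSContext",
        "evaluateScript:",
        "stringByEvaluatingJavaScriptFromString:",
        "evaluateJavaScript:completionHandler:",
    },
}
SENSITIVE = {"audio_capture", "screenshot", "location", "file_access"}

# nm-style line: '<optional hex address> <type letter> <symbol name>'
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+)?\s*[A-Za-z]\s+(\S+)$")


def parse_symbols(dump):
    """Normalise an nm-style listing plus bare selector names (as strings
    prints them from the __objc_methname section) into one set of names."""
    names = set()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NM_LINE.match(line)
        name = m.group(1) if m else line
        # Drop the Objective-C class-symbol prefix and the leading C underscore.
        name = name.replace("_OBJC_CLASS_$_", "")
        if name.startswith("_"):
            name = name[1:]
        names.add(name)
    return names


def classify(names):
    """Map each capability class to the symbols from the dump that hit it."""
    hits = {}
    for cap, markers in CAPABILITIES.items():
        found = sorted(markers & names)
        if found:
            hits[cap] = found
    return hits


def assess(dump):
    """Triage rule (this example's assumption): flag only when a scriptable
    JS bridge, an upload path and at least two sensitive capabilities all
    co-occur. Any one of them alone is routine in a legitimate app."""
    hits = classify(parse_symbols(dump))
    sensitive_hits = sorted(SENSITIVE & set(hits))
    flagged = ("js_bridge" in hits and "remote_upload" in hits
               and len(sensitive_hits) >= 2)
    return {"flagged": flagged, "capabilities": sorted(hits), "sensitive": sensitive_hits}


# Constructed sample: a mapping app that uploads location fixes. Not flagged.
LEGIT_MAPS_APP = """
# constructed nm/strings excerpt
0000000100004f20 U _OBJC_CLASS_$_CLLocationManager
0000000100004f30 U _OBJC_CLASS_$_NSMutableURLRequest
startUpdatingLocation
setHTTPBody:
"""

# Constructed sample: an SDK exposing audio, screenshot, location and file
# access to server-supplied JavaScript, with an upload path. Flagged.
SUSPECT_APP = """
# constructed nm/strings excerpt
0000000100004f20 U _OBJC_CLASS_$_AVAudioRecorder
0000000100004f30 U _OBJC_CLASS_$_CLLocationManager
0000000100004f40 U _OBJC_CLASS_$_NSFileManager
0000000100004f50 U _OBJC_CLASS_$_NSMutableURLRequest
0000000100004f60 U _OBJC_CLASS_$_JSContext
0000000100004f70 U _UIGraphicsGetImageFromCurrentImageContext
evaluateScript:
stringByEvaluatingJavaScriptFromString:
removeItemAtPath:error:
setHTTPBody:
startUpdatingLocation
"""

if __name__ == "__main__":
    for label, dump in (("legit maps app", LEGIT_MAPS_APP), ("suspect app", SUSPECT_APP)):
        print(label, assess(dump))
```

The rule is a triage heuristic, not a verdict: a legitimate hybrid app that drives native features from its own JavaScript will hit it too, which is exactly why a reviewer still has to look at where the script comes from and who controls the server that serves it.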

As for the ad network responsible for the malicious library, Wei said he didn't like to point fingers because it remains unclear whether the library was altered during distribution or designed that way, though he did note that the most recent update to the ad library removed the malicious code.

“We don't know why they did that,” he said. “Maybe pressure or Apple's pressure, really we have no idea.”

With that in mind, he also noted that just because an ad library is updated doesn't mean the apps are, too. It can take time for developers to update their apps, and “if it's working, they don't want to fix it,” Wei said.

Ultimately, regular users have no practical way to detect or block a threat like this on their own; they depend on the App Store review process and on Apple's vigilance in tracking down suspicious apps.
