Thousands of iOS Apps in App Store Contain Backdoor in Advertising Platform

Thousands of iOS apps include a version of an advertising platform that allows malicious parties to steal data from iOS users. So far, no app seems to have made use of the backdoor.

As far as is known, 2,846 apps contain the backdoor because they use an older version of AdSage’s mobiSage advertising platform. Apps using the latest version of mobiSage, 7.0.5, do not have the backdoor. Of the 2,846 apps, about 900 contacted an AdSage server, giving those apps the opportunity to load malicious code.

The backdoor allows attackers to record audio, take screenshots and, if the user has allowed it, sideload malicious apps onto iOS devices. Because of iOS sandboxing, this is only possible while the app is active. However, there is no indication that the backdoor was actually used. Security firm FireEye discovered the backdoor and notified Apple two weeks ago.

The backdoor lies in the fact that the old version of mobiSage allowed apps to download arbitrary JavaScript code from AdSage’s server and run it. That is also why Apple allowed the apps into the App Store: although the backdoor was present, the apps did not contain any malicious code at the time of release. Because there are still apps that use the old mobiSage version, malicious parties could still use the backdoor, the security firm estimates.

On Tuesday it became clear that developers have sold information about an exploit that makes it possible to penetrate an iOS device via the browser. Because it involves a series of zero-days, it is possible to escape the sandbox and take over the device completely.