Hacking Team cybergroup specialized in compromising Apple iDevice without jailbreak

    FireEye reported that the Hacking Team cybergroup used the Masque vulnerability in iOS to compromise iDevices without a jailbreak. To this end, fake applications were created that imitate legitimate counterparts for all kinds of social services, including WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, BlackBerry Messenger, Skype, Telegram and VK. The fake applications carried a Bundle ID identical to that of the original, which allowed them to access all the data already stored by the legitimate application.



    The original Masque vulnerability (CVE-2014-4493) was closed by Apple with the release of iOS 8.1.3 at the beginning of this year. With the release of iOS 8.4, several other Masque-like vulnerabilities were closed that allowed an application with an existing Bundle ID to access the data of the installed application.

    The fake counterparts of the legitimate applications listed above specialized in stealing various kinds of confidential user information:

    • Records of voice conversations in Skype, WeChat, etc.
    • Text messages of various instant messengers, including Skype, WhatsApp and Facebook Messenger.
    • Web History for Google Chrome Web Browser.
    • Phone calls.
    • SMS and iMessage text message content.
    • GPS coordinates.
    • Contact Information.
    • Photos.

    To create a fake application, a legitimate one was taken and special malicious content was embedded in it: a dynamic library (dylib) called _PkgSign. To force iOS to execute the code of this library, an LC_LOAD_DYLIB load command was added to the application's Mach-O executable.

    The malicious dynamic library specializes in hooking a large number of diverse functions, thereby obtaining confidential user data. Thus the application that handles the user's data is no longer legitimate, although this is invisible to the user, since it looks no different from the normal one.
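    The injection technique described above leaves a trace that a defender can look for: an extra LC_LOAD_DYLIB command in the Mach-O header that points at a library outside the system paths. The following added example (not code from the report or from FireEye) builds a constructed minimal 64-bit Mach-O with three LC_LOAD_DYLIB commands, walks the load commands, and flags any dylib that is neither a system library nor on the app's known list of bundled libraries; the `@executable_path/` prefix for _PkgSign is an assumption, only the library name comes from the report.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O magic
LC_LOAD_DYLIB = 0x0C          # load command that makes dyld load a library
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

def build_dylib_command(name: bytes) -> bytes:
    """Encode one dylib_command: cmd, cmdsize, name offset (24), timestamp, two versions, padded name."""
    payload = name + b"\x00"
    pad = (-len(payload)) % 8                    # 64-bit load commands are 8-byte aligned
    cmdsize = 24 + len(payload) + pad
    return struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000) + payload + b"\x00" * pad

def build_macho(dylib_names) -> bytes:
    """Constructed minimal Mach-O: a header followed only by LC_LOAD_DYLIB commands (no segments)."""
    cmds = b"".join(build_dylib_command(n) for n in dylib_names)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, len(dylib_names), len(cmds), 0, 0)
    return header + cmds

def list_load_dylibs(data: bytes) -> list:
    """Walk the load commands and return the install name of every LC_LOAD_DYLIB."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end, names = 32, 32 + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > min(end, len(data)):   # refuse to walk past the declared area
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_LOAD_DYLIB:
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names

def unexpected_dylibs(names, expected_bundled=frozenset()) -> list:
    """Flag dylibs that are neither system libraries nor on the app's known list of bundled libraries."""
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES) and n not in expected_bundled]

# Constructed sample: a repackaged binary whose last load command pulls in the injected _PkgSign library.
SAMPLE_DYLIBS = [b"/usr/lib/libSystem.B.dylib",
                 b"/System/Library/Frameworks/UIKit.framework/UIKit",
                 b"@executable_path/_PkgSign"]   # path prefix is an assumption; only the name is from the report

def scan_sample() -> list:
    return unexpected_dylibs(list_load_dylibs(build_macho(SAMPLE_DYLIBS)))

if __name__ == "__main__":
    print(scan_sample())
```

    On a real binary the same walk should be run per architecture slice of a fat file, and the expected-bundled list compared against the app's known build manifest rather than left empty.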


    Fig. One of the hooks installed by the malicious library (FireEye data).

    Installing a fake application through a Masque vulnerability is one of the few ways, if not the only one, to compromise iOS without a jailbreak. Apple has already taken the necessary steps to close these vulnerabilities (CVE-2014-4493, CVE-2015-3722, CVE-2015-3725).
