Posted in: Blog, Posted On: Feb 27, 2014, Posted By: cyberinfoadmin
New Apple vulnerability allows Malicious keylogger App to Record User Inputs
Yet another Apple vulnerability has been exposed by security researchers, that can be exploited to track your finger’s every action on iOS Devices i.e. iPhone, iPad etc.
The exploit reportedly targets a flaw in iOS multitasking capabilities to capture user inputs, according to Security researchers at FireEye.
They found a way to bypass the Apple’s app review process effectively and created a proof-of-conceptMonitoring app for non-jailbroken iOS 7.0.x devices.
” app, that runs in the background of the iPhone is a Keylogger Trojan which could allow hackers to monitor user’s activities on the mobile device, including – touches on the screen, home button press, volume button press and TouchID press
, and send all collected events to any remote server.
According to researchers, their proof-of-concept app works on versions 7.0.4, 7.0.5, 7.0.6, and 6.1.x.
“Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.” FireEye researchers said.
In iOS devices, the application running in the background keeps on refreshing itself; but the researchers also noted that disabling iOS 7’s “Background App Refresh” setting would not restrict a malicious app from keylogging.
“For example, an app can play music in the background without turning on its “background app refresh” switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring.” FireEye explained, So the only present solution to the problem is to manually remove apps from the task switcher.
Earlier this week, Apple has issued an urgent update iOS 7.0.6 in response to a SSL vulnerability
that might allow hackers to bypass SSL/TLS verifications
on shared and public networks and steal users information from affected devices, including log-in usernames and passwords, as well as other sensitive information.
The Security firm is actively working with Apple on the issue, but until the release of next iOS update, the only thing iOS users can do – Check and monitor the unnecessary applications running on the device via Task Manager
and KILL THEM.Last month, Trustwave’s Neal Hindocha
also demonstrated that even Smartphone screen swipe gestures can be analyzed by hackers
and as a proof-of-concept he developed a prototype ‘Screenlogging
‘ malware for the iOS and Android Smartphones that works the same as a keylogger software for desktop.