FireEye mobile researchers recently discovered potentially “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of this library embedded functionality in iOS apps that used the library to display ads, allowing for potential malicious access to sensitive user data and device functionality.
- Capture audio and screenshots
- Monitor and upload device location
- Read/delete/create/modify files in the app’s data container
- Read/write/reset the app’s keychain (e.g., app password storage)
- Post encrypted data to remote servers
- Open URL schemes to identify and launch other apps installed on the device
- “Side-load” non-App Store apps by prompting the user to click an “Install” button
The offending ad library contained identifying data suggesting that it is a version of the mobiSage SDK. We found 17 distinct versions of the potentially backdoored ad library: version codes 5.3.3 to 6.4.4. However, in the latest mobiSage SDK publicly released by adSage – version 7.0.5 – the potential backdoors are not present. It is unclear whether the potentially backdoored versions of the ad library were released by adSage or if they were created and/or compromised by a malicious third party.
Edited by NickAu, 05 November 2015 - 03:50 AM.