Versions of a popular Chinese mobile ad library have been backdoored with capabilities that can be used to surreptitiously record audio and steal data stored on thousands of iOS devices.
Researchers at FireEye said today they have found 17 backdoored versions of the mobiSage SDK (versions 5.3.3 to 6.4.4); the offending behaviors are not present in the most up-to-date version, 7.0.5.
Senior director of security engineering Raymond Wei told Threatpost that it’s unknown whether parent company adSage dropped the malicious capabilities into the SDK, or whether it was a third party such as a criminal or state-sponsored operation.
“It’s hard to know; we don’t have that level of intelligence,” Wei said. “There are some reasons why an ad network would want to collect information beyond the normal use. Ad libraries can become very aggressive to gain an advantage over their competitors if they can collect more information. But recording audio in the background goes beyond the ad library’s functionality.”
Wei suspects the infected ad library moved through a distribution channel in China where developers were downloading it and using it in the development of new apps without suspecting it was backdoored.
“It is difficult to say whether developers got the infected library directly from the company or are they infected in transit, just like with XcodeGhost,” Wei said. “We cannot determine that at this point.”
The capabilities exist to record audio and take screenshots on an iOS device. An attacker could also monitor and upload device and location data, modify files in the app’s data container, read or reset the app’s keychain, post encrypted data to third-party servers, launch other apps on the device, or side-load third-party apps.
FireEye said it notified Apple on Oct. 21, providing it with a complete list of affected apps and technical details. Wei said the researchers have no confirmation of actions taken by Apple against the apps, which found their way into the App Store.
“All those activities and actions are legitimate under certain circumstances. For example, there are legitimate apps that can record audio. The only difference is that the audio apps are supposed to prompt the user with a clear notification so that the user can say ‘Yes,’” Wei said. “It is probably not so straightforward for the App Store review to identify that these apps can perform these actions secretly in the background.”
Through these interfaces, FireEye discovered capabilities in the library such as the ability to capture audio and screenshots, along with other spying features such as stealing passwords.
“This is a very surprising discovery that an ad library can be distributed so widely and can get a [malicious] app published in the App Store,” Wei said.