A Dropbox representative said the risks are limited because of the inter-app security built into iOS.
“That being said, we’re working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon,” Dropbox told Threatpost.
Spagnulo demonstrated in a video on his site how the vulnerability is exploited. He used the app to open emails that sent tweets or SMS messages on his behalf, launched his Web browser and photo archive, and more.
“A spammer can collect detailed information on the device that viewed the email and display invasive ads, while a malicious attacker, using a browser exploitation framework can perform phishing attacks, hijackings, potentially transforming the victim into a zombie host,” he said.
The Mailbox app is an alternative to the mail client native to iOS on Apple mobile devices. Recently acquired by Dropbox, the app is promoted as having features that help users navigate their inbox in a more efficient manner, as well as speeding up delivery of messages.
Meanwhile, researchers at AlienVault Lab have dug deeper into the Leverage.a Trojan targeting Mac OS X machines. The Trojan was being used in targeted attacks and arrives purporting to be an image file. When the user executes the file, either after receiving it via a phishing email or visiting a compromised website, the malware attempts to connect to a command-and-control server, giving the botmaster remote control over the machine to install more malware or run code.
AlienVault researcher Eduardo De la Arada said the malware tries to connect to the domain servicesmsc[.]sytes[.]net, but that domain has since been taken down. The malware, he said, is written in REALbasic, which lets the attacker build the same code for other platforms such as Windows and Linux.
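The two indicators described above, a file that claims to be an image but is really a native executable, and a host resolving the C2 domain, are the kind of thing a responder would triage first. The script below is an added example, not code from the article, Dropbox or AlienVault: it compares a file's claimed extension against its magic bytes (covering Mach-O, PE and ELF, since the article notes the code can be built for Windows and Linux too), and scans BIND-style DNS query logs for the domain the article names. All file names, file contents and log lines are constructed for the example.

```python
# Added example, not from the article, Dropbox or AlienVault. Two triage checks
# for the Leverage.a indicators described above: (1) a file that purports to be
# an image but carries a native executable's header, (2) a DNS log line showing
# a host resolving the C2 domain. Sample files and log lines are constructed.
import os
import re
import tempfile
from pathlib import Path

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff"}

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

# Executable headers for the platforms the article mentions
# (Mach-O for OS X, PE for Windows, ELF for Linux).
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit",
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "mach-o universal (same magic as a Java class file)",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}


def identify(header: bytes):
    """Classify a file by its leading bytes: ('executable'|'image'|None, label)."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return "executable", label
    for magic, label in IMAGE_MAGIC.items():
        if header.startswith(magic):
            return "image", label
    return None, None


def claims_to_be_image(name: str) -> bool:
    """True if any extension in the name is an image extension, so that
    'holiday.jpg' and a double extension like 'holiday.jpg.exe' both count."""
    return any(s.lower() in IMAGE_EXTENSIONS for s in Path(name).suffixes)


def check_disguised_executable(path: str):
    """Return a finding if the name says image but the bytes say executable.
    Caveat: an OS X app bundle is a directory; run this on the binary under
    Contents/MacOS, not on the bundle itself."""
    with open(path, "rb") as fh:
        kind, label = identify(fh.read(16))
    name = os.path.basename(path)
    if kind == "executable" and claims_to_be_image(name):
        return f"{name}: image extension but {label} header"
    return None


# C2 domain from the article, refanged from servicesmsc[.]sytes[.]net.
C2_DOMAIN = "servicesmsc[.]sytes[.]net".replace("[.]", ".")
QUERY_RE = re.compile(r"query:\s+(?P<qname>\S+)")


def find_c2_lookups(log_lines, domain=C2_DOMAIN):
    """Return BIND-style query log lines resolving the C2 domain or a subdomain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == domain or qname.endswith("." + domain):
            hits.append(line)
    return hits


# Constructed sample lines in BIND query-log format (not real telemetry).
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: servicesmsc.sytes.net IN A + (10.0.0.1)",
    "client 10.0.0.7#51235: query: www.example.com IN A + (10.0.0.1)",
    "client 10.0.0.9#51236: query: SERVICESMSC.SYTES.NET. IN A + (10.0.0.1)",
]


def demo():
    """Write constructed sample files to a temp dir and run both checks."""
    findings = []
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,    # genuine JPEG header
            "DSC_0042.jpg": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,   # Mach-O under an image name
            "DSC_0043.jpg.exe": b"MZ" + b"\x00" * 14,             # PE with double extension
        }
        for name, content in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(content)
            finding = check_disguised_executable(p)
            if finding:
                findings.append(finding)
    return findings, find_c2_lookups(SAMPLE_LOG)


if __name__ == "__main__":
    files, dns = demo()
    print("\n".join(files))
    print("\n".join(dns))
```

The magic-byte check is deliberately independent of the icon or extension the Finder shows, since a hidden extension is exactly what a "purports to be an image" lure relies on. The domain match normalizes case and the trailing dot and also catches subdomains, which a plain substring search would miss or over-match.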
Article updated at 1:40 p.m. ET with comments from Dropbox