Patched Ins0mnia Vulnerability Keeps Malicious iOS Apps Hidden

A patched iOS vulnerability can be exploited to allow malicious apps to bypass background restrictions and exploit Apple devices.

Apple’s monster security update of Aug. 13 included a patch for an iOS vulnerability that could beacon out location data and other personal information from a device, even if a particular task has been shut off by the user.

A mobile app exploiting this vulnerability could also look benign enough to slip past Apple’s security protections guarding the App Store from approving misbehaving apps.

Researchers at FireEye today published a report on the vulnerability they’re calling Ins0mnia. The flaw bypasses restrictions imposed by Apple in iOS that limit how long an application is allowed to run in the background before it’s automatically suspended. The restriction prevents eavesdropping, FireEye said in its report. Users can take advantage of the iOS task switcher to shut off background apps if they so choose.

Ins0mnia’s ability to bypass these limitations not only put user privacy at risk, but also could affect device performance.

“A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge,” wrote FireEye researchers Alessandro Reina, Mattia Pagnozzi  and Stefano Bianchi Mazzone. “This sensitive information could then continuously be sent out to a remote server.”

The researchers said the key was tricking the Apple device into thinking the app was being debugged, preventing the background restrictions from kicking in. From the FireEye report:

“To fool iOS, a malicious application could leverage ptrace, and utilize the ptrace code that handled the PT_TRACE_ME request to set the flag P_LTRACED and gracefully return 0. By setting the P_LTRACED flag, the application prevented the assertiond process from suspending the malicious application. Note that PT_TRACE_ME was a request made by the traced process to declare that it expected to be traced by its parent.”

More disturbing, FireEye said, is the fact that a malicious app targeting this vulnerability can run on non-jailbroken iPhones and iPads.

“Unlike other known iOS malware that runs only on jailbroken devices, or must be distributed with Apple Enterprise Certificates, a hypothetical Ins0mnia malware didn’t require anything not allowed by Apple,” the researchers wrote. “We believe that such an application had a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple’s walled garden.”

The Aug. 13 update from Apple also patched a number of other iOS bugs that include a long list of WebKit code-execution, information (cookie) leakage, and Content Security Policy vulnerabilities, in addition to updating Mac OS X to Yosemite 10.10.5 and patching the critical DYLD privilege escalation vulnerability.

Suggested articles