Wednesday, May 18, 2016

New iOS vulnerability lets malware slip through


’s iOS is erally considered the most reliable and secure mobile platform out there so little wonder that i and iPads are thegadgets of choiceof mobile workers everywhere. Despite its Unix underpinnings, iOS of course isn’t bullet-proof – no software is. But unlike Google’smalware-infested Android, you don’t hr every day about an iOS wkness so fatal it opens the door to malware.Unfortunately, today is precisely that day as resrchers from the Georgia Tech Information Security Center (GTISC) publish details about a newly discovered iOS vulnerability that allows malware installation via seemingly innocuous apps.The wkness circumvents ’s security msures and paves the way to“significant security thrts to the iOS platform.”We’re expecting a swift response on ’s part and a fix via a future update…According to amedia relseGeorgia Tech put out last week, resrcher Billy Lau and his tm showed off the security at Black Hat.The iOS wkness, they explain, allows attackers to snk malware past ’s app review process and install it onto iOS devicessilently, without you being aware of any suspicious activity.Wang’s approach hides malicious that would otherwise get rejected during the review process. Once the malicious app passes review and is installed on a user’s device, it can be instructed to carry out malicious tasks.Theoretically, a third-party iOS app like Facebook could be the carrier of malware.The tm introduced a proof-of-concept attack called Jekyll that rrranges its own to crte new functionality that is not exhibited during ’s approval process.“This allows the malicious aspects of the app to remain undetected when reviewed and therefore obtain ’s approval,”the relse rds.They were ableto publish a malicious app and use it to remotely launch attacks on a controlled group of devices.Our resrch shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge. has apparently“indied that it is continuing to work on ways to address the wknesses revled through Jekyll,”Georgia Tech’s press relse claims.At any rate, this Jekyll method should be enough to give a pause,especially given the bragging in ’s2012 white paperwhich sings praises to iOS devices for providing“strint security technology and ftures”.The report also mentions another recently discovered iOS wkness that usesa proof-of-concept malicious charger and a single-board computer to stlthilyinstall a malicious app.The resrchers will publish their findings at the upcomingUSENIX Security 2013conference that runs onAugust 14–16, 2013in Washington, D.C.In the mntime, is hoping to take iOS security to the next level this Fall with a bunch of capabilities like Lock, a new iOS 7 fture that renders stolen devices useless by denying a carrier , even after the thief has wiped the device cln of data or disabled theFind My iervice.

No comments:

Post a Comment