FireEye has revealed a security flaw in Apple iOS devices that could allow malicious applications to remain open for an unlimited time while remaining hidden from unsuspecting users.
The flaw, which has been patched by Apple in iOS 8.4.1, allows any iOS application to bypass Apple background restrictions which usually terminate an application after three minutes and prevent applications eavesdropping on users.
Devices running a version previous to iOS 8.4.1 remain open to the vulnerability.
However, security researchers at FireEye said that the flaw, coined Ins0mnia, circumvents the usual limitations imposed by Apple and can affect non-jailbroken devices.
“A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge,” reported FireEye researchers Alessandro Reina, Mattia Pagnozzi and Stefano Bianchi Mazzone in a blog post.
“This sensitive information could then continuously be sent out to a remote server. This flaw could also be leveraged to drastically reduce device performance and system usability. It could even be used to drain the battery.”
Using the Ins0mnia flaw would involve fooling the device into believing that an application was being debugged. This then prevents the OS suspending the application after the usual expiration time.
If the attack is successful, the application will continue to run in the background even after the app was removed with the task switcher.
Josh Goldfarb, vice president and chief technical officer of the Americas at FireEye, told V3 that the vulnerability can allow rogue applications to remain undetected.
“An attacker could send an SMS with a malicious link that entices the mobile user to download a rogue application,” he explained.
“Once installed, the rogue application could use this vulnerability to hide from the user and could then proceed to collect information from the phone, monitor activity, calls or location, and a wide variety of other malicious actions.”
Goldfarb also told V3 that the flaw is evidence that companies need to pay more attention to the security of mobile devices.
“Mobile endpoint devices have access to a tremendous amount of a company’s sensitive, proprietary and confidential information, and they need to be protected,” he said.
“We have a chance to get ahead of the mobile security problem. Traditionally, security budgets shift only when there’s a major breach or attack.
“In the past, many enterprises waited until a big, high-profile security event to make changes in strategy. With mobile, we have seen a steady stream of issues that clearly make a trend: mobile is a major attack vector. Attackers follow the masses and the masses love their devices.”
Apple fixed a number of Mac OS X security vulnerabilities earlier this month after the discovery of a zero-day flaw that could allow hackers to inject malware into the operating system without the need for a password.