The security expert Chilik Tamir from Mi3 Security has devised some new attack methods that can be exploited by threat actors to install malicious apps on non-jailbroken iOS devices. The security expert Chilik Tamir from Mi3 Security has devised a new attack dubbed SandJacking to install rogue apps on iOS devices.

Tamir presented his attack methods at the recent Black Hat Asia conference, where he explained how to exploit a developer feature, recently introduced by Apple in Xcode 7, to install malware on devices.

Among the novelties introduced with Xcode 7 is the possibility for developers to create iOS apps using certificates that can be issued by providing an Apple ID; this means that coders just need to provide their name and an email address. This process allows developers to create applications that do not need to be uploaded to the App Store and do not need to pass Apple’s application review.

These apps have limited abilities compared to apps that pass Apple’s application review; for example, they are not allowed to access Apple Pay, application domains, iCloud, in-app purchase features, or the passbook/wallet, and they cannot use push notifications. Unfortunately, it is important to highlight that the operations allowed to mobile apps developed with the above process are the same as those conducted by mobile malware. For example, these apps can access users’ data, access the address book, access the calendar and track users through their GPS positions.

The researcher Tamir released a proof-of-concept (PoC) tool called “Su-A-Cyder” that can be exploited by attackers to replace a legitimate app installed on an iOS device with a malicious version that the tool creates. Tamir described Su-A-Cyder as a new threat vector that can create a malicious version of legitimate apps just by connecting the victim’s device to a computer.

“Su-A-Cyder can be described as a recipe that takes one part malicious code (choose your flavor), one part legitimate app (choose your victim), one part Apple ID (anonymous), and mix together to create a new evil client app that easily installs on a non-jailbroken device.”

“Su-A-Cyder is not malware and it is not a vulnerability, it’s a threat vector! It is a compilation of open source technologies (e.g.
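As an added example (not from the article or from Tamir's tool), the Python below sketches one defensive check for the app replacement described here: compare two app-inventory snapshots of a device and flag any app whose signing team changed, rating it higher when the new copy has also lost entitlements for capabilities the article says Apple-ID-signed apps cannot use. The snapshot format, bundle identifiers and team IDs are constructed assumptions, and the check assumes the replacement keeps the original app's bundle identifier.

```python
# Added example: detect an installed app that was replaced by a re-signed copy.
# Snapshot format is an assumption: {bundle_id: {"team_id": str, "entitlements": [keys]}},
# as could be derived from an MDM or device-inventory export.

# Entitlement keys for some of the capabilities the article lists as
# unavailable to apps signed with an Apple-ID-issued certificate.
RESTRICTED = {
    "aps-environment": "push notifications",
    "com.apple.developer.in-app-payments": "Apple Pay",
    "com.apple.developer.associated-domains": "application domains",
    "com.apple.developer.icloud-container-identifiers": "iCloud",
    "com.apple.developer.pass-type-identifiers": "passbook/wallet",
}

def find_replaced_apps(baseline, current):
    """Return findings for apps whose signer changed since the baseline."""
    findings = []
    for bundle_id, now in sorted(current.items()):
        before = baseline.get(bundle_id)
        if before is None or before["team_id"] == now["team_id"]:
            continue  # newly installed app, or same signer (normal update)
        dropped = set(before["entitlements"]) - set(now["entitlements"])
        lost = sorted(RESTRICTED[k] for k in dropped if k in RESTRICTED)
        findings.append({
            "bundle_id": bundle_id,
            "old_team": before["team_id"],
            "new_team": now["team_id"],
            "lost_capabilities": lost,
            # Signer change plus lost restricted capabilities matches a rebuild
            # under a certificate that cannot carry those entitlements.
            "severity": "high" if lost else "medium",
        })
    return findings

# Constructed sample snapshots (not real apps or team identifiers).
BASELINE = {
    "com.example.chat": {"team_id": "AAAAAAAAAA", "entitlements": [
        "aps-environment", "com.apple.developer.icloud-container-identifiers",
        "keychain-access-groups"]},
    "com.example.notes": {"team_id": "BBBBBBBBBB", "entitlements": ["aps-environment"]},
}
CURRENT = {
    "com.example.chat": {"team_id": "ZZZZZZZZZZ", "entitlements": ["keychain-access-groups"]},
    "com.example.notes": {"team_id": "BBBBBBBBBB", "entitlements": ["aps-environment"]},
}

if __name__ == "__main__":
    for finding in find_replaced_apps(BASELINE, CURRENT):
        print(finding)
```

A signer change with no lost capabilities is rated lower because it can also come from a legitimate transfer of the app to another developer.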