- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
cross-posted from: https://lemmyf.uk/post/5813538
First ever iOS trojan discovered — and it’s stealing Face ID data to break into bank accounts
TLDR: Trojan can only be installed with an MDM setup, you should never enroll in random MDM profiles anyways. They started by using it in a TestFlight app, but Apple has since kicked them off.
the hackers used social engineering to persuade their victims into installing a Mobile Device Management (MDM) profile. For those unfamiliar, MDM is a methodology and set of tools used by a business’ IT department to manage company phones, computers and other devices. If a victim did fall for this new tactic, the end result was that the hackers now had complete control over their iPhone.
So when your IT person calls you up and asks you to install apps. Just say no.
Unless it’s not your device and was given to you by your company.
While Android banking trojans are typically distributed through malicious apps and phishing attacks, getting a trojan onto an iPhone is a bit more difficult due to how Apple’s ecosystem is much more closed off than Google’s. Still, like they often do, hackers have found a way.
During the beginning of this malware campaign, the hackers behind it leveraged Apple’s mobile application testing platform TestFlight to distribute the GoldPixaxe.IOS trojan. It’s extremely difficult to get a malicious app onto Apple’s App Store but by abusing the iPhone maker’s TestFlight program, it is possible. This worked at the start of the campaign but once this malicious app was removed from TestFlight, the hackers behind this campaign had to come up with a more sophisticated means of distributing their iOS trojan.
With TestFlight access revoked, the hackers used social engineering to persuade their victims into installing a Mobile Device Management (MDM) profile. For those unfamiliar, MDM is a methodology and set of tools used by a business’ IT department to manage company phones, computers and other devices. If a victim did fall for this new tactic, the end result was that the hackers now had complete control over their iPhone.
Vietnam and Thailand only. Everyone else, don’t agree to sideload something prompted by a guy on the phone.
Ok, so not great, but not terrible.
Firstly you had to fall for social engineering to get the dodgy app via TestFlight. Later on, you had to fall for social engineering to get the dodgy app via you installing an MDM profile on your own device. In the future, you’ll doubtless be able to get socially engineered to sideload it.
Currently, in the UK (I don’t know what this is like in other countries), we get regular prompts from our banks not to share one-time codes with anyone, not even bank employees. And not to transfer money to ‘safe’ accounts, even if someone claiming to be the bank or the police tell you to. They’ll just need to update those to also say “We at Bank will never ask you to install test or special versions of our app, or update them anywhere other than the official Apple/Google app store”.
This is a social engineering problem, not really an iOS (or Android) technical one.
EDIT: The article is suspiciously vague one one point:
Once installed on either an iPhone or an Android phone, GoldPickaxe can collect facial recognition data, identity documents and intercepted text messages, all to make it easier to siphon off funds from banking and other financial apps. To make matters worse, this biometric data is then used to create AI deepfakes to impersonate victims and access their bank accounts.
What ‘facial recognition data’ is it gathering, and how? As I understand it, FaceID is processed in a secure enclave, and regular apps don’t have access to that - they send a ‘verify this person’ request, the phone itself triggers a FaceID scan, does the verification itself and sends back a ‘yes, all good’ reply to the app - the app itself does not get FaceID or biometric data. So unless it’s just doing something like using the camera to take some photos or videos of the user, I’d like to know what the article is talking about there…
Lazy journalism. The two variants showcases exactly how iOS is more secure and how much harder it is to get on the device as well as attempt to extract info.
Few quick points to answer questions outlined here:
- Android and iOS Variants behaves differently. Due to security measures (as outlined in this post itself) iOS variant cannot actually extract facial recognition data. Instead, it takes photos of user with prompts about shifting their face and blinking etc. The setup here is because Thailand’s central bank requires banks to perform facial recognition to withdraw larger sums of money. By stealing your face in multiple photos, they could build a deep fake of your face to be used in another device later.
- Due to the way security works on iOS, the iOS variant cannot exfiltrate SMS messages directly. There is simply no permission to do such. Instead, it tricks users into installing a SMS filtering extension “to prevent fraudulent SMS” — this allows attacker to read incoming SMS, but only from unknown numbers. The hopes here is that they could intercept your MFA received via SMS at a later date.
If anyone wants to do the full reading, it is available from Group-ib directly.
And yes, this further cements my thoughts about EU making a terrible move forcing Apple to enable side loading as it adds additional vectors for bad actors to get into a currently much more secure and harder to invade device.
If (when) this allows iOS Trojans through side loading you better believe that Apple will throw it all back at the EUs doorstep. I’m gonna howl how idiots thought it would make things “better”.
Of course many of those people that “want side loading” don’t give two craps about users. They just wanna see Apple knocked down a peg because of their sad little lives.
Wanna make things better in a way that gets my approval, kill all subscription models and just pay for genuine software updates that need to be justified through the new features they add.
Lifehackers finds a wayYes put you face and fingerprints and biometric data into our completely hackerproof devices, its very secure and not likely to have bad consequences at all!
- every phone manufacturer and banker in existence.
Iphone users crying in the comments intead of just growing a brain
This is a small taste of what sideloading will bring to all of your parents who own iOS devices!
I honestly can’t wait for the gong show to begin.
Just like the cookie law and GDPR before it, the intention might be good, but the implementation is so botched that it’s just going to be a huge mess.
Hope a couple of emulators and porn apps will be worth it for those that advocated for this crap.
Most of the advocates for it use Android instead anyway and aren’t likely to be impacted at all.
Android users are not forcing you or pushing for how Apple users use their phones. I don’t get where this adversarial stuff comes from. We already have this feature.
sideloading or not, you can just socially engineer vulnerable folks into installing trojans you your phone. as proven by this post.
there will always be a way regardless if you are stuck inside a competition-free walled garden or not.
MFA or not, you can always social engineer people into getting access into their bank account. There’s even SS7 attack for SMS based MFA. So, let’s just abolish passwords and MFA all together and everyone hold hands to sing Kumbaya and be hippies together… right? No, of course not. You do not weaken an established system because there’s ways for bad actors to act maliciously. Vast majority of Apple users doesn’t care for side loading and would benefit from the security that comes with the walled garden, very few Apple users (and the Lemmy user base does not a represent a statistically significantly broad representation of the user base) knows enough to care for otherwise, but are now getting dragged along for the ride.
Thats like blaming a knife for the users inability to understand you have to grip it by the handle.
That vast majority can continue using their phones as if nothing ever happened. Nobody is forcing them and more choice is good.
Even if they are not using the feature they will benefit from competition in the space. That’s the only sane way within capitalism. This far outweights the very small perceived risk a very small minority of users may or may not be subjected to the very same social engineering attack thats already being exposed by the article.
Its not us Lemmy or Android users pushing for this and dragging you along, we already have that feature, its fine. Its regulators wanting to mitigate the effects of a monopoly and this is benefical for the industry as a whole.
Again, you even said it yourself, most users can (and will) always keep the feature off anyway. Nobody is forced to use it and Apple will sure make it difficult anyway.
There are plenty of apps people are forced to install; apps used for international airport entries, apps that’s used by everyone professionally, or worse yet, that one state-owned chat app grandma uses back home because everyone else uses it around her. All it take is one of them deciding they don’t want to be part of the strict review process and that their ability to further spy on their users are worth the core technology fee, and now people would be forced to use third party app stores with questionable review process. The “scare screen” before they add the third party App Store? That’s just going to be another thing users blindly click through due to notification fatigue.
At least for the time being, the current proposal put forth, Apple should still theoretically be able to revoke apps from third party app stores, and they still retain entitlement (sandbox/low level hardware access) signing rights. Once those checks and balances are taken away… then all hell breaks loose and those not super tech savvy (read: 99%+) will be hurt the most. At least I am comfortable enough to look out for myself 🤷
android can sideload apps since its inception and this was never an issue. i doubt it will be with ios.
Because Google already lets apps do anything they want no matter how malicious. There’s no reason to leave the Play Store.
Apple has people sneak past their rules on occasion because screening is hard, but they have and enforce rules that protect your privacy that malware companies like Facebook don’t want to follow.
It absolutely has happened on Android. The Russian government has launched their own app store, as an example of a state-owned-and-operated third party app store.
Additionally, once both iOS and Android are opened up, the capability to control the end-to-end distribution on both platforms simultaneously becomes a much larger incentive for major corporations; gone are the days where some users receives some features earlier because the other app store have not pushed the update yet – they control it end-to-end.
I mean, I should be abundantly clear: simply operating a third party store does not equate to malicious intent. Some would argue the corporation case above could be considered beneficial for users. However, having third party stores with varying degree of security capabilities increases attack vectors for bad actors, and thereby making it more difficult for everyday users to manage – an additional layer of complexity iOS users have not had to deal with for many years and very very few has signed up for.
Eh, it’s already possible without sideloading
It’s almost impossible without sideloading, requiring heavy social engineering and it is lockable by Apple. Whereas it has the possibility to become common-place with sideloading as it’s requested in the lawsuits from Epic and by most of the anti-Apple folks on reddit/lemmy.
My parents android devices (with optional sideloading) are fine.
I have a feeling iOS users will be about the same despite Apple’s attempts to fearmonger it.
Exactly. It would be complicated to pull off something like this via side loading given that Apple’s proposal requires apps to be hosted on an alternative store rather than just being a single app that you could download (like APKs on Android). The paragraph below from their Newsroom post about the changes being made also suggests there will still be some form of app review happening for apps even if they aren’t being hosted on the App Store.
Notarization for iOS apps — a baseline review that applies to all apps, regardless of their distribution channel, focused on platform integrity and protecting users. Notarization involves a combination of automated checks and human review.
It would be easier for a scammer to use an MDM profile like they did with this scam rather than trying to trick people into side loading.
TestFlight isn’t the same as sideloading. And preventing sideloading has no effect on your IT illiterate relative handing over MDM control to a malicious actor.
Would you blame sideloading if your relative gave a random “fraud specialist” at their bank their online banking password and they had their bank account drained? That’s the essentially same kind of attack that happened here
You missed my point entirely. Once sideloading is available Trojan authors no longer need you to install an MDM to infect your parents devices.
They will still have to social engineer the target to get it enabled and installed.
I get your point, but where I don’t agree is that sideloading is more insecure than already exploited systems. What safety does disabling sideloading provide when the same user vulnerable users are able to be socially engineered to bypass several restrictions and install the test flight app or a management profile to give hackers control?
It’s not as if sideloading is going to be allow users to click a malicious ad that pops in at the last second where the real download button should be. It is going to behind the same multiple step processes that the current test flight or MDM vectors are
What safety does several layers of effective safety that removed this threat quickly and obviously prevented it from becoming a widespread issue provide?
And that is not what people are pushing for for sideloading. People want to be able to have alternative app stores with their own sets of rules that will not require test flight or MDM vectors.
deleted by creator
The app was available (via testflight) to download even without sideloading…
And got kicked off by Apple, as per the article… A thing that can’t be done in the future that a lot of people who use Android want to force onto Apple users.
I think the current proposed implementation would still allow Apple to revoke apps from third party stores, and they’d still control entitlements internally. Having said that, there’s plenty of pushbacks already, and I haven’t caught up as to whether or not EU approved their proposal yet. In all cases, as I said earlier, just like the cookie law and GDPR, the DMA maybe came from a good place with some good ideas, but the implementation is so broken, what companies will do to comply with the word of the law will be a gong show.
deleted by creator
This is not Android users forcing anything upon you. Its about antitrust. No one will force you to enable sideloading.
Hell, Apple will probably heavily discourage anyone from trying it.