Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.
The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.
Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.
The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.
The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.
“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.
iOS supports configuring devices through profiles, and MDM enrollment itself is also performed with a profile. Such profiles are easy to create, and Apple even offers an official tool for that. Profiles can restrict app usage, but app restriction is usually limited to supervised devices.
The iPhones impacted by these attacks, however, were not in supervised mode. Instead, the attackers abused the age rating setting to forbid the use of apps with an age rating above 9-plus. Thus, the apps remained on the device but could no longer be accessed.
“Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard,” Talos explains.
The profile can be installed manually via Apple Configurator, or by opening the profile XML from Safari. Once that happens, a new entry appears in the Settings > General > Profile menu. However, if the MDM deploys the profile, it does not appear there; only the MDM enrollment profile will be present.
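The restriction described above lives in a profile's Restrictions payload. As an added, illustrative example (not code from Talos or from the article), the script below parses a configuration profile and flags any payload whose app-rating limit would hide installed apps. The payload type `com.apple.applicationaccess` and the `ratingApps` key are taken from Apple's Restrictions payload documentation; the numeric mapping (1000 = All, 600 = 17+, 300 = 12+, 200 = 9+, 100 = 4+, 0 = no apps) is likewise from that documentation and should be checked against the current reference. The sample profile and app ratings are constructed for the demonstration.

```python
"""Audit an iOS configuration profile (.mobileconfig) for an app-rating
restriction that would hide installed apps.

Constructed example, not Talos code. The payload type
com.apple.applicationaccess and the ratingApps key follow Apple's
Restrictions payload documentation; the value mapping below is an
assumption taken from that documentation.
"""
import plistlib

# Assumed ratingApps values per Apple's Restrictions payload reference.
RATING_LABELS = {1000: "All", 600: "17+", 300: "12+", 200: "9+", 100: "4+", 0: "No apps"}

# Age ratings of the two hidden apps named in the article (12+ and 17+),
# expressed on the same scale.
APP_RATINGS = {"WhatsApp": 300, "Telegram": 600}


def audit_profile(profile_bytes: bytes) -> list:
    """Return one finding per Restrictions payload whose ratingApps limit
    is below 'All', listing which of the known apps it would hide."""
    findings = []
    plist = plistlib.loads(profile_bytes)
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        limit = payload.get("ratingApps")
        if limit is None or limit >= 1000:
            continue  # no app-rating restriction in this payload
        hidden = sorted(app for app, rating in APP_RATINGS.items() if rating > limit)
        findings.append({
            "payload": payload.get("PayloadIdentifier", "?"),
            "ratingApps": limit,
            "label": RATING_LABELS.get(limit, str(limit)),
            "hidden_apps": hidden,
        })
    return findings


# Constructed sample profile: a Restrictions payload that sets the
# limit to 9+ (200), matching the scenario in the report.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions.payload</string>
      <key>ratingApps</key><integer>200</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(f"{finding['payload']}: ratingApps={finding['label']} "
              f"would hide {', '.join(finding['hidden_apps'])}")
```

Run against a profile exported from a device (or captured from an MDM server), the script points at the exact payload that would make a 12+ or 17+ app vanish from the springboard, which is the check a defender would want before trusting an enrollment profile.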
“It’s important to note here that there is no malicious malware, vulnerability or zero-day used to enroll the phone within the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process,” the researchers note.
Users can head to Settings > General > Profiles & Device Management > [MDM configuration] on their iOS devices to view information about the restrictions and applications set/installed by MDM profiles. If no Profiles & Device Management menu is available, the device is not enrolled.