In an excellent and deep blog analysis, Ian Beer of Google’s Project Zero outlines five separate iOS exploit chains that were found on a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iOS 0-days. (For another watering hole attack example, please see our recent blog, “The Mobile Watering Hole: How A Sip Leads to A Trojan Compromise”.)
By a victim simply visiting one of the malicious websites, attackers could silently hack a victim’s iOS device by exploiting a set of previously undisclosed software flaws. Per Zack Whittaker’s story in TechCrunch, researchers found five distinct exploit chains involving twelve separate security flaws, seven of which involve Safari, the built-in web browser on iOS devices.
The five separate attack chains allowed an attacker to deliver an implant and gain “root” access to the device — the highest level of access and privilege on an iOS device. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on the device owner without their knowledge or consent.
As MIT Technology Review reported, Apple patched the bugs quickly in February 2019, so everyone who has updated their iOS devices since then is protected. Rebooting the device wiped the malware, but the data had already been taken. Exactly who was infected remains an open question. iOS users themselves likely wouldn’t know, because the malware runs in the background with no visual indicator and no way for an iOS user to view the processes running on the device.
Zimperium Customers Are Protected
This is another example of a complicated and sophisticated mobile attack – similar to the methodology and attack mechanisms used on desktop platforms. Based on analysis of the Project Zero information by zLabs, Zimperium zIPS detects attempts by the attacker to gain persistence on the device or perform any system or app manipulation.
In addition, leveraging our on-device phishing detection engine, Zimperium zIPS would have been able to alert the user that they are accessing a potentially malicious / phishing website and prevent them from being infected by warning or blocking access to the site prior to any payload delivery.
Zimperium has witnessed previous mobile browser attacks not only using social engineering techniques to direct the user to a malicious site, but also direct browser traffic manipulation – for example, a device connecting to a rogue access point, or being attacked on Wi-Fi networks to redirect users to fake or replacement websites that deliver additional payloads. zIPS provides the broadest range of detection and forensics for such attacks, for both rogue access point and Wi-Fi manipulation attacks.
Zimperium hosted a webinar on September 5th to discuss the details of these exploits. To watch the on-demand webinar, click here.