Scammers Have 2 Clever New Ways to Install Malicious Apps on iOS Devices
upstart writes:
Scammers have 2 clever new ways to install malicious apps on iOS devices:
Apple has long required that apps pass a security review and be admitted to the App Store before they can be installed on iPhones and iPads. The vetting prevents malicious apps from making their way onto the devices, where they can then steal cryptocurrency and passwords or carry out other nefarious activities.
[...] Enter TestFlight, a platform Apple makes available for the beta testing of new apps. By installing Apple's TestFlight app from the App Store, any iOS user can download and install apps that have not yet passed the vetting process. Once TestFlight is installed, the user can download the unvetted apps using links attackers publish on scam sites or in emails. People can use TestFlight to invite up to 10,000 testers using their email address or by sharing a public link.
"Some of the victims who contacted us reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange," Jagadeesh Chandraiah, a malware analyst at security firm Sophos wrote. "We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through TestFlight. We continue to look for other CryptoRom apps using the same approach."
Wednesday's post showed several of the images used in the CryptoRom campaign. iOS users who took the bait received a link that, when clicked, caused the TestFlight app to download and install the fake cryptocurrency app.
Chandraiah said that the TestFlight vector provides attackers with advantages not available with better-known App Store bypass techniques that also abuse legitimate Apple features. One such feature is Apple's Super Signature platform, which allows people to use their Apple developer account to deliver apps on a limited ad hoc basis. The other feature is the company's Developer Enterprise Program. It lets big organizations deploy proprietary apps for internal use without employees having to use the App Store. Both methods require scammers to pay money and clear other hurdles.
Read more of this story at SoylentNews.