iOS 9 will fix a massive iOS vulnerability that silently lets malware apps inside the iPhone

Published Sep 16th, 2015 7:45AM EDT
iOS 9 Security Fix AirDrop Malware
Image: Jonathan Geller, BGR


Apple will release the final version of iOS 9 later today, and the update brings several new features and performance improvements. On top of that, the new release fixes a serious iOS vulnerability that would allow a third party to gain control of a user’s iPhone. The bug also affects Macs and will be squashed in the upcoming OS X El Capitan release (set to launch on September 30th).


According to Azimuth Security researcher Mark Dowd, anyone within wireless range of an AirDrop user could install malware on a target device and then use that program for various malicious purposes. AirDrop is the feature that lets users quickly transfer files between iOS and Mac devices.

All the while, the user would not suspect anything, even if he or she rejects the incoming AirDrop transfer from the unknown contact.

To initiate the attack, all a hacker has to do is send a file via AirDrop to an iOS device running iOS 7 or later, or to a Mac running OS X Yosemite. It doesn’t even matter whether the recipient accepts the incoming transfer; the attack is triggered either way.

The hacker would then have to wait patiently for the user to reset the iPhone or Mac for any reason, at which point the malware app gets installed. How can a non-App Store app be installed that easily, you ask? The hacker signs it with an Apple enterprise certificate, fooling the OS into treating it as a genuine piece of software, the kind that enterprises distribute to their own fleet of Apple devices.

“The [malware] app is restricted by its sandbox,” Dowd told Forbes. “However since you sign the app, you can grant some entitlements that allow it to do things like read contacts, get location information, use the camera or whatever other entitlements legitimate apps can be allowed to have.”

The video below shows the attack in action, with Dowd replacing the Phone app on the iPhone with an app of his choosing.

iOS 9 and OS X 10.11 fix the problem, so install them as soon as possible. You can also simply turn off AirDrop when you’re not using it to avoid this kind of exposure, especially if you don’t plan to, or can’t, update to the latest iPhone and Mac software versions.

Chris Smith Senior Writer
