A rather scary piece of iPhone malware would let an attacker spy on a target using an approved App Store app without the person’s knowledge. In fact, the malware app could continue to gather data for the hackers — or for a spy agency — even after the infected app is closed by the user. Apple apparently fixed this huge vulnerability beginning with iOS 8.4.1, but earlier iOS builds are still affected.
If you stop using an app and send it to the background, iOS suspends it after about three minutes to save processor power and thus battery life. But the Ins0mnia bug, discovered by security researchers at FireEye, keeps the app running even after iOS should have suspended it.
Using the Ins0mnia bug, a malicious app could fool iOS into thinking that it is being debugged, which sidesteps the background time limit iOS enforces. The app could then keep transmitting data to a third party. Even worse, the app keeps working even if the user quits all apps running on the iPhone from the app switcher UI.
The security team explained in a blog post that Apple’s background limits are also meant to prevent eavesdropping. “A music app may have legitimate reason to ask permission to access GPS location and microphone while working in the foreground, but few users would want the app to run in the background and continually monitor GPS locations and record audio,” the company wrote. “The control by iOS is supposed to prevent such abuse of permissions.”
As The Register points out, that example seems to apply to a what-if scenario related to Spotify. The popular music service updated its privacy settings last week with wording that appeared to suggest it wanted to gather user data without giving users a chance to opt out, and many users were upset by the new terms of service.
The researchers also say that an app taking advantage of this particular iOS flaw could have had “a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple’s walled garden.”
It’s not clear which apps, if any, actually took advantage of this security vulnerability.