Check Point researchers have identified SideStepper, a vulnerability that can be used to install malicious apps on iPhones and iPads to steal login credentials and sensitive data.
SideStepper allows an attacker to get around security enhancements in iOS 9 which are supposed to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, thereby making it harder to install a malicious app accidentally.
However, enterprise apps installed through a Mobile Device Management (MDM) solution are exempt from these new security enhancements. An attacker who can hijack and imitate trusted MDM commands on an iOS device can therefore push apps signed with enterprise developer certificates over the air, with no per-certificate trust prompt. This exemption is what lets an attacker side-step Apple's safeguard against installing malicious enterprise apps.
To expose an iPhone or iPad to this vulnerability, an attacker convinces a user to install a malicious configuration profile on a device by using a phishing attack. This simple, effective attack method uses familiar messaging platforms like SMS, instant messaging, or email to trick users into following a malicious link.
Once installed, this malicious profile allows an attacker to stage a Man-in-the-Middle (MitM) attack on communication between the device and the MDM solution. The attacker can then hijack the MDM commands that Apple’s iOS trusts, including the ability to install enterprise apps.
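The malicious configuration profile is the entry point for the whole chain, so it is the one artifact a user or help desk can inspect before accepting it. The following Python script is an added example, not Check Point's tooling or part of the original write-up: it parses an unsigned .mobileconfig (a plist) and flags the payload types that let a profile interpose on traffic (a root CA, a global HTTP proxy, a managed VPN) or enroll the device with an MDM server whose hostname is not on the organisation's allowlist. The payload type identifiers are Apple's documented PayloadType values; the sample profile, its hostnames and the certificate bytes are constructed placeholders, not a real lure.

```python
import plistlib
from urllib.parse import urlparse

# Apple PayloadType identifiers that a phishing profile can abuse to put
# itself between the device and the MDM server, or to take over management.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA (enables TLS interception)",
    "com.apple.security.pkcs12": "installs a certificate/identity bundle",
    "com.apple.proxy.http.global": "sets a global HTTP proxy (routes traffic via a third party)",
    "com.apple.vpn.managed": "installs a VPN configuration (can tunnel all traffic)",
}

# Keys in an MDM payload that name the server the device will talk to.
MDM_URL_KEYS = ("ServerURL", "CheckInURL")


def audit_profile(profile_bytes, trusted_mdm_hosts):
    """Return a list of (payload_type, reason) findings for an unsigned profile.

    trusted_mdm_hosts: set of hostnames the organisation's MDM server is
    expected to use. Any MDM payload pointing elsewhere is flagged.
    Signed profiles are CMS-wrapped; unwrap them first (e.g. openssl smime
    -verify) and pass the inner plist here.
    """
    head = profile_bytes.lstrip()
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        raise ValueError("not a plain plist; unwrap the CMS signature before auditing")
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            for key in MDM_URL_KEYS:
                host = urlparse(payload.get(key, "")).hostname or ""
                if host not in trusted_mdm_hosts:
                    findings.append((ptype, f"{key} points at untrusted host '{host}'"))
        elif ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
    return findings


# Constructed sample: a lure profile that installs a placeholder "root CA"
# (bytes 00 01 02, not a certificate), a global proxy and an MDM enrollment.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.lure</string>
  <key>PayloadDisplayName</key><string>Wi-Fi Settings Update</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.lure.ca</string>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>com.example.lure.proxy</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.lure.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.placeholder</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Assumed allowlist for the example organisation.
    for ptype, reason in audit_profile(SAMPLE_PROFILE, {"mdm.corp.example"}):
        print(f"[!] {ptype}: {reason}")
```

The root CA and proxy payloads are flagged regardless of who the MDM server is, because together they are exactly what a Man-in-the-Middle position against MDM traffic needs; the MDM payload is flagged only when its server hostnames are not ones the organisation already uses. A profile with any finding should be refused and handed to the security team rather than accepted on the device.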
The vulnerability potentially impacts millions of iPhone or iPad devices running under an MDM solution. Without an advanced mobile threat detection and mitigation solution on the iOS device, there is little chance a user would suspect any malicious behavior had taken place.
Since iOS trusts these apps, and because the installation process looks familiar to the user, infection is seamless and immediate. This vulnerability puts the user, and the sensitive information on the device, including voice conversations, at significant risk. Malicious apps can be designed to:
- Capture screenshots, including screenshots captured inside secure containers
- Record keystrokes, to steal login credentials of personal and business apps and sites
- Save and send sensitive information like documents and pictures to an attacker’s remote server
- Control sensors like the camera and microphone remotely, allowing an attacker to view and capture sounds and images.
Researchers recommend taking several steps to mitigate the risk:
- Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats
- Examine carefully any configuration profile or app installation request before accepting it to make sure it's legitimate
- Use a personal mobile security solution that monitors your device for malicious behavior.