Ars Technica reports security firm FireEye says its researchers have discovered a new bug in iOS that allows malicious apps to monitor and log a user’s touch and button input while running in the background.
The exploit reportedly targets a flaw in iOS’ multitasking capabilities to capture user inputs, and allows for them to be sent to a remote server.
The researchers created a proof-of-concept monitoring app, and developed approaches to “bypass” the Apple App Store review process. Once the app is installed, it was able to monitor and capture user actions that included keyboard inputs, use of the volume, home, and power buttons, screen touches with exact coordinates, and Touch ID events.
Disabling BackGround App Refresh for the app did not disable the malicious apps monitoring capabilities. Removing the app manually via the device’s task switcher is the only present solution.
FireEye noted the flaw has been identified in current versions of iOS:
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.
The group noted that they are cooperating with Apple to fix the issue. Apple has not yet commented on the issue.
News of the vulnerability comes less than a week after Apple issued iOS 7.0.6 in response to a SSL vulnerability that allowed bad actors to capture or modify data from Safari in supposedly secure browser sessions. That bug was also found to be present in OS X, and Apple has confirmed that it will issue an OS X software patch “very soon” to fix the bug.