Cisco’s Talos Intelligence is warning enterprise admins and iPhone users of a complicated but crafty attack that involves manipulating the age restriction settings on iOS devices to hide legitimate apps, such as WhatsApp.
The researchers observed the trick in a recent targeted attack against a dozen iPhone users who’s devices had been enrolled onto a malicious mobile device management (MDM) platform, an enterprise tool for deploying apps on work devices. The malicious MDM installed fake versions of WhatsApp, Telegram, Imo, and Apple’s Safari browser.
Installing the fake apps was half the trick, and Cisco’s researchers don’t know how the devices were enrolled to the MDM in the first place, though physical access and social engineering are two likely explanations.
The second part involved hiding the real apps in order to force the victims into using the booby-trapped version. To do this, the attackers used the Restrictions option in Settings on iOS devices — a feature aimed at parents that allows them to restrict access to specific apps based on their child’s age. For example, in Restrictions under Apps, parents can specify not to allow access to certain apps to 17+, 12+, 9+, and 4+.
The age ratings for WhatsApp and Telegram and 12+ and 17+, respectively. Knowing this, the attackers set the age limit to 9+, which completely conceals the legitimate messaging apps.
The apps are still installed, but so long as the restrictions are enabled, the user can’t see or search for any apps that exceed the set age limit. And with access to the legitimate apps now blocked, there’s a higher chance that the target will use the fake app.
The fake malicious messaging apps were spyware, capable of collecting SMS and Telegram and WhatsApp chat messages, as well as device details, location, contacts, and stored photos.
The attackers didn’t manually manipulate the settings on the iOS devices, but rather used configuration profiles created with Apple Configurator 2, a tool for deploying devices in schools and business. The profiles are XML files that configure settings on iOS and Macs enrolled through an MDM.
Configurator 2 however only allows the for the creation of profiles with age restrictions for supervised devices and the ones in its investigation weren’t supervised. However using Configurator 2 to set the age restriction for Media Content to 9+, devices with that profile won’t display or allow interaction with apps above that age limit.
Cisco’s researchers note that a fair amount of user interaction is required to enroll a device in a malicious MDM platform, which might set off a target’s alarm bells. These steps include visiting a website via a link in an email or message, and trusting the remote management (MDM) process. However, if the attacker, say, called the target first and posed as technical support, it’s likely the user may willingly be guided through the process. Once enrolled, the attacker can push malicious profiles and applications to the device.
Talos Intelligence has posted a video demonstrating how an attacker could compromise an iPhone using this technique, all without using an exploit or convincing the victim into installing malware.
The company recommends auditing iPhone profiles and deleting any suspicious ones, as well as checking the restrictions menu to see if an age rating has been configured.