Attackers have discovered a method to monitor user input through malicious apps found in the App Store.
iOS Data Theft: SlowMist’s App Store Discovery
Cybercriminals have devised a plan to steal user data using the iOS operating system’s WKWebView component. SlowMist analysts reported this on Twitter, identifying malware capable of data theft within the Chinese section of the App Store.
According to a victim's complaint, attackers can mimic Apple's authorization form using WKWebView, tricking users into entering their email and password. Once the sensitive data is obtained, the attackers add the devices to the list of home devices, enabling purchases from the victim's device.
Stolen data is also used to fake the victim's number and evade two-factor authentication restrictions. All users who rely on iCloud storage for crypto wallet authentication are affected by this scheme, though the full extent remains unclear.
WebView has been exploited in iOS security breaches before. In 2014, a similar data hijacking scheme was identified by Craig Hockenberry, a developer of the Twitter client for iOS. In 2016, IT security experts revealed that cybercriminals could make unauthorized calls from a victim's device through WebView with just a single line of HTML code.
In late June, we reported on a counterfeit version of the Trezor Wallet mobile app surfacing in the App Store. The fake clone quickly rose to the top of search results for US and UK users. Although it remained in the marketplace for weeks, the extent of data accessed by the attackers remains uncertain. The fake app has since been removed by App Store moderation.