Phishing for credentials: iOS pop-up deception through sideloaded apps

In this blog, Jamf Threat Labs showcases how malicious actors deceive users. By mimicking authentic Apple pop-up messages in the native iOS style, a false sense of security is created, prompting users to instinctively input their credentials.

May 30 2024 by Jamf Threat Labs


Authors: Hu Ke and Nir Avraham

Phishing, an ever-looming threat, continues to prevail as the most effective method for attackers, with mobile devices being particularly vulnerable. Statistics indicate a staggering 50% higher success rate of phishing attacks on mobile devices compared to Macs, with 9% of users succumbing to such tactics.

Why is phishing success higher on mobile than on desktop?

Recent findings from Jamf Threat Labs validate a technique utilized by threat actors exploiting sideloaded apps to fabricate deceptive alert messages mirroring authentic Apple iOS prompts. We delve into this technique, shedding light on how these deceptive pop-ups mimic genuine iOS interfaces and trick unsuspecting users into divulging sensitive credentials.

It's crucial to understand that in the modern world, our personal information is constantly at risk. With personally-owned mobile devices being used to access work resources and business data, that risk extends to the workplace. Blurred boundaries between devices used for work and personal purposes further complicate security and privacy matters. Regardless of whether you have a corporate-issued mobile device, the prevalent trend of employees using personal devices for work-related tasks is underscored by the 87% of businesses relying on their employees using personal smartphones to access business apps.

With the average number of devices being 3.6 per person globally, the attack surface for cyber threats has significantly expanded. Bad actors are capitalizing on this increased vulnerability by deploying sophisticated phishing tactics to steal credentials. Constantly evolving, they mimic authentic modern endpoint experiences while making their deceptive efforts harder to detect. Attackers use realistic interfaces and convincing communication to lure users into revealing sensitive information, heightening the risk of data breaches in an era where multiple devices are integral to daily life.

As attackers employ sophisticated tactics, it's vital for users to remain vigilant and informed. Visual cues associated with iOS apps, once reliable indicators of authenticity, are now being manipulated by threat actors to compromise endpoints, with users handing over their credentials without hesitation or so much as a second thought.

Phishing pop-ups

Consider this scenario: you encounter a pop-up window asking for login information while using your iOS device. It appears authentic, seamlessly blending with the interface you're accustomed to. However, upon closer inspection, subtle discrepancies may betray its malicious intent. These deceptive pop-ups, resembling genuine iOS prompts, are designed to lure users into a false sense of security, ultimately leading to the compromise of personal information or worse — business credentials used to access work resources.

Determining real vs fake

The tactic above is easier to spot in Safari than in other parts of the iOS experience, because credential pop-ups in the browser are foreign to the user's experience. That unfamiliarity no doubt makes end users hesitate before entering their iTunes credentials on a website.

That said, the visuals and understanding of the browsing experience on iPhone or Mac are familiar enough that attempts to use deceptive pop-ups — despite not “feeling right” — still manage to deceive many users. It’s a distinct difference that doesn’t fool everyone but may trick just enough users to hand over their credentials successfully.

Pop-up windows inside iOS apps, on the other hand, are a familiar part of the experience, which makes deceptive pop-up windows much harder to distinguish from genuine ones. The ability to sideload third-party apps makes it even more complex to detect what is genuine versus what has been triggered by a threat actor.

To further illustrate the gravity of this threat, let's examine a demonstration involving the modification and sideloading of the Facebook app. Sideloading, the practice of installing applications from sources outside the official App Store, presents many inherent risks to device and organizational security postures. By exploiting developer accounts and modifying app signatures, attackers can distribute malicious apps capable of harvesting sensitive data as they hide in plain sight.

In our demonstration, we showcase the process of modifying the Facebook app to intercept user keyboard input data, all while maintaining the app's baseline functionality. This modified app is sideloaded onto the iOS device, presenting a significant challenge in distinguishing the malicious version from the genuine version. So, what does this look like, and how can you investigate whether an app has been sideloaded and tampered with in order to mitigate the threat? Let's look at the technique in more depth, outlined by Jamf Threat Labs.

Technique and insights led by: Hu Ke and Nir Avraham

Disclaimer

The following demonstration technique involving Facebook is intended solely for educational purposes. It is designed to illustrate potential threats present on popular social media platforms and is not intended to encourage or facilitate any illegal or unethical activities. The example provided is based on real-world scenarios to highlight the importance of cybersecurity awareness and best practices for protecting personal and sensitive information online.

Jamf does not condone or endorse any unauthorized access, exploitation, or manipulation of Facebook or any other platform or service.

Any actions taken as a result of this demonstration are the sole responsibility of the individual(s) conducting them. We do not condone or endorse any unauthorized access, exploitation, or manipulation of Facebook or any other online platform.

Users should adhere to all applicable laws, terms of service, and ethical guidelines when using social media platforms and conducting cybersecurity research or demonstrations.

Invisible phishing: risks of sideloading

Crafting the malicious app

  1. First, we need to acquire the original app’s .ipa file. After decompressing it, we package the code we intend to inject into a .dylib file — the libcode.dylib file (shown below) — and place it in the Frameworks folder.
  2. Next, we modify the header of the main binary so that it forcibly loads our custom library code every time the app is launched.
  3. Finally, we repackage everything back into a .ipa file, and it's ready to be distributed.
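Step 2 leaves a durable trace in the app's main binary: an extra dylib load command in its Mach-O header. The following Python is an added example for investigators (it is not Jamf's code and not the demonstration's injected code): it walks the Mach-O load commands, lists every dylib the binary will load, and flags app-bundled libraries that are not on an expected list. The sample header, the `ExpectedFramework` name and the allowlist are constructed for the example; the `libcode.dylib` name comes from the steps above.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}


def linked_dylibs(macho: bytes) -> list:
    """Return the install names of every dylib a 64-bit Mach-O binary will load."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    names, off = [], 32  # mach_header_64 is 32 bytes; load commands follow it
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name offset, timestamp, versions; name is a NUL-terminated string
            name_off = struct.unpack_from("<I", macho, off + 8)[0]
            raw = macho[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names


def suspicious_dylibs(names, allowlist) -> list:
    """Flag libraries loaded from inside the app bundle that the genuine build is not known to ship."""
    return [n for n in names
            if (n.startswith("@rpath/") or n.startswith("@executable_path/")) and n not in allowlist]


def _dylib_cmd(cmd: int, name: str) -> bytes:
    """Build one dylib_command (24-byte header plus 8-byte-padded install name) for the sample."""
    payload = name.encode() + b"\0"
    payload += b"\0" * (-len(payload) % 8)
    return struct.pack("<6I", cmd, 24 + len(payload), 24, 0, 0, 0) + payload


def build_sample(dylibs) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header carrying only dylib load commands (not a real app)."""
    cmds = b"".join(_dylib_cmd(LC_LOAD_DYLIB, n) for n in dylibs)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


# Constructed sample: a system library, one expected bundled framework, and the injected library.
EXPECTED = {"@rpath/ExpectedFramework.framework/ExpectedFramework"}
SAMPLE = build_sample(["/usr/lib/libSystem.B.dylib",
                       "@rpath/ExpectedFramework.framework/ExpectedFramework",
                       "@rpath/libcode.dylib"])
```

Run `linked_dylibs` over the main executable extracted from a suspect .ipa and compare against the App Store build's list; an injected library shows up as a load command the genuine binary does not have.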

Distributing the malicious app

This phase involves installation through a sideloading platform, which includes dealing with the code signing aspect. A completely free option is AltStore, which permits the installation of any .ipa file on a personal device with a free developer account.

Note: Apps installed via sideloading could have the identical name and bundle ID as the genuine versions of the app without affecting the user experience.

ProTip: By navigating to Settings | General | iPhone Storage, you can view the size and version of each installed app. Comparing sideloaded apps with those downloaded from the App Store reveals several differences. For example, sideloaded apps do not display the developer's name, such as "Meta Platforms, Inc.," as seen in the example. They also lack the "Offload App" option.

In observance of ethical disclosure, we won't share the code used in this demonstration. Simply stated, the malicious code hooks the textFieldDidChange: and textViewDidChangeSelection: text-input callbacks commonly used by Facebook apps, whose selectors can be identified through reverse engineering. Then, whenever the text in the textbox changes, it extracts the content and sends it to our server.

Demo Video

Conclusion

While sideloading offers flexibility, allowing users to install apps not available on the App Store, it also introduces various security vulnerabilities. Sideloaded apps may masquerade as genuine app versions, making detection challenging for end users. Discrepancies in app details, such as missing developer information, serve as subtle indicators of potential threats.

The implications of these advanced phishing techniques are profound. With over 90% of cyber attacks originating from phishing attempts, according to Jamf Threat Labs research, it's evident that mobile users must exercise caution.

Jamf offers comprehensive mobile security solutions designed to identify and thwart sophisticated attacks, safeguarding both personal and business data. Integrating robust mobile security measures into your defense strategy is now more necessary than ever to mitigate increasing risks.

Jamf mobile security solutions protect your devices, users, data and privacy.