Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Swordmaker

By the way, the severity of this particular exploit is low. The malware encrypts and uploads the following:

- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type

It looks a lot more like a proof-of-concept than serious malware.

Reminder, developers - be careful where you get your development tools! (At least the idiots in China who downloaded this should have made sure the checksums matched!)


15 posted on 09/24/2015 10:12:08 AM PDT by PreciousLiberty


To: PreciousLiberty

Whoops, it is worse than I read at first:

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Apple should auto-remove the offending apps from affected devices, though I didn’t see that confirmed anywhere.


16 posted on 09/24/2015 10:16:52 AM PDT by PreciousLiberty



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson