Hackers Bypassing the App Store to Install Spy Apps on iPhones

This isn’t a completely new concept – hackers have been attacking iOS for some time now. Usually, this requires any attacker to not only have physical access to the device, but also requires them to remove certain restrictions from the device, known as a ‘Jailbreak’.

Jailbreaking essentially allows the hacker (or more technical-minded users who jailbreak willingly) access to the deeper file systems of iOS, without the protection of Apple’s security protocols, allowing them to then install essentially anything they want. For hackers this is usually spyware to monitor their victims device and steal their data.

Luckily for iOS users, a jailbreak is not usually something you need to worry about as long as you have a newer iPhone or iPad and you keep it updated to the latest version. This is perhaps why we’ve seen a new method of attack becoming more prevalent in recent times.

With these new attacks, hackers are completely bypassing not only the App Store, but also the need to Jailbreak a device in order to install their illicit software. This is achieved by utilizing Apple’s Developer or Enterprise programmes.

Developer Apps

Developer apps exist to help developers create and test apps before they are published on the official App Store. Normally, developers would install these test apps to an iOS device by connecting it to a computer via USB. This means that the test apps don’t need to be uploaded to the App Store and therefore don’t have to pass their strict checks. Hackers are using this to their advantage and using Developer apps as a way to get data stealing apps onto a victim’s phone.

If a hacker creates a malicious app in advance, all they need to do is get hold of the victim’s phone for a short period of time and load it from their computer. Typically, they will then hide the app in an app folder like ‘Utilities’, so it will go unnoticed for as long as possible.

During installation the hackers need to digitally sign Developer apps in order for them to work. To do this they can either use a standard free Apple ID, in which case their malicious app will stay active for 7 days. Or if they purchase a Developer Account from Apple (just $99), the spy app will work for up to 365 days, if unnoticed.

Enterprise Apps

The ability to create and use Enterprise apps was designed by Apple for use by companies and organisations to distribute apps internally amongst their teams without making them publicly available on the App Store. However, hackers have turned this feature into a way for them to trick unsuspecting users into installing their malicious apps.

Unlike Developer apps, hackers do not need physical access to the victim’s phone in order to install an Enterprise app. They simply need the victim to download the app.

One such example of this was an attack coined ‘Exodus’. This was an attack formulated by hackers targeting users of a phone network in Italy and Turkmenistan. Hackers used social engineering techniques (such as posing as a legitimate staff member, etc) to persuade users into installing and giving access to their apps designed to steal their information and monitor their activity.

Enterprise apps are also commonly found on knock-off versions of the App Store, used by people looking to get paid games or apps for free (Such as free access to the paid version of Spotify), or download modified versions of popular apps such as Instagram and Youtube to get additional features not included by the original developer.

iPhone users should be wary of 3rd party app stores as their apps are not verified by Apple and often contain malicious code that could compromise your device and private information.

What’s Apple doing about this?

The good news is that Apple have been pretty good at staying on top of these apps and closing down associated Enterprise/Developer accounts whenever they are discovered. This stops the app from working and essentially removes the electronic profile used by the hacker/developer.

The one problem here is that if a hacker is operating on a smaller scale with more targeted victims, they could easily fly under Apple’s radar or even just switch accounts if they get caught.

How do I check my iOS device for this type of hack?

Luckily, it’s pretty simple to check for this type of hack by doing the following:

Step 1. Go to the Settings app and tap ‘General’.

Step 2. Scroll down and tap on ‘Profiles & Device management’.

If you don’t see this option in the menu then that means you don’t have any profiles installed on your device and you are currently safe from this type of attack.

Step 3. Check the page for any Developer or Enterprise profiles.

There may be legitimate reasons for developer/enterprise apps being installed on your device. If you see an app you don’t recognize, send details to [email protected] for analysis.

Step 4. If you wish to delete a developer/enterprise app, just tap the app’s name and then tap ‘Delete App’.

Can I check my iPhone for other spyware?

Enterprise/developer apps are just one way that hackers can use to gain access to your personal data. There are many other ways. At Certo, we specialize in detecting iPhone spyware through the various means of attack that hackers use to steal your personal data.

Our industry-leading iOS spyware detection tool, Certo AntiSpy, will check your device and alert you to any installed spyware, even those that are completely hidden from view.