Sophos spots a highly sophisticated series of attacks that illustrate some of the most common ways to attack iOS.

I didn't entirely mean to focus on Apple device security for most of this week (see here and here), but new Sophos research should interest any enterprise working to enhance security awareness.

Breaking bad

The research looks at 167 counterfeit apps used to scam iOS and Android users. Those that target Apple's mobile OS particularly stood out, as they show the increasing sophistication of malware authors.

Sophos found these attacks combine a range of weaponry: social engineering, counterfeit websites, fake iOS App Store pages, and even an iOS app-testing website, all used to get the fake apps onto victims' devices. Sophos warns the attacks may be operated by the same group, and all the apps identified purport to be crypto, stock, and banking apps that steal from the people using them.

It is important to note that Sophos has shared details of these apps, so they should now be picked up by malware detection apps.

What attack vectors were used?

What's important for enterprise users to identify is which attack vectors were used to distribute these apps. Primarily, these are good examples of social engineering combined with sophisticated attempts at spoofing. For example, researchers identified an instance in which an attacker found a victim in a dating app and eventually manipulated them into installing a fake app that then attempted to steal the victim's cryptocurrency details.

The attacks also used spoof websites that appear to be legitimate sites for known brands, and made use of ad hoc app distribution and quite convincing App Store download pages, complete with fake customer reviews.

Humanity is vulnerable

What makes these convincing exploits dangerous is their constructed authenticity. It means people, including your employees, can easily fall prey to them.
Once again, these attempts focus on the weakest link in any security chain: the humans using the equipment.

What can enterprises do to protect themselves?

It's an argument for Zero Trust, I think. Passwords are insufficient protection for personal data, and that is certainly so for corporate services and information. Just as I'd advise any iOS user, enterprises should at least deploy multifactor authentication to harden existing security protocols, though even this isn't really enough. Network-based Zero Trust security models form another barrier to blunt the impact of attacks of this kind. Given that a security incident today is a matter of when, not if, adopting combined security protections makes it more likely data will remain secure even if one component of that protection is penetrated.

Ad-hoc distribution was also used

It's also worth noting that in at least some of these cases, criminals made use of ad-hoc distribution (Sophos refers to "Super Signature" developer services) to evade Apple's App Store review process. This let them create what seemed to be real apps, distributed through phony App Store pages but built and managed completely outside the App Store process. These are the kinds of installations you'll see a lot more of if mobile developers are forced to run App Stores in the same way as a multi-storefront shopping mall, rather than as high-class department stores. But I digress.

The apps are malicious but act like real apps, and are distributed via a fake App Store page. They never interact with Apple in any genuine sense, and it's likely the developer services used are violating Apple's developer license agreements.

There are steps app store providers can take to mitigate such attacks. Sophos suggests, for example, that stores add reputation and trustworthiness scores to app rankings.

Apple must…

We know Apple watches out for such attempts made via the App Store.
It terminated 470,000 developer accounts and rejected more than 200,000 enrollments over fraud concerns last year. It also removed 95,000 apps from the App Store for fraudulent violations, such as manipulating users into making purchases.

But the use of ad-hoc app distribution in these attacks led Sophos to recommend that Apple create a new iOS warning message that lets users know when they are installing apps ad hoc, outside Apple's App Store. I completely agree with this approach. I don't think beta testers would be turned off by such warnings when installing trial apps, and I don't think enterprises that use small distributions of internally developed apps will have problems explaining such a warning to employees. The wider benefit of adding a barrier to the installation of criminal apps distributed through smart social engineering and convincing fakery far outweighs the friction of receiving such a warning in the first place.

All the same, the cat-and-mouse game between online services, entities, users, and enterprises on one side and cybercriminals on the other continues to become ever more complex, and humans remain the weakest link in the security chain. On any platform.

Please follow me on Twitter, or join me in the AppleHolic's bar & grill and Apple Discussions groups on MeWe.