Versions of a popular Chinese mobile ad library have been backdoored with capabilities that can be used to surreptitiously record audio and steal data stored on thousands of iOS devices.

Versions of a popular Chinese mobile ad library have been backdoored with capabilities that can be used to surreptitiously record audio and steal data stored on thousands of iOS devices.

Researchers at FireEye said today they have found 17 backdoored versions of the mobiSage SDK (versions 5.3.3 to 6.4.4); the offending behaviors are not present in the most up to date version, 7.0.5.

Senior director of security engineering Raymond Wei told Threatpost that it’s unknown whether parent company adSage dropped the malicious capabilities into the SDK, or whether it was a third party such as a criminal or state-sponsored operation.

“It’s hard to know; we don’t have that level of intelligence,” Wei said. “There are some reasons why an ad network would want to collect information beyond the normal use. Ad libraries can become very aggressive to gain an advantage over their competitors if they can collect more information. But recording audio in the background goes beyond the ad library’s functionality.”

Wei suspects the infected ad library moved through a distribution channel in China where developers were downloading it and using it in the development of new apps without suspecting it was backdoored.

“It is difficult to say whether developers got the infected library directly from the company or are they infected in transit, just like with XcodeGhost,” Wei said. “We cannot determine that at this point.”

FireEye identified 2,846 iOS apps in the Apple App Store running backdoored versions of mobiSage; there have been more than 900 attempts to contact an ad server from which an attacker could remotely send JavaScript commands. As of today, none of those 900 attempts resulted in malicious JavaScript being sent via the backdoor, FireEye said.

The capabilities exist to record audio and screenshots from an iOS device. An attacker could also monitor and upload device and location data, modify files in the app’s data contain, read or reset the app’s keychain, post encrypted data to third-party servers, launch other apps on the device, or side-load third party apps.

FireEye said it notified Apple on Oct. 21, providing it with a complete list of affected apps, and technical details. Wei said the researchers have no confirmation of actions taken by Apple against the apps, which found their way into the App Store.

“All those activities and actions are legitimate under certain circumstances. For example, there are legitimate apps that can record audio. The only difference is that the audio apps are supposed to prompt the user with a clear notification so that the user can say ‘Yes,'” Wei said. “It is probably not so straightforward for the App Store review to identify that these apps can perform these actions secretly in the background.”

In its report, FireEye provides technical details on the backdoor, which is said has two components, one called msageCore, which implements the backdoor functionality and exposes interface to JavaScript. The JavaScript component is called msageJS and it provides execution logic and can trigger the backdoors by invoking interfaces exposed by msageCore, FireEye said.

In these interfaces, FireEye discovered the capabilities in the library such as the ability to capture audio and screenshots and other spying features such as stealing passwords.

“This is a very surprising discovery that an ad library can be distributed so widely and can get a [malicious] app published in the App Store,” Wei said.