Malicious applications can be silently installed on millions of Apple devices, replacing legitimate apps – thanks to a vulnerability tied to the popular file-transfer feature AirDrop.

The vulnerability is mitigated in iOS 9, which is available to the public from today, although it is not fully fixed, we understand. However, fans are urged to upgrade if possible.

The flaw lies in the AirDrop file-sharing function, and allows apps to be installed on devices running iOS 7 and above – or almost all Apple devices in use today. It requires only that iOS devices have AirDrop enabled for an attacker to spread their malicious apps among iOS devices.

Research director Mark Dowd of Sydney's Azimuth Security reported the flaw to Cupertino, and says malicious apps will be installed regardless of whether an AirDrop sharing request is accepted.

"The flaw is exploitable over AirDrop, which means the target has to have AirDrop enabled and reachable by everyone," Dowd tells Vulture South.

"I have been able to chain this flaw together with several other tricks on iOS to install an arbitrary app that is signed with my enterprise certificate.

"I can also install the relevant enterprise provisioning profile on the device and mark it as trusted so that running the app won't cause a 'This app is signed by XYZ corporation – do you trust them?' dialog."

Dowd says the flaw, which allows apps like Mail or Phone to be replaced, does not rely on memory corruption and is "100 percent reliable."

The accomplished researcher chained the flaw together with several other iOS tricks to install on Apple devices an arbitrary app signed with his enterprise certificate.

Attackers could also bypass Apple's code-signing with that used in the TaiG jailbreak, but only for devices running iOS 8.4 and below.

Enterprise provisioning allows, for example, IT shops to deploy in-house developed apps across staff Apple devices without having to go through the App Store.

That attack vector has been used before in the so-called Masque attacks that affect devices running iOS 8.1.3 and below. The attack required victims to approve the install process before already-installed apps could be replaced or destroyed.

Dowd's attack does not require anything beyond the activation and connection of AirDrop devices. Users who reject a request to install apps from AirDrop will still be hosed, since the exploit will have already occurred.

"The only caveat with enterprise-signed apps is that the first time your app runs on a device, it triggers a prompt that asks the user if they trust the signing entity – I circumvent this prompt," he says.

Youtube Video

AirDrop is not activated by default, but it is a popular feature that many Apple customers use. More ambitious attackers with physical access to a phone can activate the function from the lock-screen, Dowd notes.

The directory traversal vulnerability means attackers can overwrite files at arbitrary locations on the file system as the mobile user. It lies in Apple's Bom.framework library utilized by various applications for compressing and decompressing ZIP and CPIO packages and installed by default on OS X and iOS.

Specifically the flaw lies in the CPIO package decompression and is triggered by a failure to ensure that a destination path is correctly NULL-terminated. This, Dowd says, essentially allows an attacker to perform a directory traversal attack, writing – and notably overwriting – files at an arbitrary location on the file system.

Dowd suspects other OS X and iOS applications are possibly vulnerable.

Compromised phones must be first rebooted so that the new app and provisioning profile is detected by services that scan the device during boot. ®