Security researchers have discovered “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store.

The affected versions of this library embedded backdoors in iOS apps that used the library to display ads, opening the door for hackers to access sensitive user data and device functionality. Mobile security researchers at FireEye have identified 2,846 iOS apps containing backdoored versions of mobiSage SDK.

Many of these phoned home to an ad server capable of delivering JavaScript code to control the backdoors. FireEye supplied Apple with the complete list of affected apps and technical details on 21 October, prior to going public with its discovery this week.

Malicious JavaScript code from a remote server could be used to do all manner of mischief on vulnerable devices including capturing audio and screenshots, monitor and upload device location, “side-loading” non-App Store apps by prompting the user to click an “Install” button and more. Thankfully nothing too malicious has happened as yet, as FireEye explains.

While we have not observed the ad server deliver any malicious commands intended to trigger the most sensitive capabilities such as recording audio or stealing sensitive data, affected apps periodically contact the server to check for new JavaScript code. At any time, malicious JavaScript code that triggers the backdoors could be posted, and it eventually would be downloaded and executed by affected apps.

FireEye's blog post – which lays out the technical details of its discovery – can be found here.

Ghost in the shell

The latest threat is separate from a fresh outbreak of the XcodeGhost malware, another iOS threat, that was also subject to a warning from FireEye this week. The threat – which began in China – has recently surfaced in the US, the security firm warns.

Tod Beardsley, security research manager at Rapid7, the firm behind the Metasploit pen testing tool, said that the latest wave of XcodeGhost (like the one before) relies on developers following insecure practices.

“While it's troubling to see Trojaned applications continue to pop up on Apple's App Store, it's important to remember that XCodeGhost (and its variants) still rely on software developers to break at least two rules when it comes to installing developer tools.

“First, developers must seek out a an unofficial source for XCode, the development platform for iOS, and second, they must affirmatively bypass Gatekeeper, the anti-malware system that is designed to prevent installation of unsigned application binaries,” he added. ®