The exploit reportedly targets a flaw in iOS multitasking capabilities to capture user inputs, according to Security researchers at FireEye.
They found a way to bypass the Apple's app review process effectively and created a proof-of-concept Monitoring app for non-jailbroken iOS 7.0.x devices.
The "monitoring" app, that runs in the background of the iPhone is a Keylogger Trojan which could allow hackers to monitor user's activities on the mobile device, including - touches on the screen, home button press, volume button press and TouchID press, and send all collected events to any remote server.
"Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring." FireEye researchers said.
In iOS devices, the application running in the background keeps on refreshing itself; but the researchers also noted that disabling iOS 7's "Background App Refresh" setting would not restrict a malicious app from keylogging.
"For example, an app can play music in the background without turning on its "background app refresh" switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring." FireEye explained, So the only present solution to the problem is to manually remove apps from the task switcher.
Earlier this week, Apple has issued an urgent update iOS 7.0.6 in response to a SSL vulnerability that might allow hackers to bypass SSL/TLS verifications on shared and public networks and steal users information from affected devices, including log-in usernames and passwords, as well as other sensitive information.
The Security firm is actively working with Apple on the issue, but until the release of next iOS update, the only thing iOS users can do - Check and monitor the unnecessary applications running on the device via Task Manager and KILL THEM.
Last month, Trustwave's Neal Hindocha also demonstrated that even Smartphone screen swipe gestures can be analyzed by hackers and as a proof-of-concept he developed a prototype 'Screenlogging' malware for the iOS and Android Smartphones that works the same as a keylogger software for desktop.
Last month, Trustwave's Neal Hindocha also demonstrated that even Smartphone screen swipe gestures can be analyzed by hackers and as a proof-of-concept he developed a prototype 'Screenlogging' malware for the iOS and Android Smartphones that works the same as a keylogger software for desktop.
