Apple's ad hoc provisioning feature for iOS apps is being used in a new malware phishing attack on the iPhone and iPad. The threat, dubbed XAgent, collects contacts, location information, installed app lists, photos, text messages and more.
XAgent malware can hit iPhones that aren't jailbroken
The threat was found by the security research company Trend Micro, which said XAgent doesn't require victims to use jailbroken iOS devices. The company said the malware is very advanced and similar to the SEDNIT threat for Windows. Jailbreaking is a process where iPhone users hack their device so they can install apps that aren't approved for distribution through Apple's App Store.
Trend Micro said,
The XAgent app is fully functional malware. After being installed on iOS 7, the app's icon is hidden and it runs in the background immediately. When we try to terminate it by killing the process, it will restart almost immediately.
Installing the malware into an iOS 8 device yields different results. The icon is not hidden and it also cannot restart automatically. This suggests that the malware was designed prior to the release of iOS 8 last September 2014.
Just how XAgent gets installed is still a mystery, although Trend Micro has seen a case where potential victims were presented with a dialog telling them to tap to install an application. They also say it may be possible to infect an iPhone by connecting it via USB to an infected Windows PC.
Users presented with a dialog asking them to install an app will get a follow-up warning that the software is from an untrusted developer, which should be a red flag to stop the process.
Ad hoc provisioning is a feature that lets developers distribute apps without going through Apple's App Store. It's intended for legitimate uses, such as companies that need to distribute custom apps to their employees.
Unless you're expecting to use an app through ad hoc provisioning, it's a good rule of thumb to stay away from surprise dialogs asking you to download and install software, especially if it's coming from an unknown source.
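One way a defender can triage an app that arrived outside the App Store is to read its embedded provisioning profile and check how it was provisioned. The example below is added here and is not code from the article or from Trend Micro; it extracts the plist from a CMS-signed `.mobileprovision` blob and classifies it (ad hoc, enterprise, development or App Store, going beyond the ad hoc case the article names) using the profile keys `ProvisionedDevices`, `ProvisionsAllDevices` and `get-task-allow`. The sample profile bytes, team name and app identifier are constructed for the demo.

```python
import plistlib
from datetime import datetime, timezone


def extract_profile_plist(raw: bytes) -> dict:
    """Pull the XML plist payload out of a CMS/PKCS#7-signed profile blob."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Classify by the keys Apple puts in each profile type."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution, any device
    if "ProvisionedDevices" in profile:
        # Device-list profiles: debuggable ones are development, others ad hoc
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"               # no device list, not enterprise


def triage_profile(raw: bytes, now: datetime = None) -> dict:
    """Summarise the facts an analyst wants first from a sideloaded app."""
    profile = extract_profile_plist(raw)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entitlements = profile.get("Entitlements", {})
    return {
        "type": classify_profile(profile),
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "expired": profile["ExpirationDate"] < now,   # plist dates are naive UTC
    }


# Constructed sample: fake DER prefix/suffix around a minimal ad hoc profile plist.
SAMPLE_PROFILE = b"\x30\x82\x01\x00constructed-cms-header" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Constructed Ad Hoc Profile</string>
  <key>TeamName</key><string>Example Team (constructed)</string>
  <key>ExpirationDate</key><date>2015-12-31T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00000000-0000000000000000</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""" + b"constructed-signature-bytes\x00"

if __name__ == "__main__":
    print(triage_profile(SAMPLE_PROFILE))
```

On a real IPA, unzip it and feed `Payload/<App>.app/embedded.mobileprovision` to `triage_profile`; a device-list or enterprise profile on an app the user never expected to sideload is the red flag the article describes.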