Hackers targeting mobile and tablet devices can use an advanced form of Masque Attack to mirror popular apps like Facebook, Twitter and WhatsApp and steal sensitive information.
The threat was revealed by security firm FireEye at the Black Hat security conference in Las Vegas, after researchers analysed the 400GB of data logs leaked from Hacking Team last month.
The researchers found that all major mobile operating systems, including iOS, Android, Windows and BlackBerry, were targeted by the Italian surveillance company.
FireEye found a Remote Control System designed to hack into jailbroken iOS devices, but it was the calculated attempts to siphon data from non-jailbroken devices that were of most interest.
Logs from Hacking Team show that the firm had the ability to send a weaponised variant of 'enpublic' applications, unofficial versions of apps, to steal sensitive information and upload it to a remote server.
Furthermore, FireEye researchers found a remote control app that targets non-jailbroken devices by downloading Masque Attack apps from a remote server. Each of these apps featured a control panel to configure the behaviour of the malicious application.
Simon Mullis, global technical lead at FireEye, told V3 that the main difference between this version and the previous iterations of Masque Attack is that they are now being spotted "in the wild".
"Not only that, but they're being used as part of a sophisticated 'suite' of tools by a targeted attacker. We have found 11 reverse-engineered and repackaged versions of a variety of popular apps, all to be used to steal sensitive information and spy on end users," he said.
"One of the most interesting revelations is the level to which the attack infrastructure was pre-prepared to use every available method possible to compromise the intended victims in the form of a mobile attack suite.
"We see all major mobile OSs being impacted, from Android, Apple iOS, Windows phone via BlackBerry to Symbian, with the ultimate aim being persistent remote control of the end user's device."
The threat targets a security flaw, since patched by Apple in new OS versions, that allows a malicious iOS app with the same file name (bundle ID) to replace a legitimate app.
The Masque Attack app has to be signed with an enterprise certificate and the user has to click through a warning before it is activated.
Nevertheless, the 11 Masque Attack applications uncovered by FireEye are repackaged popular social network apps including Facebook, Twitter, WhatsApp and Skype.
Because the bundle IDs of the falsified and compromised applications matched those of the genuine versions, they could directly replace the real apps on iOS devices running versions prior to 8.1.3. The planted applications would then steal data from the user's phone or tablet and transfer it to a remote server.
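The replacement described above depends on two properties a defender can inspect before an app reaches a device: the bundle ID matches a popular App Store app, and the package is signed through an enterprise (in-house) provisioning profile rather than the App Store. The following Python script is an added example, not code from FireEye or V3; it reads `Info.plist` and `embedded.mobileprovision` out of an IPA and flags that combination. The list of protected bundle IDs, the `ABCDE12345` team prefix and the sample IPAs it builds in memory are constructed for the example, and the profile parser locates the XML plist inside the CMS wrapper without verifying the CMS signature.

```python
"""Flag IPA packages whose bundle ID collides with a protected App Store app
while being signed through an enterprise provisioning profile."""
import io
import plistlib
import re
import zipfile

# Assumed list for this example: bundle IDs of apps the organisation expects
# to arrive only from the App Store. Extend it from your own app inventory.
PROTECTED_BUNDLE_IDS = {
    "com.facebook.Facebook",
    "com.atebits.Tweetie2",   # Twitter
    "net.whatsapp.WhatsApp",
    "com.skype.skype",
}

# A .mobileprovision is a CMS-signed DER blob with the XML plist embedded
# unchanged, so the plist can be located by its opening and closing tags.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def provisioning_profile(raw):
    """Return the plist dict embedded in a .mobileprovision blob
    (inspection only; the CMS signature is not verified here)."""
    m = _PLIST_RE.search(raw)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def is_enterprise_profile(profile):
    """Enterprise (in-house) profiles carry ProvisionsAllDevices=true;
    App Store and ad-hoc profiles do not."""
    return bool(profile.get("ProvisionsAllDevices", False))


def inspect_ipa(ipa_bytes):
    """Read Info.plist and embedded.mobileprovision from the .app bundle
    inside an IPA and return a verdict dict."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(n for n in names
                         if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        app_dir = info_name.rsplit("/", 1)[0]
        info = plistlib.loads(z.read(info_name))
        bundle_id = info.get("CFBundleIdentifier", "")
        prov_name = app_dir + "/embedded.mobileprovision"
        enterprise = False
        if prov_name in names:  # a missing profile is treated as not enterprise
            enterprise = is_enterprise_profile(provisioning_profile(z.read(prov_name)))
    return {
        "bundle_id": bundle_id,
        "enterprise_signed": enterprise,
        "flagged": enterprise and bundle_id in PROTECTED_BUNDLE_IDS,
    }


def build_sample_ipa(bundle_id, enterprise):
    """Construct a minimal IPA in memory (sample data for this example)."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id,
                           "CFBundleShortVersionString": "1.0"})
    profile = {"Name": "Sample Profile",
               "TeamName": "Example Corp",
               "Entitlements": {"application-identifier": "ABCDE12345." + bundle_id}}
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    # Opaque bytes on either side stand in for the CMS wrapper.
    prov = b"\x30\x82\x00\x10" + plistlib.dumps(profile) + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", info)
        z.writestr("Payload/Sample.app/embedded.mobileprovision", prov)
    return buf.getvalue()


if __name__ == "__main__":
    for bid, ent in [("com.facebook.Facebook", True),
                     ("com.example.internal", True),
                     ("com.facebook.Facebook", False)]:
        print(inspect_ipa(build_sample_ipa(bid, ent)))
```

Only the first sample, an enterprise-signed package claiming Facebook's bundle ID, is flagged; an enterprise-signed internal app and a non-enterprise package with the same bundle ID both pass, which is the distinction an MDM or app-vetting pipeline needs to make.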
FireEye explained that the Masque Attack is one of the most advanced it has discovered as it shows that "attackers are finally putting some real rigour behind smartphones, tablets and Apple products".
"The threat landscape of global mobile security is evolving to a new era, where attackers start to exhaust every possible vulnerability to obtain capabilities and privileges, and trying to evade detection and stealthily control the victim devices persistently," the report stated.
The research suggests that the Hacking Team leak has released this Masque Attack threat into the wild for hackers to exploit, but it is important to note that people who download applications from official stores should remain protected.
V3 has asked Apple and Google for comment, but had received no reply at the time of publication.
Earlier this year, Masque Attack II was found to be targeting Apple iPhone and iPad devices.
Jason Steere, director of technology strategy at FireEye, told V3 at the time that Masque Attack II was more dangerous as it is capable of "bypassing iOS prompts for trust and iOS URL scheme hijacking".
"Even if the user has always clicked 'Don't Trust', iOS still launches that enterprise-signed app directly on calling its URL scheme," he said.
"In other words, when the user clicks on a link in SMS, iOS Mail or Google Inbox, iOS launches the target enterprise-signed app without asking for the user's 'Trust' or even ignoring the user's 'Don't Trust'."