Apple patched a vulnerability in iOS devices that could allow malicious applications to remain open for an unlimited time while remaining hidden from unsuspecting users, researchers said.
The flaw, patched by Apple in iOS 8.4.1, allows any iOS application to bypass Apple background restrictions which usually terminate an application after three minutes and prevent applications eavesdropping on users, said researchers at FireEye.
Devices running a version previous to iOS 8.4.1 remain open to the vulnerability.
Security researchers at FireEye said the flaw, called Ins0mnia, circumvents limitations imposed by Apple and can affect non-jailbroken devices.
“A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge,” said FireEye researchers Alessandro Reina, Mattia Pagnozzi and Stefano Bianchi Mazzone in a blog post.
“This sensitive information could then continuously be sent out to a remote server. This flaw could also be leveraged to drastically reduce device performance and system usability. It could even be used to drain the battery.”
Using the Ins0mnia flaw would involve fooling the device into believing an application was undergoing a debugging process. This then prevents the OS suspending the application after the usual expiration time.
If the attack is successful, the application will continue to run in the background even after removing the app with the task switcher.
The vulnerability could allow rogue applications to remain undetected.