iPhone iOS Threat: Ins0mnia Never Sleeps

FireEye researchers discovered a vulnerability (Ins0mnia) in iPhone iOS that allows potentially malicious applications to keep running in the background, even after it appears that the user has closed them. Critically, this vulnerability affects non-jailbroken iOS devices: malicious software can be designed to look benign and bypass the security measures taken by the Apple App Store, all the while remaining capable of potentially continuous data exfiltration. The Apple security team has confirmed the vulnerability, and it has been patched with the release of iOS 8.4.1.

Ins0mnia is named for the way it bypasses the normal iOS measures that put apps' background processes to sleep; malicious apps using this vulnerability never have to stop their background processes, even after being closed. “For example, a music app may have legitimate reason to ask permission to access GPS location and microphone while working on the foreground, but few users would want the app to run in the background to continually monitor GPS locations and recording audio. The control by iOS is supposed to prevent such abuse of permissions.” An app abusing the vulnerability is also invisible to users viewing the task switcher interface. Users think they have closed an application, while it continues to run fully in the background (potentially geared to exfiltrate any manner of data from the phone). The vulnerability takes advantage of the fact that applications that appear to be under debugging continue to run beyond the cut-off time (3 minutes) that applies to the background processes of apps running ordinarily.

If you have an iPhone running iOS 8.4 or below, update or patch it immediately to guard against the vulnerability.

The threat researchers at FireEye have provided a PoC demonstration video of the vulnerability at the YouTube link below:


See the FireEye article for a full technical breakdown: