A digital security company has discovered another new security flaw in Apple’s iOS iPhone software that allows hackers to record all of a user’s screen taps and log all of their keystrokes.
Network security firm FireEye found the new bug, which allowed researchers to take advantage of the way iPhones run applications in the background to install a “monitoring” application on a standard, non-jailbroken iOS 7.0.4 device.
The monitoring app runs constantly in the background and records “every character the victim inputs,” according to an Ubergizmo report. That includes every tap of the screen — including keyboard strokes — essentially collecting everything an iPhone user does on their device in secret, and transmitting it outside the smartphone into the web-wild.
Though the option exists to disable the “Background App Refresh” in iOS, which would close apps running in the background, the hack also allows the monitoring application to disguise itself as a music app, which would then continue to record data activity.
FireEye has yet to reveal exactly how it was able to install the app on an iPhone, which employs strict programming to prevent this exact form of app sideloading. The firm said the security exploit exists on iOS updates since 7.0.4, and can also be performed on jailbroken devices that have been hacked off a proprietary network like AT&T or Verizon.
Apple has yet to comment on the flaw, the latest in a series of security vulnerabilities exposed since Friday that revealed iPhones, iPads and Macs could be hacked to steal users’ private data — including emails, account logins, and credit card numbers — while connected to public WiFi networks.
FireEye said it is working with Apple to fix the security flaw.